CERT mailing list archives

AR18-275A: MAR-1021537 - HIDDEN COBRA FASTCash-Related Malware


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Wed, 03 Oct 2018 00:56:37 -0500

U.S. Department of Homeland Security US-CERT

 

National Cyber Awareness System: AR18-275A: MAR-1021537 - HIDDEN COBRA FASTCash-Related Malware [ 
https://www.us-cert.gov/ncas/analysis-reports/AR18-275A ] 10/02/2018 12:15 PM EDT 
Original release date: October 02, 2018

Description

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not 
provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial 
product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries 
minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information 
on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

Ten (10) files were submitted to NCCIC for analysis.

Four (4) files are malicious applications, obfuscated using a file encryption tool called Themida. When executed on a 
computer running Windows, the malware unpacks a payload that is loaded directly into the memory of the compromised 
system.

Once installed, this malware modifies the Windows Firewall to allow incoming connections and installs a proxy server 
application. In addition, the malware has the ability to exfiltrate data, install and run secondary payloads, and 
provide proxy capabilities on a compromised system.

Two (2) files are command-line utility applications. Three (3) files are applications designed to provide export 
functions and methods that allow the application to interact with financial systems and perform transactions. One (1) 
file is a log file.

Two (2) additional samples in the report include unpacked files contained within the following samples:

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 and 
4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756

*For a downloadable copy of IOCs, see:*


  * MAR-1021537.stix [ https://www.us-cert.gov/sites/default/files/publications/MAR-10201537.stix.xml ]

Submitted Files (10)

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba (Lost_File.so)

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c (Lost_File1_so_file)

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756 (4f67f3e4a7509af1b2b1c6180a03b3...)

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 (5cfa1c2cb430bec721063e3e2d144f...)

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc (8efaabb7b1700686efedadb7949eba...)

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629 (d0a8e0b685c2ea775a74389973fc92...)

ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c (2.so)

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee (Injection_API_executable_e)

e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8 (Injection_API_log_generating_s...)

f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2 (inject_api)

Additional Files (2)

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d (Unpacked_dump_4a740227eeb82c20...)

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26 (Unpacked_dump_820ca1903a305162...)

IPs (1)

75.99.63.27

Findings

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6

Tags

backdoortrojan

Details

Name     5cfa1c2cb430bec721063e3e2d144feb
Size     1643616 bytes
Type     PE32 executable (GUI) Intel 80386, for MS Windows
MD5      5cfa1c2cb430bec721063e3e2d144feb
SHA1     c1a9044f180dc7d0c87e256c4b9356463f2cb7c6
SHA256   820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6
SHA512   a65e615203269b657e55fe842eca0542a4cd3bac80d3039d85dfb5fbbfdb5768bbabe2fc86f213fb1a759124a82780a1cfbb9fd8457f4923cefad73e9db6f6a4
ssdeep   24576:LTxUZWB9BdhYaqJ+LkDWo+eIgV10M/w6weSx4y4Golx+Q/K:LVUZWTjoSkz+eIg/z/YxFasgK
Entropy  7.957226

Antivirus

Ahnlab                 Trojan/Win32.Agent
Antiy                  Trojan/Win32.BTSGeneric
Avira                  BDS/RMS.ejnsf
BitDefender            Trojan.GenericKD.30382654
Cyren                  W32/Trojan.KBJG-8883
ESET                   a variant of Win32/Packed.Themida.AOO trojan
Emsisoft               Trojan.GenericKD.30382654 (B)
Ikarus                 Trojan.Win32.Themida
McAfee                 Trojan-FPWN!5CFA1C2CB430
NANOAV                 Trojan.Win32.RMS.ewarws
NetGate                Trojan.Win32.Malware
Symantec               Trojan.Gen.2
TrendMicro             TROJ_FR.15C6BFCA
TrendMicro House Call  TROJ_FR.15C6BFCA
VirusBlokAda           Backdoor.RMS

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date  2017-08-14 13:14:04-04:00
Import Hash   baa93d47220682c04d92f7797d9224ce

PE Sections

MD5                               Name       Raw Size  Entropy
23041caef38d4991296ffbe42743c691  header     4096      0.825738
da701d0e0ab6bfbddd747feebed96546  (unnamed)  156672    7.983417
d41d8cd98f00b204e9800998ecf8427e  .rsrc      0         0.000000
efcb51d4d8a55d441d194e80899bb2b0  .idata     512       1.308723
231617ad2dc2a0c3f2d8e3241c57626f  (unnamed)  512       0.240445
92a0680fea369ae11f900c1a92e5499c  gvxlrmcr   1474048   7.954645
cf68e5165e3b89c0ece9b4905abf861a  eolnwoiw   512       3.342017

Process List

Process                                                               PID   PPID
820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6.exe  2104  (2084)
lsass.exe                                                             468   (384)

Description

This application is a Themida-packed 32-bit Windows executable. This application unpacks and executes a service proxy 
module in memory (5c0a4f9e67ced69eaea17092444b2c1a).

Analysis indicates that this proxy module accepts command-line parameters to perform its functions. The module modifies 
the Windows Firewall on the victim's machine to allow incoming connections and to force the compromised system to 
function as a proxy server.

The proxy module uses the following command to open a Windows Firewall port on the victim's machine to allow 
incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware listens to an open port for incoming traffic. The traffic may contain instructions to perform any of the 
following functions:

-Retrieve information about the logon sessions, drives installed, and operating system
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files
-Write files
-Compress and decompress files

This malware uses the multi-protocol file transfer library "libcurl 7.49.1" for transferring data with a URL syntax. It 
supports the following network protocols:

-POP3
-SMTP
-IMAP
-LDAP
-DICT
-FTP
-HTTP
-HTTPS

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26

Tags

trojan

Details

Name     Unpacked_dump_820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6.exe
Size     4247040 bytes
Type     PE32 executable (GUI) Intel 80386, for MS Windows
MD5      5c0a4f9e67ced69eaea17092444b2c1a
SHA1     8462cb955a6c459036a3e27d59b1b8b6cc9acfd5
SHA256   9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26
SHA512   3a0f668d5ae4998ad6555adccbfcf837eabee2dcb2e36a3c9cad8efe0996a5a7ba238041b8f31b1e2feb36165daac0c6b5fe70e4df5339dce0aa0d031d455dec
ssdeep   98304:mv9KZUELYbD09b2WBFs6BEroKso7aO7/Qs7K:mwZHs6BaoE71MEK
Entropy  6.823899

Antivirus

Ahnlab       Trojan/Win32.Agent
BitDefender  Gen:Trojan.Heur.PT.@BW@bq9rd7j
Emsisoft     Gen:Trojan.Heur.PT.@BW@bq9rd7j (B)
Symantec     Heur.AdvML.B

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date  2017-08-14 13:14:04-04:00
Import Hash   baa93d47220682c04d92f7797d9224ce

PE Sections

MD5                               Name       Raw Size  Entropy
22f49b12cb818728d293ae43082d8949  header     1024      2.661805
01c0e5316c7bba2ebdc00754a1d83f2a  (unnamed)  311296    6.307203
d41d8cd98f00b204e9800998ecf8427e  .rsrc      0         0.000000
5e501430acba545b719c0887357226dd  .idata     1024      0.778128
37fabfab797e631603a696b7ac2296d7  (unnamed)  2459136   5.741823
c10780e19363abda168c5861ce481635  gvxlrmcr   1474048   7.954349
671f4fb0c657d89c924064db6be0442e  eolnwoiw   512       3.326839

Description

This file is the unpacked version of 820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6.

Displayed below are strings of interest for this unpacked proxy module:

--Begin strings of interest--
http
libcurl/7.49.1
%s:%d
%255[^:]:%d:%255s
%255[^:]:%d
<no protocol>
%I64u-
ALL_PROXY
all_proxy
http_proxy
_proxy
NO_PROXY
no_proxy
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
ftp () example com
anonymous
%s%s%s
User-Agent: %s
Set-Cookie:
RELOAD
FLUSH
SESS
identity
socks
socks4
socks4a
socks5
socks5h
pop3
POP3.
smtp
SMTP.
IMAP
IMAP.
LDAP
LDAP.
DICT
DICT.
FTP.
/?]%[^
%15[^
:]://%[^
/?]%[^
file
%15[^:]:%[^
%s://%s
FALSE
TRUE
#HttpOnly_
expires
max-age
version
domain
path
httponly
secure
%1023[^;
=] =%4999[^;
%s%s%s
%I64d
unknown
# Fatal libcurl error
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
none
[%s %s %s]
from
Header
Data
host!
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
(nil)
(nil)
.%ld
0123456789
%d.%d.%d.%d
HTTP
%sAuthorization: Basic %s
Proxy-
%s:%s
Basic
Authorization:
Proxy-authorization:
Digest
NTLM
HTTP/
Expect: 100-continue
100-continue
Expect:
Connection
Content-Length
Content-Type:
Host:
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%s, %02d %s %4d %02d:%02d:%02d GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: %I64d
Content-Length:
%s%s
%s%s=%s
Cookie:
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
ftp://%s:%s@%s
Content-Range: bytes %s/%I64d
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes 0-%I64d/%I64d
Content-Range:
Range: bytes=%s
Range:
Host: %s%s%s:%hu
Host: %s%s%s
Accept: */*
Accept:
;type=
ftp://
Transfer-Encoding: chunked
chunked
Transfer-Encoding:
Accept-Encoding: %s
Accept-Encoding:
Cookie:
Referer: %s
Referer:
User-Agent:
POST
HEAD
Location:
Proxy-authenticate:
WWW-Authenticate:
Last-Modified:
Content-Encoding:
x-gzip
gzip
deflate
Connection:
close
Proxy-Connection:
keep-alive
Server:
RTSP/%d.%d %3d
HTTP %3d
HTTP/%d.%d %d
%hu.%hu.%hu.%hu
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s
Host: %s
%s%s%s:%hu
CONNECT
%s:%hu
default
machine
password
login
_netrc
HOME
c%c==
%c%c%c=
%c%c%c%c
application/xml
.xml
text/html
.html
text/plain
.txt
.jpeg
image/jpeg
.jpg
image/gif
.gif
; filename="%s"
------------------------%08x%08x
--%s--
--%s--
Content-Type: %s
--%s
Content-Disposition: attachment
Content-Type: multipart/mixed; boundary=%s
Content-Disposition: form-data; name="
--%s
%s; boundary=%s
Content-Type: multipart/form-data
Out of memory
Bad content-encoding found
Write error
Malformed encoding found
Illegal or missing hexadecimal sequence
Too long hexadecimal number
%02x
auth-int
auth
%08x%08x%08x%08x
%s, algorithm="%s"
%s, opaque="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"
%s:%s:%08x:%s:%s:%s
d41d8cd98f00b204e9800998ecf8427e
%s:%s:%s
MD5-sess
algorithm
opaque
realm
true
stale
nonce
NTLMSSP
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
%c%c%c%c%c%c%c%c
KGS!@#$%
%c%c%c%c
out of memory
1.2.8
internal error: deflate stream corrupt
requested length does not fit in int
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
--End strings of interest--

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756

Tags

backdoortrojan

Details

Name     4f67f3e4a7509af1b2b1c6180a03b3e4
Size     2206296 bytes
Type     PE32+ executable (console) x86-64, for MS Windows
MD5      4f67f3e4a7509af1b2b1c6180a03b3e4
SHA1     1c9a437ed876a0ce0e5374bd93acdfd9e9023f1f
SHA256   4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756
SHA512   aa310ce7bb649c7bac9295ec0e68c15d595a2bea79c4d0fb22cd13779deee02a04df2824f5583a8cc5f249659474feeb5f647b0a875fe2bc663d8e4c34275316
ssdeep   49152:9ywn1c6Q+lkOpdHyjyDMXSfRndy7vdaCYzQ7cxTEhr2nvoBPVis8M:Ja6HtHk+nojUT6r2nvoB/
Entropy  7.956937

Antivirus

Ahnlab                        Trojan/Win64.Agent
BitDefender                   Trojan.Generic.22876704
Cyren                         W64/Trojan.LTPJ-3011
ESET                          Win64/NukeSped.AA trojan
Emsisoft                      Trojan.Generic.22876704 (B)
Ikarus                        Trojan.Win64.Nukesped
McAfee                        Trojan-FPWN!4F67F3E4A750
Microsoft Security Essentials Trojan:Win64/NukeSped
NANOAV                        Trojan.Win64.RMS.facjgp
Quick Heal                    Trojan.IGENERIC
Sophos                        Troj/NukeSped-H
Symantec                      Trojan.Gen.2
TrendMicro                    Trojan.C9DEC062
TrendMicro House Call         Trojan.C9DEC062
Vir.IT eXplorer               Backdoor.Win32.RMS.EN

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date  2017-08-14 13:14:12-04:00
Import Hash   baa93d47220682c04d92f7797d9224ce

PE Sections

MD5                               Name       Raw Size  Entropy
4bd1bcb9809fedb1d4f556b695fb95a6  header     4096      0.868689
32f3f5b6711f8cb1c9655b615701f50d  (unnamed)  184832    7.922033
d41d8cd98f00b204e9800998ecf8427e  .rsrc      0         0.000000
74c1d1ec299d8a058f22b61277ceea66  .idata     512       1.297004
f4facb792a8404ec46a8119da73d6ec4  (unnamed)  512       0.231158
075fa8edf884d5a43ba9a96c4b20de25  twvngiow   1994240   7.960560
a1785d4faeedfebd99e0cc737f38f551  pavwhbmc   512       4.473835
5af578a4785cc0683866fa19e262eb4d  .pdataI    14336     5.546603

Process List

Process                                                               PID   PPID
lsass.exe                                                             468   (384)
4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756.exe  2120  (2152)

Description

This application is a Themida-packed 64-bit Windows executable. This application unpacks and executes a service proxy 
module in memory (02959903cd988443e5ef519d556b34b0).

Analysis indicates that this proxy module accepts command-line parameters to perform its functions. The module modifies 
the Windows Firewall on the victim's machine to allow incoming connections and forces the compromised system to 
function as a proxy server.

The proxy module uses the following command to open a Windows Firewall port on the victim's machine to allow 
incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware listens to an open port for incoming traffic. The traffic may contain instructions to perform any of the 
following functions:

-Retrieve information about the logon sessions, drives installed, and operating system
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files
-Write files
-Compress and decompress files

This malware uses the multi-protocol file transfer library "libcurl 7.49.1" for transferring data with a URL syntax. It 
supports the following network protocols:

-POP3
-SMTP
-IMAP
-LDAP
-DICT
-FTP
-HTTP
-HTTPS

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d

Tags

trojan

Details

Name     Unpacked_dump_4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756.exe
Size     5889536 bytes
Type     PE32+ executable (console) x86-64, for MS Windows
MD5      02959903cd988443e5ef519d556b34b0
SHA1     18e346aa6ee6d3faeae21474f33f5a4601a99213
SHA256   1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d
SHA512   cc20d9105f0f91c443a6b6c156bfccde81a1b7fa7a9267c156b9129dece9ddeba706d9d1c49da47d54387ade63e1fe2ecc79743f51de1cf92ee23603dba71761
ssdeep   98304:s0Mu3F1FKHTTEB/oVHhOEVHtHk+nojUT6r2nvoB:sQ/F0TQ/oVBOEjHk+aUTXoB
Entropy  6.820153

Antivirus

ESET a variant of Win64/NukeSped.AS trojan 

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date  2017-08-14 13:14:12-04:00
Import Hash   baa93d47220682c04d92f7797d9224ce

PE Sections

MD5                               Name       Raw Size  Entropy
a425d258e0ddf17fe412040b81d41aac  header     1024      2.802251
9cfb80616de943facef57fabbece780a  (unnamed)  374784    6.195005
d41d8cd98f00b204e9800998ecf8427e  .rsrc      0         0.000000
55e1897e20dbef5db7b4a718fd539ef7  .idata     1024      0.797549
83734ab1f8e17720271dc4b429ea0f6c  (unnamed)  3503616   5.733920
18f194fd3ae2455d8e26aad2e0dd6685  twvngiow   1994240   7.960332
5fa71bdf383d16a6b25955bff53efb90  pavwhbmc   512       4.459428
5af578a4785cc0683866fa19e262eb4d  .pdataI    14336     5.546603

Description

This file is the unpacked version of 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756.

Displayed below are strings of interest for this unpacked proxy module:

--Begin strings of interest--
http
libcurl/7.49.1
%s:%d
%255[^:]:%d:%255s
%255[^:]:%d
<no protocol>
%I64u-
ALL_PROXY
all_proxy
http_proxy
_proxy
NO_PROXY
no_proxy
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
ftp () example com
anonymous
%s%s%s
User-Agent: %s
Set-Cookie:
RELOAD
FLUSH
SESS
identity
socks
socks4
socks4a
socks5
socks5h
pop3
POP3.
smtp
SMTP.
IMAP
IMAP.
LDAP
LDAP.
DICT
DICT.
FTP.
/?]%[^
%15[^
:]://%[^
/?]%[^
file
%15[^:]:%[^
%s://%s
FALSE
TRUE
#HttpOnly_
expires
max-age
version
domain
path
httponly
secure
%1023[^;
=] =%4999[^;
%s%s%s
%I64d
unknown
# Fatal libcurl error
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
none
[%s %s %s]
from
Header
Data
host!
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
(nil)
(nil)
.%ld
0123456789
%d.%d.%d.%d
HTTP
%sAuthorization: Basic %s
Proxy-
%s:%s
Basic
Authorization:
Proxy-authorization:
Digest
NTLM
HTTP/
Expect: 100-continue
100-continue
Expect:
Connection
Content-Length
Content-Type:
Host:
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%s, %02d %s %4d %02d:%02d:%02d GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: %I64d
Content-Length:
%s%s
%s%s=%s
Cookie:
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
ftp://%s:%s@%s
Content-Range: bytes %s/%I64d
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes 0-%I64d/%I64d
Content-Range:
Range: bytes=%s
Range:
Host: %s%s%s:%hu
Host: %s%s%s
Accept: */*
Accept:
;type=
ftp://
Transfer-Encoding: chunked
chunked
Transfer-Encoding:
Accept-Encoding: %s
Accept-Encoding:
Cookie:
Referer: %s
Referer:
User-Agent:
POST
HEAD
Location:
Proxy-authenticate:
WWW-Authenticate:
Last-Modified:
Content-Encoding:
x-gzip
gzip
deflate
Connection:
close
Proxy-Connection:
keep-alive
Server:
RTSP/%d.%d %3d
HTTP %3d
HTTP/%d.%d %d
%hu.%hu.%hu.%hu
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s
Host: %s
%s%s%s:%hu
CONNECT
%s:%hu
default
machine
password
login
_netrc
HOME
c%c==
%c%c%c=
%c%c%c%c
application/xml
.xml
text/html
.html
text/plain
.txt
.jpeg
image/jpeg
.jpg
image/gif
.gif
; filename="%s"
------------------------%08x%08x
--%s--
--%s--
Content-Type: %s
--%s
Content-Disposition: attachment
Content-Type: multipart/mixed; boundary=%s
Content-Disposition: form-data; name="
--%s
%s; boundary=%s
Content-Type: multipart/form-data
Out of memory
Bad content-encoding found
Write error
Malformed encoding found
Illegal or missing hexadecimal sequence
Too long hexadecimal number
%02x
auth-int
auth
%08x%08x%08x%08x
%s, algorithm="%s"
%s, opaque="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"
%s:%s:%08x:%s:%s:%s
d41d8cd98f00b204e9800998ecf8427e
%s:%s:%s
MD5-sess
algorithm
opaque
realm
true
stale
nonce
NTLMSSP
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
%c%c%c%c%c%c%c%c
KGS!@#$%
%c%c%c%c
out of memory
1.2.8
internal error: deflate stream corrupt
requested length does not fit in int
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
--End strings of interest--

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629

Tags

trojan

Details

Name     d0a8e0b685c2ea775a74389973fc92ca
Size     122880 bytes
Type     PE32 executable (GUI) Intel 80386, for MS Windows
MD5      d0a8e0b685c2ea775a74389973fc92ca
SHA1     c752ad74cb99a836eec4b984dab03cb7e99eb974
SHA256   ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629
SHA512   6ec195aa1ec3226252f4959c0abbe0db06645e5b3dea8351d2da8dfb87cce71ce1424159e325fa6a77bf2fe4f0a3181e1ed23f4eb17db6bdc119e4fec7273416
ssdeep   3072:pNwZ4j/a2NlHbAoTL4592kHhEBZTWTBfg09ruXlN:pNwZ4zaibAoTL45oMEPWTBp9ruXl
Entropy  6.098281

Antivirus

Ahnlab       Trojan/Win32.Alreay
Antiy        Trojan[Banker]/Win32.Alreay
BitDefender  Gen:Variant.Graftor.364318
Cyren        W32/Heuristic-KPP!Eldorado
ESET         a variant of Win32/NukeSped.CK trojan
Emsisoft     Gen:Variant.Graftor.364318 (B)
K7           Riskware ( 0040eff71 )
McAfee       Generic Trojan.aa
Symantec     Heur.AdvML.C
TACHYON      Trojan.Generic.18331628
Zillya!      Trojan.Agent.Win32.722146

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date       2016-03-19 14:03:05-04:00
Import Hash        4215312bc485628dca703e26b9c891d0
Company Name       None
File Description   Resource cache builder tool
Internal Name      mcbuilder.exe
Legal Copyright    Microsoft Corporation. All rights reserved.
Original Filename  None
Product Name       Microsoft Windows Operating System
Product Version    6.2.9200.16384

PE Sections

MD5                               Name    Raw Size  Entropy
e31fd661c75ca688e967a8cb3acaf667  header  4096      0.719150
ee501cdb0da38b6674f2156044a7c4fa  .text   81920     6.357905
01772205e022a2ffd1809a471bd44333  .rdata  20480     6.533817
6292ff91b59460d11cb00c8553b79b2d  .data   12288     3.569966
c8d0ecf5c22d5806a5af87953844408c  .rsrc   4096      1.146235

Packers/Compilers/Cryptors

Microsoft Visual C++ v6.0 

Process List

Process                                                               PID   PPID
lsass.exe                                                             468   (384)
ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629.exe  2344  (2104)

Relationships

ab88f12f0a... Contains 75.99.63.27 

Description

This application is a 32-bit Windows executable. This application executes as a service named "helpsvcs." The 
application utilizes the Rivest Cipher 4 (RC4) encryption algorithm to encrypt configuration data. It stores a 
four-byte unique identifier, the RC4 key, and the encrypted configuration data in the following registry values:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data1"
ValueData = "Encrypted configuration data"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\PVS\Security" ValueName = "Data1"
ValueData = "Encrypted configuration data"
--End registry key--

Displayed below is the RC4 key for encrypting and decrypting the configuration data:

--Begin RC4 key--
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00

--End RC4 key--

Displayed below is the hard-coded configuration data, which contains command and control (C2) information:

--Begin hard-coded configuration data--
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B ===> 75.99.63.27
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00 ===> port 443
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End hard-coded configuration data--

Displayed below is the data stored in the registry, which consists of the four-byte unique identifier, the RC4 key, and 
the encrypted configuration data:

--Begin configuration data--
10 00 20 00 ==> four bytes data (unique identifier)
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ===> RC4 key
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B ===> configuration
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End configuration data--
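The registry layout described above (four-byte unique identifier, then the 16-byte RC4 key, then the RC4-encrypted configuration) and the annotated configuration bytes (the C2 address at 4B 63 3F 1B and the port at BB 01) are enough to write a configuration extractor. The script below is an added example and is not NCCIC's code or tooling. It assumes the entry layout inside the configuration is FF, a 16-bit little-endian length, a one-byte entry id and the entry data, terminated by FD, which is inferred from the dump rather than stated in the report; the zero-length entries followed by a single 00 byte are treated as empty NUL-terminated strings, also an assumption. Because no encrypted registry value is included in the report, the sample blob is constructed by RC4-encrypting the report's own plaintext under the report's own key; all function names are the author's.

```python
"""Extract C2 settings from the registry-stored configuration described in MAR-10201537.

Added example, not NCCIC's code. Blob layout (id + key + encrypted config) follows the
report; the FF/len/id entry layout inside the configuration is an inference from the
annotated bytes, not something the report states.
"""
from ipaddress import IPv4Address

# Plaintext configuration exactly as printed in the report.
CONFIG_HEX = (
    "FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B "
    "00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00 "
    "00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00 "
    "00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00 "
    "00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B "
    "00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00 "
    "FF 04 00 07 00 00 00 00 FD"
)
UNIQUE_ID = bytes.fromhex("10 00 20 00")                       # from the report
RC4_KEY = bytes.fromhex("11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00")  # from the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(config: bytes) -> dict:
    """Walk FF <len16 LE> <id8> <data> entries until the FD terminator (inferred layout).

    Zero-length entries in the report's dump are followed by one 00 byte; this parser
    reads them as empty NUL-terminated strings (assumption).
    """
    entries = {}
    pos = 0
    while pos < len(config):
        tag = config[pos]
        if tag == 0xFD:
            break
        if tag != 0xFF:
            raise ValueError(f"unexpected tag {tag:#04x} at offset {pos}")
        length = int.from_bytes(config[pos + 1:pos + 3], "little")
        entry_id = config[pos + 3]
        pos += 4
        if length == 0:
            end = config.index(b"\x00", pos)
            entries[entry_id] = config[pos:end]
            pos = end + 1
        else:
            entries[entry_id] = config[pos:pos + length]
            pos += length
    return entries


def c2_from_config(config: bytes):
    """Return (ip, port): entry 0 carries the IPv4 address, entry 1 the 16-bit LE port."""
    entries = parse_config(config)
    ip = str(IPv4Address(entries[0][:4]))
    port = int.from_bytes(entries[1], "little")
    return ip, port


def decode_registry_blob(blob: bytes):
    """Split a 'Data1' value into (unique id, RC4 key, decrypted configuration)."""
    unique_id, key, encrypted = blob[:4], blob[4:20], blob[20:]
    return unique_id, key, rc4(key, encrypted)


def build_sample_blob() -> bytes:
    """Constructed sample: the report's plaintext re-encrypted under the report's key."""
    return UNIQUE_ID + RC4_KEY + rc4(RC4_KEY, bytes.fromhex(CONFIG_HEX))


if __name__ == "__main__":
    uid, key, config = decode_registry_blob(build_sample_blob())
    print("unique id:", uid.hex(), "key:", key.hex())
    print("C2 endpoint:", c2_from_config(config))   # ('75.99.63.27', 443)
```

Pointing `decode_registry_blob` at an exported `Data1` value from either of the two listed subkeys gives the decrypted configuration; the remaining entries (for example id 3, whose value is 0x3C) are left undecoded here because the report does not describe them.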

The malware encrypts a payload from the remote operator using the following hard-coded RC4 key:

--Begin hard-coded RC4 key--
53 87 F2 11 30 3D B5 52 AD C8 28 09 E0 52 60 D0 6C C5 68 E2 70 77 3C 8F 12 C0 7B 13 D7 B3 9F 7C
--End hard-coded RC4 key--

The encrypted payload is installed into the following registry key:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data0"
ValueData = "Encrypted payload"
--End registry key--

The malware uses the following command to open a Windows Firewall port on the victim's machine to allow incoming 
connections:

--Begin firewall modification--
"netsh firewall add portopening TCP 443 "Windows Firewall Remote Management""
--End firewall modification--
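All three Windows samples in this report open a listener by running the legacy `netsh firewall add portopening` command (with the names RPCServer and "Windows Firewall Remote Management"), which makes the command line itself a useful detection point. The script below is an added example, not part of the report: it scans process-creation records for that command and pulls out the protocol, port and rule name, flagging the two names the report associates with these samples. The log lines are constructed for the example and the simple space-separated field layout is an assumption; in practice the command-line field would come from a source such as Sysmon process-creation events.

```python
"""Flag netsh firewall port-opening commands in process-creation logs.

Added example, not NCCIC's code. The log format below is constructed for the example.
"""
import re

# Legacy `netsh firewall add portopening <proto> <port> <name>` syntax seen in all three
# Windows samples of this report; the name may be quoted (may contain spaces) or bare.
PORTOPENING_RE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+portopening\s+(?P<proto>TCP|UDP)\s+'
    r'(?P<port>\d{1,5})\s+(?P<name>"[^"]*"|\S+)',
    re.IGNORECASE,
)

# Rule names the report ties to these samples; a match is a higher-confidence hit.
REPORTED_NAMES = {"RPCServer", "Windows Firewall Remote Management"}

# Constructed sample records: timestamp, host, image, command line.
SAMPLE_LOG = """\
2018-10-02T12:15:01Z host-a C:\\Windows\\System32\\netsh.exe netsh firewall add portopening TCP 443 "Windows Firewall Remote Management"
2018-10-02T12:15:02Z host-b C:\\Windows\\System32\\netsh.exe netsh firewall add portopening TCP 8080 RPCServer
2018-10-02T12:15:03Z host-c C:\\Windows\\System32\\netsh.exe netsh advfirewall firewall show rule name=all
2018-10-02T12:15:04Z host-d C:\\Windows\\System32\\cmd.exe cmd /c netsh firewall add portopening UDP 5000 MyApp
"""


def parse_line(line: str) -> dict:
    """Split one constructed record into its four fields (assumed layout)."""
    ts, host, image, cmdline = line.split(" ", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def detect_portopening(log_text: str) -> list:
    """Return one finding per record whose command line adds a firewall port opening."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        match = PORTOPENING_RE.search(rec["cmdline"])
        if not match:
            continue
        name = match.group("name").strip('"')
        findings.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "proto": match.group("proto").upper(),
            "port": int(match.group("port")),
            "name": name,
            "matches_report": name in REPORTED_NAMES,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_portopening(SAMPLE_LOG):
        flag = "REPORTED NAME" if finding["matches_report"] else "review"
        print(f'{finding["host"]}: {finding["proto"]}/{finding["port"]} "{finding["name"]}" [{flag}]')
```

Any `portopening` hit is worth triage on a host that should not be accepting inbound connections; the `matches_report` flag only raises priority for the two names in this report and is not a substitute for looking at the parent process and the listening port.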

The malware binds and listens on port 443 for incoming connections from a remote operator. No outbound connection was 
observed. Static analysis indicates that the malware is capable of providing remote command and control (C2) 
capabilities, including the ability to exfiltrate data, install and run secondary payloads, and provide proxy services 
on a compromised system. The malware utilizes the RC4 encryption algorithm to encrypt and decrypt a portion of its 
communications data to and from the remote operator.

Listed below are the types of data exfiltrated by the malware:

- network adapter information
- computer name
- username
- the system's Internet Protocol (IP) address
- hard-coded value (00 00 00 04h)
- current directory of the malware
- %Current directory%\malware.exe
- hard-coded value (01h)
- hard-coded value "PVS"
- the victim's operating system information
- installed drives information
- the current system time

Displayed below are additional functions the malware performs based on specified commands from the remote operator:

-Retrieve information about drives installed
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files
-Write files
-Compress and uncompress files
-Change the listening port for Remote Desktop via registry modification

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc

Tags

trojan

Details

Name     8efaabb7b1700686efedadb7949eba49
Size     105984 bytes
Type     PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5      8efaabb7b1700686efedadb7949eba49
SHA1     7b17d63694eee51010bcad143bc72e355e17cb50
SHA256   a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc
SHA512   fce7a868b531f55b3f483dd66b3c029328ea18bf7586b00172e3c6735023631fa9091f4ac5d4d2f32da95045c18af7f433bbae1e989d68ae710beb676008512b
ssdeep   3072:jpaydDE0X8ShTP3SkwsX7Uo+fcqVFn+v4hbHxW:j0yx8eTP3SNC7UbUqVLx
Entropy  6.150963

Antivirus

Ahnlab       Malware/Win64.Generic
BitDefender  Trojan.GenericKD.30902108
Cyren        W64/Trojan.PRVF-4031
ESET         Win64/NukeSped.AK trojan
Emsisoft     Trojan.GenericKD.30902108 (B)
Ikarus       Trojan.Win64.Nukesped
K7           Trojan ( 0052a98d1 )
McAfee       Generic Trojan.aa
Quick Heal   Trojan.IGENERIC
Symantec     Trojan.Gen.2

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date       2015-01-07 21:49:56-05:00
Import Hash        f124895b94c3b1ec5baf7f21dc62122a
Company Name       Microsoft Corporation
File Description   Microsoft Neutral Natural Language Server Data and Code
Internal Name      NlsLexicons0002
Legal Copyright    Microsoft Corporation. All rights reserved.
Original Filename  NlsLexicons0002.dll
Product Name       Microsoft Windows Operating System
Product Version    6.1.7600.16385

PE Sections

MD5                               Name    Raw Size  Entropy
7db95ed8565bbdbfc5ed4c5e80c68a4f  header  1024      2.598472
387bb23a8901baa300e42ce92310530e  .text   71680     6.521050
f0411cd79ef1b71082f0817fe17fe1e6  .rdata  18432     4.690004
25afe34ab1b36cc1ee118c9165f8619c  .data   7680      3.582928
1bb7ba760f7f7cba0addd4a273b464f6  .pdata  4096      4.606565
922af695fe14a7f70f8e068dcadc0584  .rsrc   1536      4.074927
729c12997f9639810666bb171ea9241d  .reloc  1536      2.990709

Process List

Process       PID   PPID
lsass.exe     468   (384)
rundll32.exe  2204  (1172)

Description

This application is a malicious 64-bit Windows Dynamic Link Library (DLL), designed to run as a Windows service under 
Windows "svchost.exe." When executed, it searches for, loads, and RC4-decrypts into memory a payload stored in the 
following registry values:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data0"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data2"
--End registry key--

The binary that installs the encrypted payload in the registry was not available for analysis.

75.99.63.27

Ports

  * 443 TCP

Whois

Domain Name: optonline.net
Registry Domain ID: 4531660_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2016-06-08T16:38:21Z
Creation Date: 1996-10-07T04:00:00Z
Registrar Registration Expiration Date: 2018-10-06T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse () godaddy com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Organization: Cablevision Systems Corporation
Registrant State/Province: New York
Registrant Country: US
Name Server: AUTHNS1.CV.NET
Name Server: AUTHNS1.CVNET.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2018-05-22T21:00:00Z <<<

Relationships

75.99.63.27 Contained_Within ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629 

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee

Details

Name     Injection_API_executable_e
Size     89088 bytes
Type     64-bit XCOFF executable or object module
MD5      b3efec620885e6cf5b60f72e66d908a9
SHA1     274b0bccb1bfc2731d86782de7babdeece379cf4
SHA256   d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee
SHA512   a36dab1a1bc194b8acc220b23a6e36438d43fc7ac06840daa3d010fddcd9c3168a6bf314ee13b58163967ab97a91224bfc6ba482466a9515de537d5d1fa6c5f9
ssdeep   1536:CnM87WOrh1EEshNunXJzZst56iYTKg+T8v6paBLc0s7G8Y+s0nrTqG0s0nrTqB:CpW2h1mhpaBqTrverE
Entropy  5.052439

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process       PID   PPID
lsass.exe     496   (384)
cmd.exe       2976  (2944)
rundll32.exe  2456  (2976)
AcroRd32.exe  2916  (2456)

Relationships

d465637518... Related_To e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8 

Description

This file is an Advanced Interactive Executive (AIX) executable intended for a proprietary UNIX operating system 
developed by IBM. This application injects a library into a currently running process. Figure 1 is a screenshot 
containing strings of interest. The strings indicate the application is a command-line utility that enables an operator 
to easily conduct code injection on an IBM AIX platform. Analysis indicates this application logs its usage to a log 
file (Figure 2).

Screenshots

Figure 1 - Screenshot of the strings of interest

Figure 2 - Application logging its usage to a log file.

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c

Details

Name     Lost_File1_so_file
Size     114688 bytes
Type     64-bit XCOFF executable or object module
MD5      d790997dd950bb39229dc5bd3c2047ff
SHA1     7e6407c28c55475aa81853fac984267058627877
SHA256   3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c
SHA512   afdeec93ecb0f97cdf712e80597c3b8ec1e9cad58e1673f2f3ad7f096d49450759b1621dc533b7cdeb62ee5970233bfa820b72cc4b33b919afd49d84823feae9
ssdeep   1536:lJhosJHev1QFf+Z/2kREPItM9arn4nwF8uHit2Ofut:jhZJtf+Z/tJtMErn4/k62Iut
Entropy  4.803161

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process       PID   PPID
lsass.exe     496   (384)
cmd.exe       2136  (3040)
rundll32.exe  2728  (2136)
AcroRd32.exe  2900  (2728)

Description

This file is an AIX executable, intended for a proprietary UNIX operating system developed by IBM. This file is a 
library application designed to provide export functions. These functions allow an application to perform transactions 
on financial systems using the ISO8583 standard. A list of the ISO8583 functions is displayed in Figure 3 and Figure 4.

Screenshots
Figure 3 - List of ISO8583 functions

Figure 4 - ISO8583 functions continued

e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8

Details

Name: Injection_API_log_generating_script
Size: 2337 bytes
Type: ASCII text
MD5: 844eec0ff86c10f5f9b41648b066563b
SHA1: 5d0fd2c5f58dcbc51e210894e8698bc14ccd30e2
SHA256: e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8
SHA512: 199dee05b602039e480f62963cb0ec3b96393e37bb78ff1475e6dfc5857e484924a476dbe73f02de96670ff488eb26f53ca9c600dd44390cf767a4aa510869a4
ssdeep: 48:H5rkj2hoPsGPWEA9oEro6mzsmPlaaCc8gN4ickx+nQZmZ7GA5hJLu:H5S0GPPA9hro6RClpCcxN4iDAmmZNhJS
Entropy: 5.251062

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process       PID    PPID
lsass.exe     496    384
cmd.exe       2940   2880
rundll32.exe  2584   2940
AcroRd32.exe  3004   2584

Relationships

e03dc5f144... Related_To d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee 

Description

This file appears to be a log file generated by use of the application Inject API executable_e 
(b3efec620885e6cf5b60f72e66d908a9). The data contained in the log file is displayed in Figures 5, 6, and 7.

Screenshots
Figure 5 - Data contained in the log file.

Figure 6 - Data contained in the log file.

Figure 7 - Data contained in the log file.

f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2

Details

Name: inject_api
Size: 19328 bytes
Type: 64-bit XCOFF executable or object module
MD5: 58bb2236e5aee39760d3e4fc6ee94a79
SHA1: a74dd2f9723dfb74d0d7b15294622b6ccc0b9562
SHA256: f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2
SHA512: 9b67496127d26b47aa8857b1bcbcc43848c09bdf9369f1008a17257e099fbd23e1896d3abf98cab228e6538d3da741c96d6072cfffd7b9614df795b05de8cca0
ssdeep: 192:EPraBawFpGxj50/fNB426vRyMrwxOl61YIoBopje4T1jJWA3LZNE6X5PxhKaOdA3:djpGwVB426vRdrEVpt1jFlAAaQF
Entropy: 4.345227

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process       PID    PPID
lsass.exe     496    384
cmd.exe       2932   2888
rundll32.exe  2564   2932
AcroRd32.exe  2836   2564

Description

This file is an AIX executable, intended for a proprietary UNIX operating system developed by IBM. Figure 8 displays 
strings of interest. The strings contained within the file indicate it is a command-line utility. The file is designed 
to update a proprietary data structure on a UNIX system known as "PVPA." The code structure in Figure 9, extracted from 
this application, attempts to perform a raw read of this data structure from memory.

Screenshots
Figure 8 - Screenshot of the strings of interest

Figure 9 - The UNIX AIX executable attempting to perform a read on the data.

ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c

Details

Name: 2.so
Size: 110592 bytes
Type: 64-bit XCOFF executable or object module
MD5: b66be2f7c046205b01453951c161e6cc
SHA1: ec5784548ffb33055d224c184ab2393f47566c7a
SHA256: ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c
SHA512: 6890dcce36a87b4bb2d71e177f10ba27f517d1a53ab02500296f9b3aac0218107ced483d70d757a54a5f7489106efa1c1830ef12c93a7f6f240f112c3e90efb5
ssdeep: 3072:ZGLUeY4Q05eZTe/+3YZbAF/svvtBb0tTy:gLFMAG3YZMF/eBbQTy
Entropy: 4.752979

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process       PID    PPID
lsass.exe     468    384
cmd.exe       2692   2276
rundll32.exe  2864   2692
AcroRd32.exe  2112   2864

Description

This file is an AIX executable, intended for a proprietary UNIX operating system developed by IBM. The application 
provides several exported methods permitting the interaction with financial systems that utilize the ISO8583 standard. 
A list of the ISO8583 functions is displayed in Figure 10 and Figure 11. This file is not considered malicious, but may 
have been used by actors for malicious purposes.

Screenshots
Figure 10 - List of ISO8583 functions

Figure 11 - ISO8583 functions continued

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba

Details

Name: Lost_File.so
Size: 108896 bytes
Type: 64-bit XCOFF executable or object module
MD5: 46b318bbb72ee68c9d9183d78e79fb5a
SHA1: 5375ad3746ce42a6f262f55c4f1f0d273fb69c54
SHA256: 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
SHA512: c91c8ad860d0e03310d8a0c801495e97635a5f8d5e96282dcb343870443ea0519011d745a323d48a941a23b8226a21809d41cd19c8319e99a6c548dd68649ec2
ssdeep: 3072:vGLUeY4Q05eZTe/+3YZbAF/7dvtV06eyk:+LFMAG3YZMF/fV06eyk
Entropy: 4.816181

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process       PID    PPID
lsass.exe     496    384
cmd.exe       2960   2908
rundll32.exe  1864   2960
AcroRd32.exe  2868   1864

Description

This file is a UNIX Common Object File Format (COFF) executable, a format for executable, object code, and shared 
libraries used on UNIX systems. The executable provides several exported methods that enable interactions with 
financial systems utilizing the ISO8583 standard. This file is not considered malicious but may have been used by 
actors for malicious purposes.

Relationship Summary

ab88f12f0a... Contains 75.99.63.27
75.99.63.27 Contained_Within ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629
d465637518... Related_To e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8
e03dc5f144... Related_To d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the 
security posture of their organization's systems. Any configuration changes should be reviewed by system owners and 
administrators prior to implementation to avoid unwanted impacts.


  * Maintain up-to-date antivirus signatures and engines. 
  * Keep operating system patches up-to-date. 
  * Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory 
authentication. 
  * Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the 
local administrators group unless required. 
  * Enforce a strong password policy and implement regular password changes. 
  * Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be 
known. 
  * Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests. 
  * Disable unnecessary services on agency workstations and servers. 
  * Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the 
extension matches the file header). 
  * Monitor users' web browsing habits; restrict access to sites with unfavorable content. 
  * Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.). 
  * Scan all software downloaded from the Internet prior to executing. 
  * Maintain situational awareness of the latest threats and implement appropriate ACLs. 
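One way to implement the "true file type" check recommended above, as an added example that is not part of this report: a small Python routine that identifies a file's format from its header bytes and compares it with what the extension claims. The header signatures for ELF, PE and AIX XCOFF (the format of the samples analysed in this report) are assumed from the public format specifications; the sample inputs are constructed.

```python
# Added example: compare a file's claimed type (its extension) with the
# format its header bytes actually indicate. Sample inputs are constructed.
import struct

# Header signatures assumed from the public format specifications:
#   ELF        : 0x7F 'E' 'L' 'F'
#   PE         : 'MZ' stub with 'PE\0\0' at the offset stored at 0x3C
#   XCOFF32/64 : big-endian 16-bit magic 0x01DF / 0x01F7 (AIX object files)
XCOFF_MAGIC = {0x01DF: "xcoff32", 0x01F7: "xcoff64"}

# Header formats an extension may legitimately carry (assumed policy table).
EXPECTED = {
    ".exe": {"pe"}, ".dll": {"pe"},
    ".so": {"elf", "xcoff32", "xcoff64"},
    ".pdf": {"pdf"}, ".txt": {"text"},
}

def detect_format(data: bytes) -> str:
    """Return a short format label derived from the leading bytes of data."""
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
        return "mz-stub"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if len(data) >= 2 and struct.unpack_from(">H", data, 0)[0] in XCOFF_MAGIC:
        return XCOFF_MAGIC[struct.unpack_from(">H", data, 0)[0]]
    # Crude text heuristic: only printable ASCII and whitespace in the first 512 bytes.
    if data and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data[:512]):
        return "text"
    return "unknown"

def extension_matches(filename: str, data: bytes) -> bool:
    """True when the header format is one the file's extension may carry."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return detect_format(data) in EXPECTED.get(ext, set())

def constructed_pe() -> bytes:
    """Constructed minimal MZ/PE header used only as sample input."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature offset
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 20

if __name__ == "__main__":
    xcoff64 = b"\x01\xf7" + b"\x00" * 22      # constructed XCOFF64 header
    print(detect_format(xcoff64), extension_matches("2.so", xcoff64))
    print(detect_format(constructed_pe()), extension_matches("invoice.pdf", constructed_pe()))
```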

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, 
"Guide to Malware Incident Prevention & Handling for Desktops and Laptops."

Contact Information

  * 1-888-282-0870 
  * NCCICCustomerService () us-cert gov (UNCLASS) 
  * us-cert () dhs sgov gov (SIPRNET) 
  * us-cert () dhs ic gov (JWICS) 

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of 
questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

*What is a MAR?* A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware 
analysis acquired via manual reverse engineering. To request additional analysis, please contact NCCIC and provide 
information regarding the level of desired analysis.

*Can I edit this document?* This document is not to be edited in any way by recipients. All comments or questions 
related to this document should be directed to the NCCIC at 1-888-282-0870 or soc () us-cert gov.

*Can I submit malware to NCCIC?* Malware samples can be submitted via three methods:


  * Web: https://malware.us-cert.gov 
  * E-Mail: submit () malware us-cert gov 
  * FTP: ftp.malware.us-cert.gov (anonymous) 

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, 
software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at 
www.us-cert.gov [ http://www.us-cert.gov/ ].


Revisions

  * October 2, 2018: Initial version 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

