Fake 'Invoice', 'Incoming Docs' SPAM, Locky ransomware campaign
FYI...
Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
4 Sep 2017 - "... Locky downloader... an email with the subject of 'Invoice INV-000379' from Property Lagoon Limited for Gleneagles Equestrian Centre (random numbers) pretending to come from a random name that matches the name in the email body but appearing to come from messaging-service@ post.xero .com...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ian-Centre.png
Invoice INV-000379.7z: Extracts to: INV-000626.vbs - Current Virus total detections 13/59*. Payload Security**
Locky download (VirusTotal ***). These all have a 7z attachment and a link-in-email-body to download the zip. The invoice amounts are random as well.... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1504521374/
INV-000626.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
clubdeautores .es: 91.121.165.214
*** https://www.virustotal.com/en/file/3...is/1504516547/
BSmIimqLX.exe
___
Fake 'Invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/fake-...er-ransomware/
4 Sep 2017 - "... an email with the subject of '45653946 – True Telecom Invoice for August 2017' (random numbers) pretending to come from billing@ true-telecom .com. This is coming via the Necurs botnet but instead of delivering Locky today, this 2nd malspam run is delivering Globeimposter ransomware... In the same way that today’s earlier malspam run that delivered Locky ransomware[1], these have a-link-in-the-body to download the zip and a zip (7z) attachment as well...
1] https://myonlinesecurity.co.uk/fake-...ky-ransomware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...ugust-2017.png
2017-08-45653946-Bill.7z: 2017-08-41840179-Bill.vbs - Current Virus total detections 8/57*. Payload Security**
Another version (VirusTotal 10/58***) | (Payload Security[4]) | downloaded & xor’d binary - VirusTotal 18/64[5] | Payload Security[6]...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1504533698/
2017-08-41840179-Bill.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
world-tour2000 .com: 103.53.172.3
naturofind .org: 85.192.177.103
www .world-tour2000 .com: 103.53.172.3
proyectogambia .com: 87.106.65.247
*** https://www.virustotal.com/en/file/b...4b3b/analysis/
2017-08-92918095-Bill.vbs
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
49.50.240.107
5] https://www.virustotal.com/en/file/b...6f47/analysis/
zojzoefi.exe
6] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'Incoming Docs' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-...vers-trickbot/
4 Sep 2017 - "An email with the subject of 'Important: Incoming BACs Documents' pretending to come from NatWest Bank but actually coming from a look-a-like domain Natwest <message@ natwestbacs .co.uk> or Natwest <message@ natwestbacs .com> with a password protected malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-NatWest.png
SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** | JoeSandBox***
This malware file downloads from
http ://6-express .ch/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to execute.exe (VirusTotal [4]). An alternative download location is
http ://checkpointsystems .de/ser.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co..._bacs_docs.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/4...is/1493724795/
SecureMessage.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86
*** https://jbxcloud.joesecurity.org/analysis/355644/1/html
4] https://www.virustotal.com/en/file/e...is/1504524050/
ser.png
6-express .ch: 77.236.96.52: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/7e...429f/analysis/
checkpointsystems .de: 87.106.183.214: https://www.virustotal.com/en/ip-add...4/information/
___
Locky ransomware campaign
- https://www.helpnetsecurity.com/2017...ns-new-tricks/
Sep 1, 2017 - "... the newest variant adds the .lukitus extension to the encrypted files:
> https://www.helpnetsecurity.com/imag...y-appriver.jpg
... AppRiver researchers explained*. The malware arrives in inboxes attached to emails with vague subject lines like “please print”, “documents”, “scans”, “images”, and so on, And, unfortunately for those who get infected, there are no publicly shared methods to reverse this Locky strain. The crooks behind this malware campaign are asking 0.5 Bitcoin to deliver the decryption key..."
* https://blog.appriver.com/2017/08/lo...acks-increase/
Aug 30, 2017 - "... In the past 24 hours we have seen over 23-million-messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017... a massive malicious email campaign began attempting to reach their inboxes. A large spike in malware traffic began this morning just after 7 am CST... The emails utilized one of the following subject lines:
please print
documents
photo
images
scans
pictures
Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file..."
> https://blog.appriver.com/2017/05/yo...at-ransomware/
:fear::fear: :mad:
Fake 'Scanning', 'Invoice' SPAM
FYI...
Fake 'Scanning' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky...edgroup-co-uk/
5 Sep 2017 - "... Locky downloader... an email with the subject of 'Scanning' pretending to come from random names @ tayloredgroup .co.uk... These have a -link-in-the-body- of the email to download the malware as well as an email attachment. The link does -NOT- go to Dropbox but another compromised website, however the link is not correctly formed in this example so won’t open and gives warning in Outlook:
http ://dna-sequencing .org/MSG000-00090.7z
Screenshot: https://myonlinesecurity.co.uk/wp-co...ored_group.png
SCNMSG00002704.7z: Extracts to: Invoice INV-000518.vbs - Current Virus total detections 13/59*.
Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1504602932/
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
pamplonarecados .com: 5.2.88.79: https://www.virustotal.com/en/ip-add...9/information/
dna-sequencing .org: 66.36.160.119: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/da...53fd/analysis/
MSG000-00090.7z
tayloredgroup .co.uk: 85.233.160.151: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/df...074b/analysis/
__
> http://blog.dynamoo.com/2017/09/malw...ing-to-be.html
5 Sep 2017 - "This -spam- email pretends to be from tayloredgroup .co.uk but it is just a simple -forgery- leading to Locky ransomware. There is -both- a malicious attachment and -link- in the body text. The name of the sender varies.
Subject: Scanning
From: "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date: Thu, May 18, 2017 8:26 pm
https ://dropbox .com/file/9A30AA
Jeanette Randels DipFA
Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA
Members of the CAERUS Capital Group
www .tayloredgroup .co.uk
Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@ tayloredgroup .co.uk
Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited...
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.
Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6] shows -Locky- ransomware attempting to phone home to the following locations:
91.234.35.170 /imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75 /imageload.cgi (McHost.ru / VDSINA, Russia)
McHost is such a well-known purveyor of toxic-crap* that I recommend you block -all- of their ranges (plus I guess the related VDSINA ones), or even block-the-entire Webzilla AS35415**. You can find a list of the network ranges here**. Also thehost .ua also has a lot of crap*** and I would lean towards blocking-whole-network-ranges****.
Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24 "
1] https://www.virustotal.com/en/file/a...is/1504604787/
Invoice INV-000614.vbs
2] https://www.virustotal.com/en/file/9...is/1504604894/
MSG000-00090.vbs
3] https://malwr.com/analysis/ZDEzOWQ0Z...QxMDg3ZDY1OWU/
Hosts
193.227.248.241
4] https://malwr.com/analysis/MzhiNjQ0O...VmNWZkZmQyZjI/
Hosts
109.234.35.75
91.234.35.170
5] https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
193.227.248.241
6] https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
5.2.88.79
* http://blog.dynamoo.com/search?q=mchost
** https://bgp.he.net/AS35415#_prefixes
*** http://blog.dynamoo.com/search?q=Valeriyovuch
**** https://bgp.he.net/AS56485#_prefixes
___
Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
5 Sep 2017 - "... an email with the subject of 'OnePosting Invoice Ready to View' pretending to come from SPECTUR LIMITED <members@ onenewpost .com>. This eventually delivers Dridex banking Trojan... set up by criminals to spread malware and imitate oneposting .com. onenewpost .com was registered on 4th September 2017 by a Chinese entity and is currently hosted on OVH...
Screenshot: https://myonlinesecurity.co.uk/wp-co...dy-to-View.png
The -link-in-the-body- of the email goes to a -compromised- or fraudulently set up OneDrive for business /SharePoint site...
https ://royalpay-my.sharepoint .com/personal/jamie_costello_royalpay_com_au/_layouts/15/guestaccess.aspx?docid=0b0e5809caadd404ab8e21e3a7322f232&authkey=AfQzKtINqI58J1P-xlw10eg
which downloads a zip containing a.js file...
N2398210.zip: Extracts to: IN2398210.js - Current Virus total detections 6/58*. Payload Security**
downloaded Dridex (VirusTotal 32/64***) (I can’t easily determine the actual download location of the Dridex payload. It does come from -another- compromised or fraudulent SharePoint site)... it appears that onenewpost .com is a domain set up by criminals to spread malware... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it...
* https://www.virustotal.com/en/file/a...is/1504580504/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/8...98c3/analysis/
MTXCLU.DLL
onenewpost .com: 188.165.209.31: https://www.virustotal.com/en/ip-add...1/information/
royalpay-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-add...1/information/
:fear::fear: :mad:
Fake 'eBay invoice', 'Virgin Media bill' SPAM
FYI...
Fake 'eBay invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
6 Sep 2017 - "... Locky downloader... an email with the subject of 'Your invoice for eBay purchases (83998749832384616#)' [random numbers] pretending to come from eBay <ebay@ ebay .us>. We are also seeing these pretending to come from all the other main English speaking eBay domains:
ebay@ ebay .com.au
ebay@ ebay .co.uk
ebay@ ebay .com ...
Screenshot: https://myonlinesecurity.co.uk/wp-co...9832384616.png
eBay_Invoice_3476.js - Current Virus total detections 7/59*. Payload Security** | Downloads:
http ://homecarpetshopping .com/bxxomjv.exe (VirusTotal 13/61***)... The link-in-the-email body goes to one of numerous compromised sites. In this case it went to
http ://littleulearning .com/invoive.html
where it downloads an eBay_Invoice_####.js file from
http ://letoftheckhosa .info/invoicing.php
All of the compromised sites in these emails will download or try to download from this address. That creates a randomly numbered eBay_Invoice_.js file. The first 5 or 6 attempts gave me a 0 byte empty file until a working one was delivered... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1504698237/
eBay_Invoice_3476.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
195.123.218.58
91.234.137.145
91.215.186.147
208.79.200.218
62.149.161.147
*** https://www.virustotal.com/en/file/1...is/1504698766/
bxxomjv[1].exe
homecarpetshopping .com: 208.79.200.218: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/70...fb8b/analysis/
littleulearning .com: 66.36.166.87: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/13...ad0d/analysis/
letoftheckhosa .info: 47.88.55.29: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/1e...742b/analysis/
___
Fake 'Virgin Media bill' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
6 Sep 2017 - "... an email with the subject of 'Your Virgin Media bill is ready' pretending to come from Virgin Media <webteam@ virginmediaconnections .com> which delivers Dridex banking trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...media-Bill.png
Virgin Media bill.zip: Extracts to: Virgin Media bill.js - Current Virus total detections 2/59*
Payload Security** | Dridex Payload VirusTotal 14/65*** | Payload Security[4] ... the criminals sending these have registered a look-a-like domain virginmediaconnections .com on 5th September 2017 using eranet .com as registrar and hosted on OVH 176.31.244.44. They are sending these emails from a whole-range-of-IP-addresses that pass email authentication for the -fake- domain virginmediaconnections .com...
The link-in-the-email goes to a compromised or fraudulently set up OneDrive for business/ SharePoint site where a zip file containing a .js file is downloaded. That eventually contacts http ://cabinetcharpentier .fr/css/style.png (which is -not- a png but a renamed .exe file) to download the Dridex banking Trojan...
https ://kobaltsystemsptyltd-my.sharepoint .com/personal/karen_kobaltsystems_com_au/_layouts/15/guestaccess.aspx?docid=1a0c9ac9effc046b6840207579a616453&authkey=AVRvpElPwHq48OG2zdkLMk8 ...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1504695675/
Virgin Media bill.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
91.216.107.90
*** https://www.virustotal.com/en/file/b...is/1504696253/
FFCa9j9ru.exe
4] https://www.hybrid-analysis.com/samp...ironmentId=100
176.31.244.44: https://www.virustotal.com/en/ip-add...4/information/
cabinetcharpentier .fr: 91.216.107.90: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/01...d071/analysis/
kobaltsystemsptyltd-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-add...1/information/
:fear::fear: :mad:
CCleaner 5.33 compromised, Fake 'Revised invoice', 'Status of invoice' SPAM
FYI...
CCleaner 5.33 compromised...
- https://www.helpnetsecurity.com/2017...ored-ccleaner/
Sep 18, 2017 - "... Piriform – the company that develops CCleaner and which has been recently acquired by AV maker Avast – has confirmed* that the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud were affected..."
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
* https://www.piriform.com/news/releas...-windows-users
Sep 18, 2017 - "We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had-been-compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download**. We apologize and are taking extra measures to ensure this does not happen again..."
** https://www.piriform.com/ccleaner/download/standard
- http://blog.talosintelligence.com/20...s-malware.html
Sep 18, 2017 - "... Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode-on-top of the installation of CCleaner... Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities..."
Indicators of Compromise (IOCs):
... IP Addresses
216[.]126[.]225[.]148 "
216.126.225.148: https://www.virustotal.com/en/url/ad...d3a8/analysis/
___
Fake 'Revised invoice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/re-re...r24-extension/
18 Sep 2017 - "... an email with the subject of 'Re: Revised invoice' pretending to come from Sales <Sales@ machinery .com>... it comes with an .r24 extension which is completely unknown to windows. Examining the file in a hex editor shows it has a PK header which means it is a compressed (zip) file. Simply renaming the extension to .zip will allow the contents to be extracted and examined...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-invoice.png
New Invoice.r24 (VirusTotal 9/62*): Extracts to: New Invoice.com - Current Virus total detections 15/65**
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1505723811/
New Invoice.r24
** https://www.virustotal.com/en/file/9...is/1505723863/
New Invoice.com
*** https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'Status of invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/09/malw...e-with-7z.html
18 Sep 2017 - "This spam leads to Locky ransomware:
Subject: Status of invoice
From: "Rosella Setter" ordering@ [redacted]
Date: Mon, September 18, 2017 9:30 am
Hello,
Could you please let me know the status of the attached invoice? I
appreciate your help!
Best regards,
Rosella Setter
Tel: 206-575-8068 x 100
Fax: 206-575-8094
*NEW* Ordering@[redacted].com
* Kindly note we will be closed Monday in observance of Labor Day *
The name of the sender varies. Attached is a .7z archive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename... Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:
yildizmakina74 .com/87thiuh3gfDGS?
miliaraic .ru/p66/87thiuh3gfDGS?
lanzensberger .de/87thiuh3gfDGS?
web-ch-team .ch/87thiuh3gfDGS?
abelfaria .pt/87thiuh3gfDGS?
An executable is dropped with a detection rate of 19/64[5] which Hybrid Analysis[6] shows is phoning home to:
91.191.184.158 /imageload.cgi (Monte Telecom, Estonia)
195.123.218.226 /imageload.cgi (Layer 6, Bulgaria)
.7z files are popular with the bad guys pushing -Locky- at the moment. Blocking them at your mail perimiter may help.
Recommended blocklist:
195.123.218.226
91.191.184.158 "
1] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
85.95.237.29
195.123.218.226
91.191.184.158
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
194.150.248.56
91.191.184.158
195.123.218.226
3] https://malwr.com/analysis/Y2IxOTMwM...ZjNjJjMmViYzQ/
5121669985.vbs
4] https://malwr.com/analysis/MGY4YzRmO...E5NGJjZDA1ZmM/
25860394240.vbs
5] https://www.virustotal.com/en/file/c...c8a7/analysis/
CJgBjTI.exe
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
91.191.184.158
195.123.218.226
216.58.209.228
85.95.237.29: https://www.virustotal.com/en/ip-add...9/information/
195.123.218.226: https://www.virustotal.com/en/ip-add...6/information/
91.191.184.158: https://www.virustotal.com/en/ip-add...8/information/
:fear::fear: :mad:
Fake 'Amazon Invoice' SPAM, 'CCleaner' follow up
FYI...
Fake 'Amazon Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
21 Sep 2017 - "... Locky downloaders... an email with the subject of 'Invoice RE-2017-09-21-00102' (random last 6 digits) pretending to come from Amazon Marketplace <uJLHsSYOYmvOX@ marketplace.amazon .co.uk> (random characters before the @)...
Screenshot: https://myonlinesecurity.co.uk/wp-co...downloader.png
RE-2017-09-21-00102.7z: Extracts to: RE-2017-09-21-00273.vbs - Current Virus total detections 14/58*:
Payload Security** | Downloads
http ://accuflowfloors .com/IUGiwe8? which is a txt file that is -renamed- to nVtcNP.exe (VirusTotal 22/63***)
Other download sites inside this VBS file are:
fulcar .info/p66/IUGiwe8 and
afradem .com/IUGiwe8? - There will be dozens of others in other versions...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1505983662/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
65.182.174.12
*** https://www.virustotal.com/en/file/a...is/1505984851/
TnipmOahC.exe
accuflowfloors .com: 65.182.174.12: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/65...8c18/analysis/
fulcar .info: https://check-host.net/check-dns?host=fulcar.info
[ http://blog.dynamoo.com/2017/09/malw...017-09-21.html
21 Sep 2017
Comment: ... This will be the Necurs botnet. IPs will be all over the place... blocking .7z files would probably not cause much a problem, these are commonly used for Locky right at the moment. ]
afradem .com: 178.255.99.134: https://www.virustotal.com/en/ip-add...4/information/
___
'CCleaner' Command and Control - follow up ...
- http://blog.talosintelligence.com/20...2-concern.html
Sep 20, 2017 - "Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application*. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files. In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized -secondary- payloads...
* http://blog.talosintelligence.com/20...s-malware.html
... These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from -backups- or -reimage- systems to ensure that they completely remove not only the backdoored version of CCleaner but -also- any other malware that may be resident on the system...
Conclusion: Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques. In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks..."
(More detail at the talosintelligence URL above.)
- https://www.helpnetsecurity.com/2017...omise-targets/
Sep 21, 2017
>> https://www.helpnetsecurity.com/tag/ccleaner/
- https://blog.avast.com/progress-on-c...-investigation
Sep 21, 2017
> https://www.askwoody.com/2017/is-you...sts-maybe-not/
Sep 21, 2017
> https://www.ghacks.net/2017/09/21/cc...ad-discovered/
Sep 21, 2017
:fear::fear: :mad: