How Threat Hunting Can Help Defend Against Malware Attacks

By Kris Merritt (Vector8) and Justin Swisher (Anomali)

Since the outbreak of Petya some days ago many articles have been written dissecting the malware, its purpose, and its attribution. These articles used reverse engineering and malware analysis to conduct post incident analysis. Vector8 and Anomali viewed the Petya outbreak differently, leveraging threat hunting techniques developed to identify and pattern malicious behavior evident in malware like Petya.

Specifically, our data source for analysis is a Microsoft Windows Sysinternals tool called Sysmon. In short, Sysmon provides an authoritative source of what’s happening on a computer by linking all observable activity on that system back to the responsible process(es). This is a boon for real-time threat hunting as well as forensic analysis; the conventional follow-on data collection to obtain such details is no longer required. In other words, Sysmon has high resolution and animation (see descriptions of these terms). Read this blog post for further information regarding Sysmon as a detection, hunting, and analysis tool.

By sending Sysmon events to an aggregation point for further querying and historical analysis, our analysis of Petya was limited only by speed of thought, not tooling or data gaps. In this case, the aggregation point is Elastic’s open source “Elastic Stack,” which consists of a Logstash aggregator, Elasticsearch cluster backend, and Kibana web user interface frontend.

Our test environment was a fresh Windows 10 install on a Virtual Machine, preloaded with Sysmon v6, a custom configuration, and a logger that feeds events to Vector8’s analysis platform (Sysmon + Elastic Stack). We copied over a confirmed sample of the Petya malware (027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745) to the machine. Next, we manually ran the malicious DLL via rundll32.exe on the command line with the flag “#1” to activate the malware.

Sysmon analysis
Command line execution of the Petya malware

The following events are recorded by Sysmon and forwarded to the Vector8 cloud platform for analysis. This details how the malware behaves and provides insights into how to detect or prevent similar malware from executing in the future.

  1. The first thing that happens is that Rundll32.exe (the parent process) writes a copy of the DLL to ‘C:\Windows’. This activity is unusual, but not necessarily malicious on its own.
    • Sysmon event ID 11 (File Created)
      Image: C:\Windows\SysWoW64\rundll32.exe
      TargetFilename: C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
  2. Rundll32.exe then accesses the raw disk several times, presumably to modify the MBR. Raw disk access is abnormal, as it bypasses the filesystem to read disk sectors directly. This level of disk access is not normal operation and is very suspicious, especially coming from Rundll32.
    • Sysmon event ID 9 (Raw Disk Access Read)
      Image: C:\Windows\SysWOW64\rundll32.exe
      Device: \Device\Harddisk0\DR0
    • 1 access to the current working volume (\Device\HarddiskVolume2) and 24 accesses to \Device\Harddisk0\DR0
  3. Rundll32.exe schedules a task to force a reboot of the system 60 minutes from the time of execution. Rundll32 creating a scheduled task is a suspicious pattern that should trigger a hunter to investigate.
    • Sysmon event ID 1 (Process Created)
      CommandLine: /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:06
      ParentCommandLine: rundll32.exe 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.dll,#1
  4. Rundll32.exe writes a .tmp file in the user’s Local\Temp directory. Temp files created in this directory would not normally cause alarm, unless linked to another, more suspicious event.
    • Sysmon event ID 11 (File Created)
      Image: C:\Windows\SysWoW64\rundll32.exe
      TargetFilename: C:\Users\tanoo\AppData\Local\Temp\5695.tmp
  5. Rundll32.exe kicks off the .tmp file it wrote earlier and passes it a named pipe on the command line. As referenced above, since this .tmp file is now communicating with another process over a named pipe, a hunter would want to investigate the .tmp file, as this is unusual behavior as well.
    • Sysmon event ID 1 (Process Created)
      Image: C:\Users\tanoo\AppData\Local\Temp\5695.tmp
      CommandLine: "C:\Users\tanoo\AppData\Local\Temp\5695.tmp" \\.\pipe\{77A05906-5A7D-4442-8140-0899A3C4423C}
    • When 5695.tmp runs (Sysmon event ID 1), we get its hash (02EF73BD2458627ED7B397EC26EE2DE2E92C71A0E7588F78734761D8EDBDCD9F), which open source research and VirusTotal results purport to be mimikatz
    • Sysmon pipe events show the pipe creation by rundll32.exe and the connection by 5695.tmp
      • Sysmon event ID 17 (Pipe Created)
        Image: C:\Windows\SysWoW64\rundll32.exe
        PipeName: {77A05906-5A7D-4442-8140-0899A3C4423C}
      • Sysmon event ID 18 (Pipe Connected)
        Image: C:\Users\tanoo\AppData\Local\Temp\5695.tmp
        PipeName: {77A05906-5A7D-4442-8140-0899A3C4423C}
  6. Rundll32.exe writes a file called dllhost.dat to C:\Windows, which is a very suspicious event, as .dat files are not normally written to that directory.
    • Sysmon event ID 11 (File Created)
      Image: C:\Windows\SysWoW64\rundll32.exe
      TargetFilename: C:\Windows\dllhost.dat
    • Open source research corroborates this file write and has concluded it is a legitimately signed PsExec
    • Since dllhost.dat wasn’t executed in our sampling (our VM did not meet the malware’s checks), we don’t get this file’s hash
  7. The .tmp file accesses another running process, lsass.exe. This event could be a solid candidate for a hunting trigger, as it could be indicative of credential harvesting or some other abuse of the Windows Local Security Authority Subsystem Service (lsass.exe). It is not unusual for lsass.exe to be accessed, but a .tmp file doing so is highly unusual.
    • Sysmon event ID 10 (Process Accessed)
      SourceImage: C:\Users\tanoo\AppData\Local\Temp\5695.tmp
      TargetImage: C:\Windows\system32\lsass.exe
      CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5314|C:\Windows\System32\KERNELBASE.dll+290ad|C:\Users\tanoo\AppData\Local\Temp\5695.tmp+3390|C:\Users\tanoo\AppData\Local\Temp\5695.tmp+369a|C:\Users\tanoo\AppData\Local\Temp\5695.tmp+25e9|C:\Users\tanoo\AppData\Local\Temp\5695.tmp+4577|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91
    • Lsass.exe then accesses the malicious rundll32.exe
      • Sysmon event ID 10 (Process Accessed)
        SourceImage: C:\Windows\system32\lsass.exe
        TargetImage: C:\Windows\SysWoW64\rundll32.exe
        CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5ea4|C:\Windows\System32\RPCRT4.dll+6576f|C:\Windows\system32\lsasrv.dll+ceed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+77d63|C:\Windows\System32\RPCRT4.dll+3450f|C:\Windows\System32\RPCRT4.dll+3739a|C:\Windows\System32\RPCRT4.dll+4a2b4|C:\Windows\System32\RPCRT4.dll+491cd|C:\Windows\System32\RPCRT4.dll+49a7b|C:\Windows\System32\RPCRT4.dll+29c1c|C:\Windows\System32\RPCRT4.dll+2a09c|C:\Windows\System32\RPCRT4.dll+4438c|C:\Windows\System32\RPCRT4.dll+45beb|C:\Windows\System32\RPCRT4.dll+386ea|C:\Windows\SYSTEM32\ntdll.dll+325fe|C:\Windows\SYSTEM32\ntdll.dll+330d9|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91

[Figure: Petya activity. Activity related to the execution of the Petya malware from 27 June 2017, as seen in Kibana]

[Infographic: Petya Execution Timeline]

See an in-depth view of Petya’s execution timeline with this infographic.


The result of this type of analysis provides some crucial insights into the behaviors this malware exhibits. These behaviors can be examined and turned into defensive measures such as hunting triggers or even preventative measures through endpoint tools, network tools, or system policies.

For this example, there are a number of behavior patterns we can key on:

  • Process writes a .tmp file, and that .tmp file is later run as a process
  • A .tmp file accesses lsass.exe
  • A schtasks.exe process command line includes the “shutdown” switch
  • Rundll32.exe writes files
  • The string “pipe” is found in a process’ command line
  • A .dat file is written to c:\windows
  • Raw access reads to the DR0 volume

Note that these patterns are all based on endpoint process metadata, like Sysmon output. It’s also important to point out that the fidelity of each of these patterns depends on what is normal in your environment.
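To show how the patterns above become hunting triggers, here is an added example (not Vector8’s or Anomali’s tooling) that runs all seven rules over a few constructed Sysmon-style events modelled on the records quoted in this post. The events are assumed to arrive as time-ordered dicts keyed by Sysmon’s field names; the Image for the schtasks event is assumed to be cmd.exe, since the post shows only its CommandLine.

```python
"""Hunting triggers for the Petya behaviour patterns listed above, run over
Sysmon-style events.  Added example, not Vector8's or Anomali's tooling.
Events are assumed to be time-ordered dicts keyed by Sysmon field names."""
import ntpath

# Constructed sample events modelled on the Sysmon records quoted in the post.
# The Image for the schtasks event is assumed to be cmd.exe (the post only
# shows its CommandLine and ParentCommandLine).
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "TargetFilename": r"C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"},
    {"EventID": 9, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "Device": r"\Device\Harddisk0\DR0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\SysWoW64\rundll32.exe",
     "CommandLine": r'/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:06'},
    {"EventID": 11, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "TargetFilename": r"C:\Users\tanoo\AppData\Local\Temp\5695.tmp"},
    {"EventID": 1, "Image": r"C:\Users\tanoo\AppData\Local\Temp\5695.tmp",
     "ParentImage": r"C:\Windows\SysWoW64\rundll32.exe",
     "CommandLine": r'"C:\Users\tanoo\AppData\Local\Temp\5695.tmp" \\.\pipe\{77A05906-5A7D-4442-8140-0899A3C4423C}'},
    {"EventID": 11, "Image": r"C:\Windows\SysWoW64\rundll32.exe",
     "TargetFilename": r"C:\Windows\dllhost.dat"},
    {"EventID": 10, "SourceImage": r"C:\Users\tanoo\AppData\Local\Temp\5695.tmp",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    # Constructed benign noise: an installer writes a .tmp that never executes.
    {"EventID": 11, "Image": r"C:\Program Files\Setup\setup.exe",
     "TargetFilename": r"C:\Users\tanoo\AppData\Local\Temp\abc.tmp"},
]


def hunt(events):
    """Return (rule, detail) hits for the seven patterns in the post.

    State is kept across events so that 'process writes a .tmp file, and that
    .tmp file is later run as a process' can be correlated across event IDs.
    """
    hits = []
    tmp_written_by = {}          # lower-cased .tmp path -> image that wrote it
    for ev in events:
        eid = ev["EventID"]
        image = ev.get("Image", "")
        lower = image.lower()
        if eid == 11:            # FileCreate
            target = ev["TargetFilename"]
            tl = target.lower()
            if tl.endswith(".tmp"):
                tmp_written_by[tl] = image
            if lower.endswith("\\rundll32.exe"):
                hits.append(("rundll32_writes_file", target))
            if tl.endswith(".dat") and ntpath.dirname(tl) == "c:\\windows":
                hits.append(("dat_written_to_windows_dir", target))
        elif eid == 1:           # ProcessCreate
            cmd = ev.get("CommandLine", "")
            cl = cmd.lower()
            if lower in tmp_written_by:
                hits.append(("tmp_file_executed",
                             f"{image} written by {tmp_written_by[lower]}"))
            if "schtasks" in cl and "shutdown" in cl:
                hits.append(("schtasks_schedules_shutdown", cmd))
            if "pipe" in cl:
                hits.append(("pipe_in_command_line", cmd))
        elif eid == 9:           # RawAccessRead
            if ev.get("Device", "").lower().endswith("\\dr0"):
                hits.append(("raw_read_of_dr0", image))
        elif eid == 10:          # ProcessAccess
            src = ev.get("SourceImage", "")
            if (src.lower().endswith(".tmp")
                    and ev.get("TargetImage", "").lower().endswith("\\lsass.exe")):
                hits.append(("tmp_accesses_lsass", src))
    return hits


def rules_fired(events):
    """Distinct rule names that fired, sorted; several firing on one host
    is a far stronger hunting lead than any single pattern alone."""
    return sorted({rule for rule, _ in hunt(events)})


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule:30} {detail}")
    print("rules fired:", rules_fired(EVENTS))
```

Which of these rules are worth alerting on alone, and which only in combination, depends on the baseline of rundll32 and .tmp activity in your own environment.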

Threat hunting can be used as a powerful tool not only to detect malicious behavior missed by other security measures but also drive a deeper understanding of how malicious software, actor tools, and behaviors work and how to proactively detect or prevent them.

Anomali partners with Vector8 to provide threat hunting services. To find out more about this service, see our Professional Services page.

This is a joint blog between Anomali and Vector8. Vector8 provides threat hunting services leveraging tools, techniques, and expertise introduced in this blog. For more information on Vector8, visit them at

Source: Honeypot Tech

WTB: New “WPSetup” Attack Targets Fresh WordPress Installs

The intelligence in this week’s iteration discusses the following threats: Adobe Patches, Android Malware, Cloud Leaks, Point-of-Sale, Ransomware, Remote Access Trojan, and Windows Protocol Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

GhostCtrl Is an Android RAT That Also Doubles as Ransomware (July 17, 2017)
A new Android Remote Access Trojan (RAT) called “GhostCtrl RAT,” has been used in a wave of attacks against Israeli healthcare organizations. GhostCtrl RAT is a variant of OmniRAT, which targets four operating systems: Android, Linux, macOS and Windows. GhostCtrl tries to hide itself by masquerading as popular applications. It has a large amount of functions such as data exfiltration, audio and video recording, ransomware, controlling bluetooth, and more.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. This will make it easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity.
Tags: RAT, Android, Malware

New “WPSetup” Attack Targets Fresh WordPress Installs (July 14, 2017)
A campaign was discovered that took place in May and June that targeted fresh installations of WordPress which allowed an attacker to take over the hosting account. The attackers scanned for a URL used by new installations of WordPress, “/wp-admin/setup-config.php.” The URL, if present, indicates that the user did not complete the installation steps. An attacker is able to go through the first steps of the installation and enter their own database server information. This allows an attacker to create an admin-level account on the victim’s server, which gives the attacker the ability to run any PHP code on the hosting account.
Recommendation: Website administrators should always make sure that their WordPress installation is complete as soon as possible. Additionally, website administrators should also use a web application firewall to block unwanted access. One can also use a “.htaccess” file to limit access by IP address.
Tags: WordPress, Vulnerability

A .NET malware abusing legitimate ffmpeg (July 13, 2017)
A new wave of malware that records videos and spies on user activities is being distributed in a new campaign, according to researchers. First discovered in 2015, the malware’s objective is to spy on a user’s banking activities. The malware contacts a Command and Control (C2) server over TCP. The C2 server requests information on the infected machine, and then sends the infected machine a list of targeted banks which are saved in the registry. The legitimate program “FFmpeg” is downloaded and used to record videos of the victim. The recording event is triggered when the victim opens a website associated with banking. The video is then sent to the C2 server encoded in Base64.
Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and failsafe). Also take a look at processes running in your computer in the background that should not be running. If there are unexpected processes running, you should terminate them and run a virus scan immediately.
Tags: Malware, FFmpeg, Banking

Meet Ovidiy Stealer: Bringing Credentials Theft to the Masses (July 13, 2017)
A new credential-stealing malware called “Ovidiy Stealer” has been found being advertised for sale on Russian-speaking marketplaces, according to Proofpoint researchers. The malware is offered for purchase for 450-750 Rubles (approximately $7-13 USD). Ovidiy Stealer is being distributed via emails with compressed executable attachments or links to an executable download. The malware can steal information from multiple web browsers and credentials from targeted applications on a Windows OS machine.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Credential theft, Ovidiy

New Ransomware Threatens to Send Your Internet History and Private Pics to All Your Friends (July 13, 2017)
Two malicious applications were discovered in the Google Play Store to contain malware called “LeakerLocker,” according to McAfee researchers. Researchers call the malware a form of ransomware except that it does not encrypt files. Instead the malware gathers information from the infected device and then displays a screen that threatens to share the data unless a payment is made. LeakerLocker can read various forms of data including Chrome history, device information, email address, pictures, as well as random text messages and call information.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Ransomware, LeakerLocker, Mobile

Telegram-based Katyusha SQL injection scanner sold on hacker forums (July 12, 2017)
A Russian-speaking hacker is offering an automated SQL injection vulnerability scanner tool, called “Katyusha,” for sale on an underground forum. The tool is based on the open source Arachni web app security scanner. Katyusha is controlled via a web app and it can be monitored using the Telegram messenger. In addition to identifying SQL injection flaws within websites, the tool is able to perform actions such as brute-forcing logins, dumping databases, and uploading web shells.
Recommendation: Properly sanitize user-provided data to prevent injection attacks. Using prepared statements and stored procedures, implementing escaping schemes, properly limiting privileged accounts, and using input validation are further steps you can take to better protect your company from SQL injection attacks.
Tags: Telegram, SQL, Vulnerability

Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (July 12, 2017)
UpGuard researchers discovered in late June that the Israeli technology company, “Nice Systems,” controlled an Amazon S3 storage bucket that was misconfigured. The bucket was configured to be publicly accessible, and the data was downloadable by anyone who was able to guess the correct web address. The data was available for download for approximately one week, according to researchers. The files stored consisted of 14 million Verizon customer records with each record containing cell phone number, full name, and their account PIN.
Recommendation: Always make sure your cloud storage is properly configured. Experts have been warning companies that Amazon S3 buckets are too often misconfigured. Leaked data can be used by extortionists in an attempt to make money. Ensure that any cloud storage services you use are properly configured to only allow access to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store.
Tags: Verizon, Breach

LockPOS Joins the Flock (July 12, 2017)
Arbor Networks researchers have discovered that an inactive C2 server for the “FlokiBot” Point of Sale (POS) malware has recently become active. Interestingly, the C2 is not distributing FlokiBot but was instead identified to be distributing a new strain of POS malware dubbed “LockPOS.” Additionally, researchers believe that the same actors behind FlokiBot are responsible for LockPOS because both are distributed by the same botnet and share a C2 host.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of FastPoS infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: POS, LockPOS

Spam Campaign Delivers Cross-Platform Remote Access Trojan Adwind (July 11, 2017)
The “Adwind” Remote Access Trojan (RAT) has reappeared in a spam-distribution campaign, according to Trend Micro researchers. The spam emails attempt to trick recipients into following a malicious URL to download a PDF file. This download will install the Adwind RAT that is capable of filming and retrieving videos, exfiltrating data, keylogging, stealing credentials, and taking pictures or screenshots.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: RAT, Adwind

TAXIIing to the Runway

Common challenges in starting a threat intelligence program

Once considered a “nice to have”, threat intelligence is now increasingly seen as a critical part of security programs. In the 2016 Value of Threat Intelligence: Ponemon Study, 78 percent of respondents polled agreed that threat intelligence was essential to a strong security posture. From that same Ponemon Study, 70 percent of respondents also stated that threat intelligence is often too voluminous or complex to provide actionable information. Why then, if threat intelligence is so challenging, are threat intelligence programs still worthwhile for organizations to develop? Regardless of the size or bandwidth of your organization, threat intelligence can provide value through:

  • Improved visibility and situational awareness
  • Increased response efficiency
  • A method to identify malicious activity that other technologies may have missed

With those advantages in mind, we’ll explain some of the key aspects of managing threat intelligence so you can take your threat intelligence program from TAXII to takeoff.

Collecting Information
First and foremost, you’ll need to gather information. Think of this as boarding passengers on a plane: it’s not a particularly useful flight if there isn’t a complete retinue of passengers. The most common way to get these “passengers” is to start collecting data from open source threat intelligence feeds, which provide information on a broad range of topics. It’s important to note, though, that not all of these feeds will be relevant to your organization, and pulling information from as many as possible might result in too much information. This may seem counterintuitive: more information means better security coverage, right? Unfortunately, having all of this information is no guarantee that it will be usable. Other issues such as duplicate data, lack of context and a high number of false positives further complicate the data collection process. Just as you wouldn’t want duplicate reservations, an overbooked flight, or no-shows, you wouldn’t want incorrect or ultimately useless data. There are some ways to make this data more usable and integrate it into an analyst workflow, such as adding context.

Adding Context
Adding context where there is little or none is perhaps the most important next step in getting your threat intelligence program away from the gate and onto the runway. It’s simple enough to know that a flight needs to take off, but you’ll need more information from air traffic control to know which runway to use or when to leave. Similarly, knowing that an IP is reportedly malicious is beneficial but not as actionable as knowing who or what else that IP is associated with. Luckily, there are numerous free or paid websites available that can provide additional context, such as SHODAN, VirusTotal, Malwr, IPVoid, threatminer, DomainTools, and more. The only drawback to these tools is that using them separately for every piece of data is not particularly efficient. Analysts must spend a significant amount of time copying, pasting and collecting from many different resources. The solution is to find ways to integrate these enrichments of your data in an automated fashion. This can be done with APIs, product integrations, or specific tools designed to aid in this area such as Anomali ThreatStream.

Managing Intelligence
There are also numerous free and open source resources available to help collect and manage gathered intelligence, such as CIF, CRITS, MISP, YETI, STAXX, Cuckoo and the Modern HoneyNet. These tools are highly beneficial in regard to price, community support, plugins and tool integrations. They’re not without their own challenges, though: users must self-support and self-maintain these platforms in their environments, integrations and plugins sometimes go dormant or require additional effort to maintain and support, and while they can certainly help manage and curate intelligence, they won’t address all the key challenges in making intelligence data actionable in an environment. Free tools like STAXX are more comprehensive in speeding adoption and increasing the value of gathered threat intelligence, although, like the other tools mentioned, STAXX lacks the features of bigger commercial products. Your mileage may vary depending on your intelligence needs, what you are trying to get out of threat intelligence, and the internal resources you have available to support and maintain these platforms.

Training Analysts
Another important step in getting your threat intelligence program to take off is to get your analyst(s), the pilots of threat intelligence programs, up to speed. This can be done via training on threat intelligence principles and involving personnel in daily intelligence generation and analysis. This isn’t to say that you need a full-time analyst on staff straight away (although the same can’t be said for an actual flight). The threat intelligence function may simply be a special function within the SOC or an Incident Response team, or it could exist as its own separate function.

Airline analogies aside, starting off a threat intelligence program can be relatively straightforward if you know what resources to use and what potential drawbacks to watch out for. Start by collecting information on observed attacks and add in contextual details where possible. This point cannot be stated strongly enough: threat feeds in themselves are not intelligence. Understanding your own environment, the attacks you see, and extrapolating meaning from the data available regarding those attacks is an awesome start to standing up a functional threat intelligence program in your organization. As you add in data from threat intelligence feeds and other sources, make sure to curate them for bad data or irrelevant information. Remember also that not everything will be relevant to your organization. Try leveraging tools such as Anomali STAXX to help sort and manage gathered data; it’s free and possesses many capabilities of a commercial Threat Intelligence Platform (TIP), although it lacks the more robust features that are useful for fully operationalizing threat intelligence. Also, be sure to invest in training analysts with books, webinars, online videos, training and more to ensure that they can be as effective as possible. And, to toss one last analogy in, like the safety briefing at the beginning of a flight, we hope that this has given you some useful information to advance your threat intelligence program to takeoff.

Anomali Forums

Missed a connection, or unclear of what gate to head to next? Check out the Anomali Forum for more discussion.

WTB: Hard Rock, Loews Hotels Admit Data Breach

The intelligence in this week’s iteration discusses the following threats: Credit Card theft, Distributed Denial-of-Service, Mobile malware, Payment System breach, Point-of-Sale, Ransomware, Remote Access Trojan. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Hard Rock, Loews Hotels Admit Data Breach (July 10, 2017)
Hard Rock Hotels and Casinos and Loews Hotels have both released statements in which they confirmed that they had been breached with information-stealing malware. Unknown actors were able to gain access to card payment systems in multiple Hard Rock locations and steal unencrypted credit card data. The hotel company stated that the breach began on August 10, 2016, and the last access to credit card data was on March 9, 2017. Loews Hotels was also similarly affected and unknown actors were able to steal an unspecified amount of credit card information.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: Breach, POS, Credit card theft

Self-Service Food Kiosk Vendor Avanti Hacked (July 8, 2017)
A self-service payment kiosk company, Avanti, has had a breach of its networks that allowed hackers to push malware to their payment kiosks. Avanti have warned that the breach may have put customer credit card accounts and their biometric data at risk. The company has approximately 1.6 million customers. The kiosks were infected with the point-of-sale malware known as “PoSeidon.”
Recommendation: POS networks should be carefully monitored for unusual activity, so keeping logs of what typical network activity looks like is very important. In the case of strange activity, taking POS systems offline and repopulating them is a safe remediation step in order to avoid possible loss of reputation, or lawsuits by individuals who had their credit card information stolen and possibly used by cybercriminals.
Tags: PoS, Breach, Malware

Broadpwn Bug Affects Millions of Android and iOS Devices (July 8, 2017)
Security researcher Nitay Artenstein has discovered that “BCM43xx” Wi-Fi chips made by Broadcom are vulnerable to a bug that allows an attacker to remotely execute code on a victim’s device. The Broadcom chips are embedded in millions of iOS and Android devices. The vulnerability can be exploited when a user is within range of an attacker’s Wi-Fi network. The bug appears to be a heap overflow that can occur when the victim’s device receives a special packet from a connected network.
Recommendation: Users should only connect to Wi-Fi networks that they trust. Users should also disable any Wi-Fi auto-connect feature. Google has made a patch for this vulnerability for Android devices. It is recommended that users’ phones are always kept up to date. To check if your Android phone is updated, go to “Settings” -> “About Device” -> “Software info” and check to see if the “Android security patch level” is at least “2017-07-05.” It is still unknown whether Apple have addressed this vulnerability.
Tags: Android, Remote Code Execution, iOS, wifi

How the CopyCat Malware Infected Android Devices Around the World (July 6, 2017)
Security researchers have identified a malware for Android, called “CopyCat,” that has infected approximately 14 million Android devices primarily located in Southeast Asia. CopyCat is able to root devices and inject code into the Zygote daemon. This allows CopyCat to control any activity on the device. CopyCat uses control of the phone to generate illicit advertisement revenue by displaying fraudulent adverts and stealing the referrer IDs of applications that CopyCat installs from Google Play.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Android, Malware, CopyCat

M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 (July 6, 2017)
On July 4, 2017, Ukrainian authorities seized update servers owned by the Ukrainian accounting service company, “M.E.Doc,” that distributed malicious updates that contained the “NotPetya” ransomware. Researchers analyzed the servers and discovered that they had not been updated since 2013. Additionally, Cisco researchers believe that the group responsible for compromising the servers and distributing the malicious updates is a cyber espionage group called “TeleBots.” It is believed the group infiltrated M.E.Doc by stealing employee credentials.
Recommendation: It is crucial that your company ensures that servers are always running the most current software version. In addition, your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business safely. Furthermore, always practice Defense in Depth (don’t rely on single security mechanisms; security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Breach, Petya/NotPetya, Ransomware

New Konni Campaign References North Korean Missile Capabilities (July 6, 2017)
Talos researchers have identified a new campaign that is distributing the “Konni” Remote Access Trojan (RAT). The Konni malware has been distributed in three previous campaigns over the past three years. In this campaign, the malware is being distributed via a phishing campaign that began on July 3, 2017. The phishing campaign uses a malicious attachment titled “N.K. marks anniversary of strategic force, touting missile capabilities.” If the attachment is opened, the Konni malware will begin its infection process by dropping executables.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service like Box or Dropbox.
Tags: Konni, RAT, Phishing

New Azer CryptoMix Ransomware Variant Released (July 5, 2017)
The security researcher known as “MalwareHunterTeam” has discovered a new variant of the “Cryptomix” ransomware, called “Azer.” The malware has no network communication processes and functions entirely offline. As of this writing, the ransom note that appears after infection does not specify a monetary amount needed to purchase the decryption tool. Instead, the note provides an email address for the user to contact for further instruction.
Recommendation: It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Cryptomix, Azer variant, Ransomware

AdGholas Malvertising Thrives in the Shadows of Ransomware Outbreaks (July 5, 2017)
Recently, the prolific malvertising gang “AdGholas” has initiated a new wave of drive-by download attacks that push the “Astrum” exploit kit. AdGholas creates fake websites, usually mirroring legitimate websites by changing the logo and acquiring a legitimate SSL certificate. This is done to fool the ad agencies that distribute their malicious adverts on popular websites. The redirect tag hosted on their fake website loads a landing page for the Astrum exploit kit. New AdGholas/Astrum infection chains have been dropping ransomware.
Recommendation: Because many exploit kits use known vulnerabilities, it is imperative that users make sure all software is up to date. This makes it much harder for malicious actors to compromise systems. Another layer of protection is to use an ad-blocker in order to stop adverts being served to the user’s machine, but this does not fix the underlying vulnerabilities.
Tags: AdGholas, Malvertising

SLocker Mobile Ransomware Starts Mimicking WannaCry (July 5, 2017)
The Android mobile ransomware, “SLocker,” was observed to be using the same Graphical User Interface (GUI) of the “WannaCry” ransomware, according to Trend Micro researchers. The researchers released new information about a SLocker variant that was first identified in May 2017. The malware is distributed by impersonating guides and tools for legitimate games in addition to video players.
Recommendation: Always keep your mobile devices fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and the comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: SLocker, Mobile, Ransomware

In ExPetr/Petya’s Shadow, FakeCry Ransomware Wave Hits Ukraine (July 4, 2017)
Kaspersky researchers have identified a new strain of ransomware, dubbed “FakeCry,” that is targeting Ukrainian entities. As of this writing, approximately 90 Ukrainian organizations were attacked with FakeCry. Similar to the ExPetr/Petya outbreak on June 27, 2017, FakeCry was also distributed via compromised MeDoc (Ukrainian accounting software) updates, at the same time ExPetr/Petya was being distributed.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case that a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, which are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: FakeCry, Ransomware

Fourth Largest Cryptocurrency Exchange Was Hacked. Users Lose Ethereum & Bitcoin (July 4, 2017)
Around 3% of the user base (over 31,800 users) of “Bithumb,” the world’s fourth largest cryptocurrency exchange, have had their details stolen. These details included customer names, email addresses, and mobile phone numbers. The company revealed that one of their employees had had their laptop hacked by an unknown attacker. Bithumb users have started complaining that their accounts were being drained. It is not clear how the attacker used the stolen details to compromise accounts. Bithumb promises to reimburse affected users.
Recommendation: One of the best ways to secure your Bitcoins against theft is by using hardware wallets. Hardware wallets are a type of Bitcoin wallet that stores the owner’s private keys on a hardware device that is secure from hacking attempts. Cold storage wallets can also be used to assist in Bitcoin security. Cold wallets are placed on clean air-gapped computers and therefore protect all private keys from online threats. Cold storage is more tedious to use but increases security.
Tags: Cryptocurrency exchange, Breach

Malspam With Java-Based RAT (July 4, 2017)
Researchers have discovered a new malspam campaign that attempts to infect recipients with a Java-based Remote Access Trojan (RAT). The sender of the malicious email purports to be “Jees George Cherian,” a Parts Sales Representative for “General Transportation & Equipment Co.” The content of the email claims that a colleague is on leave and requests that the recipient open the attachment in order to proceed with payment. The malicious attachment, titled “INVOICE LIST,” is a .jar file that will infect the user’s machine if opened.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Additionally, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management. Anti-spam and antivirus applications provided from trusted vendors should also be employed.
Tags: Malspam, RAT

Android Vulnerabilities in Lenovo Vibe Allow Jailbreaking (July 3, 2017)
A vulnerability in Lenovo VIBE mobile phones allows a malicious user with physical possession of a device that has no secure lock screen to escalate privileges to the root user (rooting/jailbreaking). The vulnerabilities involve applications that allow private data to be backed up and restored via Android Debug Bridge, which allows for tampering.
Recommendation: Devices that have been upgraded to Android 6.0 Marshmallow and above are not affected. It is recommended that users upgrade their devices. If the user is not able to update, then the user should disable Android Debug Bridge, via the Android Developer Options menu, when not in use. Also, since the vulnerability requires the attacker to have access to the physical device, users should enable lock screen authentication mechanisms, such as a PIN or password protection.
Tags: Android, Mobile, Vulnerability

UK Teen Charged with Running DDoS Booter Service (July 3, 2017)
An 18-year-old resident of Manchester, UK, named Jack Chappell, has been arrested by UK authorities. Chappell has been accused of creating malware that he installed on devices around the world. The compromised devices were then used to create a Distributed Denial-of-Service (DDoS) botnet that he would allow access to for paying customers. The botnet was used to launch DDoS attacks against companies located around the globe.
Recommendation: Denial of service attacks can cost your company revenue because severe attacks can shut down online services for extended periods of time. With the leak of the Mirai botnet source code in October, the ability of threat actors to compromise vulnerable devices and to purchase DDoS for hire is a continually evolving threat. Mitigation techniques vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Tags: Cybercriminal, DDoS

Source: Honeypot Tech

[Strategic Security Report] Assessing Cybersecurity Risk

As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today’s enterprises evaluate the risks they face. This report also offers a look at security professionals’ concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Source: Cyber Monitoring

Anomali Forum – Your Cyber War Room

Zero-day exploits such as last week’s Petya can be a nightmare of damage to a company’s information, systems and reputation. One of the more practical solutions for such an attack is for companies to band together and share information that could bolster defences or prevent the next outbreak. There are traditional channels for doing this like ISACs, other sharing groups and security products, but these methods still lack the immediacy that is vital to managing attacks of such magnitude.

To help with this issue, the Anomali Forum has a chat feature that enables users within organizations and Trusted Circles to talk with one another in an immediate and secure fashion. Although simple in principle, the Forum’s chat has the potential to transform a place for discussion into a war room for cyber battles such as Petya and WannaCry.

Even when all is quiet on the cyber front, the Anomali Forum provides customers a place to discuss security topics, ask questions and provide answers. Previous topics have covered virtually anything – trends, threat intelligence, zero-day vulnerabilities and threat investigation best practices. Users can reply, bookmark, post, flag, like and share topics and earn badges for participation.

The Anomali Forum is also a great way for users to give feedback to us at Anomali. Any user can create a feature request and subsequent poll that other users can then vote on.

Getting Started

You can get started with the Anomali Forum right away by visiting

If you wish to create any topics, ask questions or discuss any existing blog posts, then you can click on Log In (upper right-hand corner). Access to content differs based on whether you are a free STAXX user or a paying ThreatStream and Anomali Enterprise customer.

You can select any of the products with a registered account. If you are an existing ThreatStream user then you can simply select the ThreatStream option and log in with single sign-on.

We will be adding content on a daily basis, so please be sure to stop by to Post, Like and Share!

If you would like to see any further improvements to the Anomali Forum, please visit our Site Feedback category, where you can discuss the forum, how it works and how we can improve it.

Source: Honeypot Tech

WTB: More Security Firms Confirm NotPetya Shoddy Code Is Making Recovery Impossible

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January of 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development, with version 4 being released around October 2016. Cerber has been distributed through phishing lures, exploit kits and malvertisement.
Tags: Cerber, Ransomware

Source: Honeypot Tech

How Anomali Enterprise Helped Me Detect Malware In My Home Network

Have you ever wondered who is trying to connect to your home network? Or from your home network to the internet? Few internet users consider either of these questions (and the ones that do usually work in the security industry). Many believe the router their internet service provider issued to them is more than sufficient to protect them from threats. Time after time, even the most basic step to improve security – changing the default router password – is ignored by consumers. Coincidentally my ISP, Virgin Media, recently told 800,000 of their customers using default passwords to change them immediately.

“You Will Be Breached”

This ethos holds true as much in the commercial world as it does for your home network. But has my home network already been breached? I decided to use Anomali Enterprise to identify any potential malicious activity.

Introducing Anomali Enterprise

Anomali Enterprise (AE) is a powerful Threat Hunting engine that compares millions of IOCs against your network traffic to identify active threats. AE can analyze millions of Indicators of Compromise (IOCs) against billions of events every day. In the case of my home network, currently generating an average of 2 million log lines per day, AE is more than sufficient (to put it lightly!).

Topology (and shopping list)

The network topology of my home network is fairly simple. Most devices connect wirelessly to my router, an Asus RT-AC68U. Some network switches are plugged directly into the router. In either scenario all data in and out of the network flows through the router. Anomali Enterprise can accept raw syslog feeds from any network device. Given the simplicity of my network I decided to stream syslogs from my router to AE. One other thing to note: not all routers support streaming of router logs via syslog, especially the cheap ones provided by ISPs.

Once I figured out how to configure syslog streaming I then needed to set up a machine to run Anomali Enterprise and Anomali Universal Link, a client that sits in front of AE to parse the incoming raw syslog feeds. The machine needed to be both powerful enough for AE to analyse my network traffic against millions of IOCs and have enough storage to handle all of the information being thrown at it. For this, I used a spare Mac Mini I had lying around that met the hardware specifications required. I then installed VMware Fusion on the Mac Mini to run an OS supported by AE – I chose CentOS – and proceeded to set up and configure both Anomali Enterprise and Anomali Universal Link on it.

What I Found

Lots of inbound threats from China

And Russia. And the United States. And Ukraine. You get the idea.

That were predominantly scanning IPs

Most IOC matches, totaling hundreds per day, were known scanning IPs. My router reports all information including blocked requests by its firewall so this was unsurprising.

And generally benign

Anomali ThreatStream Threat Intelligence ranks the severity and confidence of an IOC match. I can use AE’s powerful search interface to filter and pivot quickly on the threats detected. This made it easy to identify that most matches were fairly benign with low severity and low confidence scores. 

Though some were more serious

Not only were scanning IPs identified by Anomali Enterprise, some outbound connections were being made to a recently identified malware IP. As Anomali Enterprise allowed me to see the detailed analysis and context for the malware IOC in question and view the raw log of the event, I was able to easily identify the potentially compromised machine. Thankfully (for me) in this case it was just one machine and it belonged to a friend who had connected his laptop to the WiFi at my house whilst visiting.

Being extra cautious, I was also able to retrospectively compare this recent malware IOC against all my historic network logs stored in Anomali Enterprise. Thankfully, no matches this time.

In Summary

Whilst there were some known threats observed by Anomali Enterprise on my network, most were nothing to worry about. I was able to triage matches and come to this conclusion quickly because Anomali Enterprise provided:

  1. A detailed analysis and context of every IOC matched to my network data
  2. The ability to view the raw log of an event that matched a known IOC
  3. The option to run a forensic search to discover if an IOC had ever been seen in my network data previously

Clearly in a larger corporate network, the amount of data being generated will be significantly greater than on my home network. Corporate networks are more likely to be the subject of targeted and sustained attacks with many more points of weakness (generally employees).

You should see what Anomali Enterprise is really capable of…

Source: Honeypot Tech

Petya (NotPetya, Petrwrap)

A malware strain that appears to be based on the “Petya” ransomware began targeting and infecting governments and businesses worldwide on June 27th, 2017. Since dubbed “NotPetya” by some researchers, and “Nyetya” by others, this malware has spread across Europe and North America and infected several businesses in countries and regions such as Denmark, France, Germany, India, Russia, Spain, Ukraine, North America and the United Kingdom. The Petya ransomware trojan is speculated to be part of a Ransomware-as-a-Service (RaaS) malware family that was first advertised as a RaaS by Janus Cybercrime Solutions in late 2015.

The threat actors behind this campaign are currently demanding that an email be sent to “wowsmith123456@posteo[.]net” for the decryption key, accompanied by a payment of 300 USD in Bitcoins sent to “1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX”. The German email provider, Posteo, has blocked the email address that was being used to manage the ransom demands. This now prevents users from receiving decryption keys even if the ransom is paid. It is unknown if the actors behind the campaign will attempt to create a new email account to manage any additional funds that may be received. The actors’ Bitcoin wallet has since received 3.99009155 Bitcoins ($10,161 USD).

Figure 1. Ransom Notification

Anton Gerashchenko, an aide to the Ukrainian Interior Minister, has stated that this infection is “the biggest in Ukraine’s history.” Numerous companies across various industries have been infected with the Petya ransomware. Kievenergo, a utility company, turned off all of their computers after Petya breached their network. Another power company, Ukrenergo, has also reportedly been affected by the malware. Ukraine’s Central Bank has issued a warning on their website regarding how several banks within the country have also been targeted by threat actors. Additionally, the Ukrainian deputy prime minister, Pavlo Rozenko, tweeted an image of a black computer screen, stating that the entirety of the government’s computer system had been shut down because of the trojan.

The malware distribution has also reached entities in Denmark and France. The Danish conglomerate company, Maersk, has stated that its customers are unable to use online booking systems and that their internal systems are offline.

Saint-Gobain, a French manufacturing company, has also released a statement discussing that they too have been affected by Petya.

As news of the ransomware circulated on June 27, so too did theories of the infection method. Many researchers and companies alike claimed that the malware’s propagation was similar to the May 12th, 2017 outbreak of WannaCry ransomware via the EternalBlue exploit, while others claimed that the infection vector was a phishing campaign with malicious Word document attachments. As the day progressed in Europe it became clear that Russian and Ukrainian entities were most affected. At 11:49 a.m. (UTC+02:00), Ukrainian authorities published a Tweet in which they claimed that the infection was caused via an update issued by the Ukrainian tax accounting package called “MeDoc.” MeDoc has since issued a statement on Facebook denying these allegations.

Researchers now believe that, in some cases, the initial infection vector was associated with contaminated software updates from MeDoc. Contrary to their statement made earlier in the day, MeDoc released another statement stating that their servers had “made a virus attack.” According to Ukrainian authorities, MeDoc has a built-in update feature that updates periodically. It is believed that this feature was exploited to deliver the malicious Petya Dynamic Link Library (DLL). Researchers also believe that a threat actor(s) managed to compromise the MeDoc server that handled the software updates in order to switch the updates from legitimate software to a malicious payload.

Once inside a victim’s network, Petya spreads internally using the PsExec tool, which allows execution of processes on other systems, and Windows Management Instrumentation (WMI), which provides information about local or remote computer systems. Prior to using said tools, Petya will first harvest user credentials from the infected system; these are then passed to PsExec and WMI to gain access to other machines and systems connected to the network.

Additional information and analysis has led researchers to believe the ransomware was not, in fact, Petya. Researchers instead maintain that this is a new strain of ransomware, which was subsequently dubbed “NotPetya.” Other researchers maintain that, due to code reuse between this strain and previously observed strains of Petya, this is indeed a new variant of the Petya ransomware. Regardless, researchers have also discovered a way to “vaccinate” a machine against NotPetya. However, unlike the WannaCry ransomware, which could be killed via a network connection, this “vaccination” requires modifying a potential victim machine prior to infection. This involves creating the file that NotPetya drops in the Local Disk (C:), called “perfc.dat,” and setting it to read only so it cannot be overwritten. If this file already exists on the machine and is read only, the malware should not be able to infect the machine or propagate. Leveraging tools like Group Policy (as suggested by researchers at Binary Defense) is a way to automate this “vaccination.”

Figure 2. Reversed malware code that checks for the vaccine file (the Petya “killswitch”)
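The following is an added example (not code from the original article or from Binary Defense) showing how a defender could check for, and apply, the vaccine described above in a scriptable way. It uses the file name the text gives, “perfc.dat”; the directory is passed in by the caller, because the exact location should be taken from the referenced research rather than assumed here. The check treats a file with no write permission bits as read only, which is how Python reports the Windows read-only attribute as well as a POSIX 0444 mode.

```python
import os
import shutil
import stat
import tempfile

# File name the article associates with the vaccine. The directory is a
# parameter: the text only says the file lives on the C: drive.
VACCINE_NAMES = ("perfc.dat",)


def vaccine_status(directory, names=VACCINE_NAMES):
    """Return {name: "ok" | "missing" | "writable"} for each vaccine file.

    "ok" means the file exists and no write bit is set. On Windows, a file with
    the read-only attribute is reported by os.stat with all write bits clear,
    so the same test works on both platforms.
    """
    result = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        writable = mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
        result[name] = "writable" if writable else "ok"
    return result


def apply_vaccine(directory, names=VACCINE_NAMES):
    """Create each vaccine file if absent and mark it read only.

    Existing content is never touched; only the presence of the file and its
    read-only state matter for the behaviour the article describes. Returns
    the post-state from vaccine_status() so callers can verify the result.
    """
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            with open(path, "wb"):
                pass  # a zero-byte file is enough; the malware only checks presence
        # S_IREAD alone clears the write bits (POSIX) / sets read-only (Windows).
        os.chmod(path, stat.S_IREAD)
    return vaccine_status(directory, names)


def demo():
    """Exercise the helpers in a throwaway directory (constructed test data).

    Returns a dict of the states observed at each step so the behaviour can
    be asserted on rather than merely printed.
    """
    workdir = tempfile.mkdtemp(prefix="vaccine-demo-")
    path = os.path.join(workdir, VACCINE_NAMES[0])
    try:
        before = vaccine_status(workdir)           # nothing there yet
        after = apply_vaccine(workdir)             # created and locked
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # simulate the flag being cleared
        tampered = vaccine_status(workdir)         # should report "writable"
        fixed = apply_vaccine(workdir)             # re-applying restores "ok"
        return {"before": before, "after": after, "tampered": tampered, "fixed": fixed}
    finally:
        # Make the file writable again so cleanup also works on Windows.
        if os.path.exists(path):
            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for step, state in demo().items():
        print(f"{step:>9}: {state}")
```

Run as a script it walks through the four states; in a deployment the `apply_vaccine` call would be wrapped in whatever push mechanism (Group Policy startup script, configuration management) the organisation already uses, and `vaccine_status` gives the compliance check to run afterwards.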

The Infection

Systems infected with the ransomware will check for a dropped file named “perfc.dat.” This library contains the instructions that attempt to gain administrative privileges for the currently logged-in user. If the malware achieves administrative privileges through the Windows API AdjustTokenPrivileges, the ransomware will overwrite the Master Boot Record (MBR). Even if the MBR overwrite is unsuccessful, the malware schedules a reboot of the system one hour after initial infection.

The malware then attempts to find other visible machines on the network by using NetServerEnum and scans for an open TCP 139 port. Researchers believe this strain of ransomware uses three methods to distribute itself once a machine is infected: the aforementioned PsExec and WMI, and the EternalBlue and EternalRomance exploits (used in the WannaCry outbreak). These are used to install and execute “perfc.dat” on other devices in an attempt to propagate across the network, according to Talos researchers.

Note: The EternalBlue exploit was patched in MS17-010, and should be applied as soon as possible if it has not been already.
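The propagation behaviours described in this section (rundll32 loading perfc.dat with the “#1” entry point mentioned at the top of the page, PsExec and WMI remote execution, and a sweep of neighbouring hosts on TCP 139) map directly onto Sysmon process-creation (EventID 1) and network-connection (EventID 3) records of the kind the page’s authors collect. The block below is an added example, not code from the article, that runs simple detection rules over a handful of constructed Sysmon-style events; the hosts, paths, addresses and parent process are invented for illustration, and field names follow Sysmon’s schema.

```python
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on Sysmon EventID 1 (process
# creation) and EventID 3 (network connection). None of these values are taken
# from real telemetry.
SAMPLE_EVENTS = [
    # Benign: an ordinary process launch from the desktop shell.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious: rundll32 loading perfc.dat via its "#1" export.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\perfc.dat,#1",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},  # hypothetical parent
    # Suspicious: PsExec pushing the same DLL to a peer (flags are real PsExec options).
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\psexec.exe",
     "CommandLine": r"psexec.exe \\10.0.0.15 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\perfc.dat,#1",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # Suspicious: WMI remote process creation against another peer.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic.exe /node:"10.0.0.16" /user:"CORP\alice" process call create '
                    r'"C:\Windows\System32\rundll32.exe C:\perfc.dat,#1"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # Benign: a browser talking HTTPS to a documentation-range address.
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 2212, "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
# Eight TCP/139 connections from one rundll32 process to eight different peers.
SAMPLE_EVENTS += [
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ProcessId": 4120, "Protocol": "tcp", "DestinationIp": f"10.0.0.{n}", "DestinationPort": 139}
    for n in range(11, 19)
]


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_rundll32_perfc(ev):
    """rundll32 invoking perfc.dat through its ordinal-1 export."""
    return (ev["EventID"] == 1
            and _basename(ev["Image"]) == "rundll32.exe"
            and re.search(r"perfc\.dat\s*,\s*#1\b", ev["CommandLine"], re.IGNORECASE) is not None)


def is_psexec_remote_exec(ev):
    """A PsExec-named binary used to launch rundll32 on another host."""
    return (ev["EventID"] == 1
            and _basename(ev["Image"]).startswith("psexec")
            and "rundll32" in ev["CommandLine"].lower())


def is_wmi_remote_exec(ev):
    """wmic.exe creating a process on a remote node."""
    cmd = ev["CommandLine"].lower()
    return (ev["EventID"] == 1
            and _basename(ev["Image"]) == "wmic.exe"
            and "/node:" in cmd and "process call create" in cmd)


def find_port139_scanners(events, threshold=5):
    """Return {(host, image, pid): [peers]} for processes that connected to at
    least `threshold` distinct peers on TCP 139, the sweep described above."""
    peers = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 3 and ev.get("Protocol") == "tcp" and ev.get("DestinationPort") == 139:
            peers[(ev["Computer"], ev["Image"], ev["ProcessId"])].add(ev["DestinationIp"])
    return {key: sorted(ips) for key, ips in peers.items() if len(ips) >= threshold}


def detect(events, scan_threshold=5):
    """Apply all rules and return a list of alert dicts (rule, computer, evidence)."""
    rules = (("petya_dll_via_rundll32", is_rundll32_perfc),
             ("psexec_remote_exec", is_psexec_remote_exec),
             ("wmi_remote_exec", is_wmi_remote_exec))
    alerts = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        for name, check in rules:
            if check(ev):
                alerts.append({"rule": name, "computer": ev["Computer"], "evidence": ev["CommandLine"]})
    for (host, image, pid), targets in find_port139_scanners(events, scan_threshold).items():
        alerts.append({"rule": "tcp139_sweep", "computer": host,
                       "evidence": f"{image} (pid {pid}) reached {len(targets)} peers on TCP 139"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['computer']}: {alert['evidence']}")
```

The rules are deliberately narrow so they can be read against the text: each one keys on a behaviour the section names, and the sweep rule needs a fan-out threshold rather than a single connection, because one TCP/139 connection from a workstation is normal file-sharing traffic. In an Elastic Stack deployment such as the one described at the top of the page the same logic would be expressed as saved searches over the Sysmon index, with the threshold rule implemented as a cardinality aggregation on DestinationIp.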

Observed Industries Affected

  • Airports
  • Banks
  • Electricity grids
  • Factories (mining and steel)
  • Government
  • Harbor terminals
  • Hospitals
  • Insurance companies
  • Metro transportation
  • Military
  • Pharmaceutical
  • Russian steel

Observed Countries Affected, Among Others (Approximately 64 Countries)

  • Belgium
  • Brazil
  • Denmark
  • France
  • Germany
  • India
  • Russia
  • Spain
  • The Netherlands
  • Ukraine
  • United Kingdom
  • United States

Source: Honeypot Tech

Ukraine hit hard as Petya Ransomware Variant Spreads around the world

We will be updating this page with additional information. Please check back for the latest.

While initial reports have only centred on Ukraine being hit by a new strain of ransomware known as Petya, this is a global attack. Just like WannaCry, this might be leveraging EternalBlue, which attacks SMB file-sharing services, locking organisations out of their networks and demanding a fee to decrypt files. Bitcoin payments are currently already at $2,000+. But it’s essential that victims understand that payment may not actually allow them to access their data, and may just fund hackers to commit further crimes.

The exact measures organisations can implement to mitigate risk depend on the kind of system being protected, but there are fundamental actions such as backing up data in the cloud and on an external hard drive, updating systems and patching vulnerabilities, and ensuring everyone is watching where they click. Collaboration across organisations and individuals is also a highly effective method of prevention and mitigation: sharing experience or research on various types of ransomware helps to dilute their effectiveness.

Source: Honeypot Tech