# CCleaner Command and Control Causes Concern

Wednesday, September 20, 2017

This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams.

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

### INTRODUCTION

Talos recently published a technical [analysis of a backdoor which was included with version 5.33](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target. Not all companies identified in the targets .php file were seen communicating with a secondary C2 or had a secondary payload deployed.

Interestingly, the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.
These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

### TECHNICAL DETAILS

### Web Server

The contents of the web directory taken from the C2 server included a series of PHP files responsible for controlling communications with infected systems. The attacker used a symlink to redirect all normal traffic requesting 'index.php' to the 'x.php' file, which contains the malicious PHP script.
In analyzing the contents of the PHP files, we identified that the server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the

The PHP contains references to the required table for information storage within the 'x.php' variables as defined:

Within 'init.php' the $db_table is declared to allow insertion into the required database on the attacker infrastructure. This is 'Server' as defined below.

The web server also contains a second PHP file (init.php) that defines core variables and operations used. Interestingly, this configuration specifies "PRC" as the time zone, which corresponds with People's Republic of China (PRC). It's important to note that this cannot be relied on for attribution. It also specifies the database configuration to use, as well as the filename and directory location to use for the variable $x86DllName.
The following information is gathered from infected systems, which is later used to determine how to handle those hosts. This includes OS version information, architecture information, whether the user has administrative rights, as well as the hostname and domain name associated with the systems.

The system profile information was rather aggressive and included specific information such as a list of software installed on the machine and all current running processes on the machine, with no surprise that 'CCleaner.exe' was a current running process on the victim machine. The system profile information is then stored in the MySQL database.

There is also functionality responsible for loading and executing the Stage 2 payload on systems that meet the predefined requirements, similar to functionality that we identified would be required in our previous analysis of Stage 1.
While there is shellcode associated with both x86 and x64 PE delivery, it appears that only the x86 PE loading functionality is actually utilized by the C2 server.

And below is the shellcode associated with the x64 version of the PE Loader.

The PHP script later compares the system beaconing to the C2 to three values: $DomainList, $IPList, and $HostList. This is to determine if the infected system should be delivered a Stage 2 payload. Below is condensed PHP code that demonstrates this:
The use of domain-based filtering further indicates the targeted nature of this attack. While we have confirmed that the number of systems affected by the backdoor was large based upon beacon information stored within the MySQL database, the attackers were specifically controlling which infected systems were actually delivered a Stage 2 payload. While it was reported that no systems executed a Stage 2 payload, this is not accurate. In analyzing the database table storing information on the systems that were delivered a Stage 2 payload, we identified 20 unique hosts that may have been affected by this payload. The functionality present within Stage 2 is documented in the "Stage 2 Payloads" section of this post.

### MySQL Database

The C2 MySQL database held two tables: one describing all machines that had reported to the server and one describing all machines that received the second-stage download, both of which had entries dated between Sept. 12th and Sept. 16th. Over 700,000 machines reported to the C2 server over this time period, and more than 20 machines have received the second-stage payload. It is important to understand that the target list can be and was changed over the period

During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more.
It's quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign.

The main connection data is stored in the "Server" table. Here is an example of one of Talos' hosts in that database table:

In addition, the compromised machines would share a listing of installed programs.

A process list was also captured.
When combined, this information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetectable and stable on a given system.

A second database table, separate from the 'Server' database table, contained an additional information set that was associated with systems that had actually been delivered the Stage 2 payload. This table contained similar survey information to the 'Server' database table, the structure of which is shown below:

In analyzing this second database table 'OK', we can confirm that after deduplicating entries, 20 systems were successfully delivered the Stage 2 payload. Talos reached out to the companies confirmed affected by this Stage 2 payload to alert them of a possible compromise.
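The following is an added example, not Talos' code or the C2's PHP, showing how an analyst would work through the two recovered tables and the three target lists described above (the $DomainList/$IPList/$HostList checks in the Web Server section, and the 'Server' and 'OK' tables in this section). It loads constructed rows into an in-memory SQLite stand-in for the MySQL dump, applies an assumed form of the three checks, deduplicates 'OK' by hostname as the post did, and runs a 'bank' domain query. Column names and the exact match rules are assumptions, since the post shows the tables only as screenshots.

```python
import sqlite3
from typing import Dict, Iterable, List

# Constructed beacon records standing in for rows of the C2's 'Server' table.
# Column names are assumed; the post shows the table but not its schema.
SERVER_ROWS = [
    # hostname,  domain,             ip,             is_admin, os_version
    ("WKS-0231", "cisco.com",        "203.0.113.10", 1, "6.1"),
    ("DEV-01",   "corp.example.com", "198.51.100.7", 0, "10.0"),
    ("LAB-77",   "",                 "192.0.2.44",   1, "6.3"),
    ("FIN-PC",   "bank.example",     "203.0.113.99", 0, "10.0"),
]
# Constructed rows for the 'OK' table (hosts served Stage 2). The repeated
# row models why the post had to deduplicate before counting 20 hosts.
OK_ROWS = [
    ("WKS-0231", "cisco.com", "203.0.113.10"),
    ("WKS-0231", "cisco.com", "203.0.113.10"),
    ("LAB-77",   "",          "192.0.2.44"),
]


def load_dump() -> sqlite3.Connection:
    """Build an in-memory stand-in for the recovered MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Server (hostname TEXT, domain TEXT, ip TEXT,"
        " is_admin INTEGER, os_version TEXT)"
    )
    conn.execute("CREATE TABLE OK (hostname TEXT, domain TEXT, ip TEXT)")
    conn.executemany("INSERT INTO Server VALUES (?,?,?,?,?)", SERVER_ROWS)
    conn.executemany("INSERT INTO OK VALUES (?,?,?)", OK_ROWS)
    return conn


def matches_target(hostname: str, domain: str, ip: str,
                   domain_list: Iterable[str], ip_list: Iterable[str],
                   host_list: Iterable[str]) -> bool:
    """Assumed form of the C2's three checks: the beacon's domain equals or is
    a subdomain of an entry in $DomainList, or its IP is in $IPList, or its
    hostname is in $HostList. Comparisons are case-insensitive."""
    d = (domain or "").lower()
    for target in (t.lower() for t in domain_list):
        if d == target or d.endswith("." + target):
            return True
    if ip in set(ip_list):
        return True
    return hostname.lower() in {h.lower() for h in host_list}


def targeted_hosts(conn: sqlite3.Connection, domain_list: Iterable[str],
                   ip_list: Iterable[str], host_list: Iterable[str]) -> List[str]:
    """Hostnames in 'Server' that the three lists would have selected for Stage 2."""
    rows = conn.execute("SELECT hostname, domain, ip FROM Server").fetchall()
    return sorted(h for h, d, ip in rows
                  if matches_target(h, d, ip, domain_list, ip_list, host_list))


def stage2_unique_hosts(conn: sqlite3.Connection) -> List[str]:
    """Deduplicate 'OK' by hostname, as the post did to arrive at 20 systems."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT hostname FROM OK ORDER BY hostname")]


def beacons_by_domain(conn: sqlite3.Connection, keyword: str) -> Dict[str, int]:
    """Beacon counts per domain containing a keyword, like the post's 'bank' query."""
    rows = conn.execute(
        "SELECT domain, COUNT(*) FROM Server WHERE domain LIKE ? GROUP BY domain",
        ("%" + keyword + "%",)).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = load_dump()
    print("matched the target lists:", targeted_hosts(db, ["cisco.com"], [], []))
    print("unique Stage 2 recipients:", stage2_unique_hosts(db))
    print("beacons from 'bank' domains:", beacons_by_domain(db, "bank"))
```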
Based on analysis of the 'Server' database table, it is obvious this infrastructure provides attackers access to a variety of different targets. Given the filtering in place on the C2 server, the attackers could add or remove domains at any given time, based upon the environments or organizations they choose to target. To provide additional perspective regarding the types of

The following screenshot shows the number of affected government systems around the world.

Likewise, looking at compromised systems belonging to domains containing the word 'bank'
returns the following results:

This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware, and further highlights the severity and potential impact of this attack.

### Stage 2 Payloads

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA, which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or

Effectively, they patch a legitimate binary to package their malware. Additionally, the setup put an encoded PE in the registry:

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

The purpose of the trojanized binary is to decode and execute this PE in registry.
This PE performs queries to additional C2 servers and executes in-memory PE files. This may complicate detection on some systems since the executable files are never stored directly on the file system.

Within the registry is a lightweight backdoor module which is run by the trojanized files. This backdoor retrieves an IP from data stegged into a github.com or wordpress.com search, from which an additional PE module is downloaded and run. The stage 3 payload also reaches out to "get.adoble.net".

### CODE REUSE

Talos has reviewed [claims from Kaspersky researchers that there is code overlap with malware samples known to be used by Group 72](https://twitter.com/craiu/status/910059453948579840). While this is by no means proof in terms of attribution, we can confirm the overlap and we agree that this is important information to be considered.
On the left: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f (CCBkdr.dll)

On the right: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2 (Missl backdoor - APT17/Group 72)

### CONCLUSION

Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques.

In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks.

### COVERAGE

Additional ways our customers can detect and block this threat are listed below.

[Advanced Malware Protection (AMP)](https://www.cisco.com/c/en/us/products/security/advanced-malware-protection) is ideally suited to prevent the execution of the malware used by these threat actors.

[CWS or WSA web scanning](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) prevents access to malicious websites and detects malware used in these attacks.

[AMP Threat Grid](https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) helps identify malicious binaries and build protection into all Cisco

[Umbrella, our secure internet gateway (SIG),](https://umbrella.cisco.com/) blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

### INDICATORS OF COMPROMISE (IOCS)

Below are indicators of compromise associated with this attack.
Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)

64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)

32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)

DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

### Registry Keys:

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

### Stage 2 Payload (SHA256):

dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
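An added example of how a responder could sweep a host for the Stage 2 artifacts described in the "Stage 2 Payloads" section and listed as indicators above; this is not Talos' or Cisco's tooling. It hashes candidate files against the SHA256 values from this post and, on Windows, enumerates the WbemPerf registry values the setup used to stash the encoded PE. The registry reader is passed in as a function so the check can be exercised off Windows with a stub; the real reader uses the standard winreg module.

```python
import hashlib
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional

# SHA256 values and registry locations copied from the post's IOC section.
STAGE2_HASHES: Dict[str, str] = {
    "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83":
        "GeeSetup_x86.dll (Stage 2 installer)",
    "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f":
        "EFACli64.dll (64-bit trojanized binary)",
    "07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902":
        "TSMSISrv.dll (32-bit trojanized binary)",
    "f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a":
        "DLL stored in the registry",
}
# Key under HKLM; the post lists values 001..004 and HBP beneath it.
WBEMPERF_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\WbemPerf"
WBEMPERF_VALUES = ("001", "002", "003", "004", "HBP")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths: Iterable[Path],
               iocs: Optional[Dict[str, str]] = None) -> Dict[Path, str]:
    """Return {path: description} for every readable file whose SHA256 is an IOC."""
    iocs = STAGE2_HASHES if iocs is None else iocs
    hits: Dict[Path, str] = {}
    for p in paths:
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable or missing file: skip it, do not abort the sweep
        if digest in iocs:
            hits[p] = iocs[digest]
    return hits


def read_hklm_values(key_path: str) -> Dict[str, int]:
    """Windows-only reader: {value_name: data_length} for a key under HKLM.
    Raises OSError if the key is absent and ImportError off Windows. Note that a
    32-bit Python on 64-bit Windows is redirected to the WOW6432Node view."""
    import winreg
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under this key
            values[name] = len(data) if isinstance(data, (bytes, str)) else 0
            index += 1
    return values


def check_wbemperf(reader: Callable[[str], Dict[str, int]] = read_hklm_values) -> List[str]:
    """Which of the 001..004/HBP value names exist under the WbemPerf key.
    An empty list means none were found, the key is absent, or this is not Windows."""
    try:
        present = reader(WBEMPERF_KEY)
    except (OSError, ImportError):
        return []
    return [name for name in WBEMPERF_VALUES if name in present]


if __name__ == "__main__":
    import sys
    candidates = [Path(arg) for arg in sys.argv[1:]]
    for path, what in scan_files(candidates).items():
        print(f"IOC match: {path} -> {what}")
    print("WbemPerf values present:", check_wbemperf())
```

Run it with the paths of suspect DLLs as arguments; a WbemPerf hit is worth checking even when no file hash matches, since the post notes the decoded PE never touches disk.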
Posted by Alexander Chiu at 5:57 PM. Labels: AMP, C2, CCleaner, Malware, Trojan

2 comments:

Unknown, September 26, 2017 at 7:48 AM: worrisome.

Unknown, September 27, 2017 at 3:46 PM: Great job, y'all!