Live Ransomware samples Subject, Sender August/July 2016 Switzerland

An overview what Swiss hospitals get in these days?

If you still don't get it and understand how critical this point is:

  • Budget is NOT the limit to use an attachment Analyze sandbox or not.
  • Modern version of Cerber SPREAD through Share Credentials from Microsoft Windows and jump to all clients. A customer with 13'000 clients was infected in Asia in a few hours.
  • If you are above 100+ employees or if you think your business is important BUY a Sandbox for Mail Analyze and use Mcafee TIE/ATD for Files.
  • If you are too small > No solution. Do not accept attachment anymore! The step to take all Mail Flow and Exchange to the cloud will not help you! Spend massive money in security or take the risk that you close your business once because of Ransomware

http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/ (June 2016)

Updated: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.

Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers on Avanan's platform received at least one phishing attempt that contained the infected attachment and Avanan extrapolated that the same number of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/200216-Ransomware-Locky-Trojan-Germany-high-infection-rates.aspx

https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html

 

The malware was sent from THOSE company's listed. The sender address where spoofed/Forged.

Date

Time

Client

Message

From

27.07.2016

04:44:34

mx2.ait.ac.at [62.218.164.132]

The file Alphabet Incorporation.docx is infected with MSWord/Phishing.C97F!phish.

anja.koengeter@ait.ac.at

16.08.2016

13:44:58

[62.152.169.139]

The file dhl_bestellung.docx is infected with JS/Nemucod.AAP!tr.dldr.

buro@dhl.com

20.07.2016

13:40:36

mo4-p03-ob.smtp.rzone.de [81.169.146.172]

The file Paketnummer0221036778.zip is infected with JS/Ransom.AP!tr.

c.zaehringer@microtracer.de

16.08.2016

13:31:43

fysiohoevensevld.demon.nl [80.100.200.39]

The file dhl_rechnung.docx is infected with JS/Nemucod.AAP!tr.dldr.

donotreply@dhl.com

18.07.2016

17:34:31

host-212-68-196-182.dynamic.voo.be [212.68.196.182]

The file coop.ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

17:30:10

mail.grosvenor-carpets.co.uk [91.135.7.205]

The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

17:20:25

91.98.235.122.pol.ir [91.98.235.122]

The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

17:09:24

gw.paph.co.uk [82.33.219.82]

The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

17:07:35

[82.79.49.226]

The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

17:01:47

gw.paph.co.uk [82.33.219.82]

The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

16:54:46

gw.paph.co.uk [82.33.219.82]

The file coop_quitung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

16:52:15

[82.78.203.146]

The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

16:39:59

82-76-211-44.rdsnet.ro [82.76.211.44]

The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

16:39:40

gw.paph.co.uk [82.33.219.82]

The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

16:07:52

82-76-211-44.rdsnet.ro [82.76.211.44]

The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

14:45:18

host-48-166-108-91.as10.ldn.uk.sharedband.net [91.108.166.48]

The file coop.ch_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

14:29:21

host-212-68-196-182.dynamic.voo.be [212.68.196.182]

The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

13:49:33

91-189-60-54.riz.pl [91.189.60.54]

The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

13:36:58

static.imatel.es [91.200.117.76]

The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

18.07.2016

13:13:35

91-189-60-54.riz.pl [91.189.60.54]

The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

info@coop.ch

15.08.2016

15:41:43

static-84-42-159-115.net.upcbroadband.cz [84.42.159.115]

The file bestellung_15_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@credit-suisse.com

15.08.2016

15:18:33

[193.85.159.72]

The file rechnung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@credit-suisse.com

15.08.2016

13:19:41

148.63.249.5.rev.vodafone.pt [5.249.63.148]

The file bestellung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@credit-suisse.com

15.08.2016

13:12:11

148.63.249.5.rev.vodafone.pt [5.249.63.148]

The file zahlung_15.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@credit-suisse.com

16.08.2016

12:12:37

fysiohoevensevld.demon.nl [80.100.200.39]

The file Zahlung_DHL.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@dhl.com

24.08.2016

06:39:32

ncr-100-66.primenet.in [203.115.100.66]

The file PRIVATE CASH.zip is infected with W32/Inject.ABHZO!tr.

info@infobitsystem.com

09.08.2016

17:23:43

88.250.40.151.static.ttnet.com.tr [88.250.40.151]

The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0.

info@post.ch

09.08.2016

17:04:24

[88.208.35.108]

The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0.

info@post.ch

09.08.2016

16:57:18

[86.34.227.40]

The file quittung_09.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@post.ch

09.08.2016

16:36:59

80.179.6.66.static.012.net.il [80.179.6.66]

The file zahlung_09.08.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@post.ch

09.08.2016

14:51:07

llamentin-656-2-209.w81-248.abo.wanadoo.fr [81.248.1.209]

The file zahlung.docx is infected with JS/Nemucod.AAP!tr.dldr.

info@post.ch

09.08.2016

16:08:59

comox.a-enterprise.ch [62.12.150.213]

The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr.

m12e@bluewin.ch

09.08.2016

15:46:01

zhhdzmsp-smtp14.bluewin.ch [195.186.136.32]

The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr.

migrol.stans@bluewin.ch

19.07.2016

14:45:56

[189.126.194.34]

The file migros_rechnung.doc is infected with WM/Agent.DWX!tr.

no-reply@migros.ch

19.07.2016

14:39:17

fysiohoevensevld.demon.nl [80.100.200.39]

The file migros_zahlung.doc is infected with WM/Agent.DWX!tr.

no-reply@migros.ch

19.07.2016

14:37:47

[181.49.220.34]

The file migros_quittung.doc is infected with WM/Agent.DWX!tr.

no-reply@migros.ch

19.07.2016

14:25:22

[181.49.220.34]

The file migros_quittung.doc is infected with WM/Agent.DWX!tr.

no-reply@migros.ch

19.07.2016

13:47:29

[181.49.220.34]

The file migros_bestellung.doc is infected with WM/Agent.DWX!tr.

no-reply@migros.ch

20.07.2016

17:30:54

mail.ofekltd.co.il [81.218.132.237]

The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

noreply@paypal.com

20.07.2016

16:23:30

mail.ofekltd.co.il [81.218.132.237]

The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

noreply@paypal.com

28.07.2016

15:58:43

ms1.webland.ch [92.43.217.101]

The file copier@asa-spitaeler.ch_20160720076718.docm is infected with WM/Agent.BJC!tr.dldr.

no-reply=23=copier@asa-spitaeler.ch

16.08.2016

15:38:36

fysiohoevensevld.demon.nl [80.100.200.39]

The file dhl_packet_16.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr.

paket@dhl.com

16.08.2016

13:14:02

[62.152.169.139]

The file dhl_packet_16_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr.

reply@dhl.com

27.07.2016

14:00:52

expertno-analit-zentr.ch.govorit.ru [89.221.61.75]

The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@paypal.ch

27.07.2016

13:53:50

expertno-analit-zentr.ch.govorit.ru [89.221.61.75]

The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@paypal.ch

20.07.2016

16:12:32

host81-137-222-56.in-addr.btopenworld.com [81.137.222.56]

The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@paypal.com

20.07.2016

15:54:40

cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77]

The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@paypal.com

20.07.2016

15:20:16

cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77]

The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@paypal.com

20.07.2016

14:41:39

lmontsouris-657-1-208-29.w80-11.abo.wanadoo.fr [80.11.48.29]

The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@paypal.com

21.07.2016

16:38:27

166.109.94.80.dynamic.monaco.mc [80.94.109.166]

The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

16:04:30

166.109.94.80.dynamic.monaco.mc [80.94.109.166]

The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

16:01:00

82-137-118-134.ip.btc-net.bg [82.137.118.134]

The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

15:58:54

host81-133-60-254.in-addr.btopenworld.com [81.133.60.254]

The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

15:34:28

82-137-118-134.ip.btc-net.bg [82.137.118.134]

The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

15:08:05

166.109.94.80.dynamic.monaco.mc [80.94.109.166]

The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

14:13:25

166.109.94.80.dynamic.monaco.mc [80.94.109.166]

The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

13:28:41

mail.aretilaw.com [81.4.136.98]

The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

13:16:01

mail.aretilaw.com [81.4.136.98]

The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

13:04:58

166.109.94.80.dynamic.monaco.mc [80.94.109.166]

The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

21.07.2016

13:00:48

host81-133-60-254.in-addr.btopenworld.com [81.133.60.254]

The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr.

service@zurich.com

26.07.2016

11:36:01

lputeaux-657-1-16-200.w90-63.abo.wanadoo.fr [90.63.199.200]

The file viagogo.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr.

ticketalerts@info.viagogo.com

20.07.2016

13:17:02

[81.28.170.24]

The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr.

zoo@zoo.ch

20.07.2016

12:54:45

[81.28.170.24]

The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr.

zoo@zoo.ch

Ransomware: High rate dropbox attack Switzerland 24-25.08.2016 to Healthcare

MalwareFortiguard: JS/Nemucod.ARH!tr

We have seen a high rate of 50-100 Attachments per customer with correct E-Mail address with Ransomware sent out from:

no-reply@dropbox.com

Fortiguard and Mcafee did find it around 12:30 to clock 24.08.2016 BUT not before.

The URL's which were listed in the E-Mail content where listed at that time. The E-Mail contains a Link

From a Commerzbank hosted on a Dropbox account.

Second wave contains an attachment rechnung.zip

 

Raw Log from Fortimail

2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com [207.182.129.243]","192.168.1.5",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"    

2855,"2016-08-24","12:35:31","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAZU4S021464-u7OAZU4U021464","133-53-143-63.static.reverse.lstn.net [63.143.53.133]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021465",,"statistics"    

"2856,""2016-08-24"",""12:34:24"",""FortiGuard AntiSpam-IP"",""Reject"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?RGVubmlzIExlbmcgaGF0IGRpZSBTYW1tbHVu?=    =?windows-1251?B?ZyCEUmVjaG51bmcuemlwkyBmdXIgU2llIGZy?=    =?windows-1251?B?ZWlnZWdlYmVuLg==?="",""u7OAYNrr021457-u7OAYNrt021457"",""6-219-63-74.static.reverse.lstn.net [74.63.219.6]"",""192.168.1.5"",6997,""in"",""mta"",""0:3:3"",""butsch.ch"",,""FORGED"",""0200021458"",,""statistics"""    

2857,"2016-08-24","12:34:09","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAY8wv021455-u7OAY8wx021455","131-53-143-63.static.reverse.lstn.net [63.143.53.131]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021456",,"statistics"    

"2859,""2016-08-24"",""12:33:14"",""Not Spam"",""Accept"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?=    =?windows-1251?B?dW5nIIRSZWNobnVuZy56aXCTIGZ1ciBTaWUg?=    =?windows-1251?B?ZnJlaWdlZ2ViZW4u?="",""u7OAXC7Y021443-u7OAXC7c021443"",""f5.81.b6.static.xlhost.com [207.182.129.245]"",""192.168.1.5"",7035,""in"",""mta"",""0:3:3"",""butsch.ch"",,""OK"",""0200021444"",,""statistics"""    

Mcafee/TIE: Definition 424 solves c:\Windows\assembly false/Positive detection

http://www.mcafee.com/us/resources/release-notes/threat-intelligence-exchange/tie-03-14-2016.pdf

https://community.mcafee.com/thread/88126

https://community.mcafee.com/thread/88837

 

The problem with the c:\Windows\assembly\Nativeimages seemed to be solved by update 424. These are Framework

Files Executables which are compiled in real time first usage. We have only seen that as example on Exchange CAS Servers before.

They time the first user logs onto OWA after an MSP Patch has that delay once. We had up to 6'000 Files per W7 client before that patch new

During March 2016 Patchday.

 

   

Rule 139 - Identify trusted DOT Net assemblies

 

Description:

 

This rule detects files that have CLR code (DOT Net) and have been installed into the global

Assembly cache folders. The files are present on multiple machines within the enterprise,

Indicating they are not just-in-time compiled assemblies.

 

Default State: Mandatory

 

Changes in this release

Changed how age and prevalence are handled in DOT Net validation algorithm 

   

 

Also there is a heavy update for Ransomware detection.

Rule 240 - Identify suspicious files with characteristics that have been predominantly seen in

Ransomware

 

Description:

 

Identify suspicious files with characteristics that have been predominantly seen in

ransomware, are in uncommonly used locations and less than 7 days old

 

Default State: Evaluate

Mcafee Endpoint 10 / VSE 10 Preview points

 

Some points for upcoming Mcafee VSE 10. You can run TIE/GTI integration today with VSE8.8 and Framework 5.X.

Check out some related links:

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

Ransomware Schweiz: Mcafee TIE Threat Intelligence Exchange im Einsatz

Ransomware Schweiz, Switzerland, Suisse. Lösungen/Solutions.

Intelligente "Black/White-Listing" Technologie z.B. Mcafee TIE ist die derzeit einzige Lösung nebst ATD-Sandboxen um Ransomware/Epressungstrojaner in den Griff zu bekommen. (http://www.mcafee.com/de/products/threat-intelligence-exchange.aspx). Alles andere ist ein Gebastel und man rennt nur den Problemen nach statt diese zu lösen.

 

 

Proof of Concept soll zeigen wie Mcafee TIE unbekannte Dateien erkennt und soll zeigen, dass Directory welche wir im Virenschutz Modul VSE 8.X ausschliessen nicht vom TIE tangiert sind. Diese Ausnahmen gelten AUCH fuer TIE-Modul.

Proof of concept mit Test Datei welche wir anpassen

 

Wir nehmen ein EXEcutable z.B. Superscan.exe und Machen dies auf um es anzupassen.

 

Wir passen einige unrelevante Sachen mit eine HEX Editor im EXE an und speichern dies unter neuen Namen TIE_superscan.exe (HEX Editor z.B. http://hxd-hex-editor.soft32.com). Einfach die TEXT Partie "not be rund in DOS" anpassen.

 

Die Software superscan.exe ist im Mcafee TIE nicht vorhanden (Obwohl Foundstone von Mcafee/Intel gekauft wurde ;-). Ca. 75-80% Aller Binaries sind aber in der GTI/TIE Datenbank vorhanden. (Durchschnitt Windows 7 64BIT client mit ca. 80 Applikationen Schweiz).

 

Test client virtuel exclusions VSE (Normaler Virenschutz)

Der Folder c:\Geheim_geheim ist exlcuded da sonst z.B. Internet Explorer IEAK9/11 Setups aber auch andere Software beim Setup Probleme machen. Aber auch Driver fuer das Installieren des OS selber sind dort vorhanden. Dieser Folder wird nicht gescannt da man dort zu 100% Vertrauenswürdige Files hat. User hat dort keine Schreibrechte.

 

 

Im Mcafee TIE nicht sichtbar da in c:\geheim_geheim

Update Mcafee > Force senden Infos an EPO

 

Kopieren des Files in c:\temp und ausführen

Directory nicht Exlcuded und VSE > Daher TIE auch Scan

 

Alarm auf client und Block des Files beim Öffnen.

 

 

Umgehend auch OHNE Force Framework Agent sichtbar in Mcafee EPO TIE

 

Neue Datei unbekannt und Rating 50 > DAHER geblockt

 

Die anderen Werte welche zur Einstufung der Reputation heran gezogen werden sind noch nicht ermittelt worden. Da es sich um einen Installer handelt wird dies zudem anders gewichtet.

GTI (mcafee P2P/Cloud Datenbank) kennt das File noch nicht:

 

 

 

Anpassen der Reputation

 

Wir passen die Reputation des Files an da wir dieses File kennen und mit dem PLUGIN in TIE fuer VIRUSTOTAL.COM gescannt haben. Dies kann man durch einen Click auf einen Button automatisch machen lassen!

 

Nach dem Anpassen der Reputation von "Unknown" to "File Known Trusted" PLUS zusätzlich einem Rename des EXE (TIE_superscan.exe zu superscan.exe) wird das File ausgeführt. Damit TIE das Binary intelligent einstufen kann muss es längere Zeit und in mehreren Versionen in der Firma sein ODER die TIE/GTI cloud kennt es.

 

 

Anzeige in MCAFEE EPO Konsole (Enforcement Events)

 

Mcafee EPO Konsole, DASHBOARD

 

Weitere Links von uns:

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx