SANS Internet Storm Center, InfoCON: green

Syndicate content SANS Internet Storm Center, InfoCON: green
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Updated: 55 min 35 sec ago

Another Day - Another Ransomware Sample, (Fri, Aug 26th)

Fri, 2016/08/26 - 21:30
Catching ransomware is pretty easy these days. I setup a procmail filter that will extract all e-mails with compressed JavaScript attachments. Whatever is left in the morning after AV decimated the folder I will usually take a quick look at. Today, I got a bunch of e-mails with the subject office equipment" /> This time, the malware doesnt even try to hide. One of the hostnames used by this run is In addition, the samples all use the exact same user agent string, which doesn .NET CLR 3.5.30729) So pretty easy to now pull out the URLs that the malware connect to from bro: zcat http* | bro-cut method host uri user_agent | grep .NET CLR 3.5.30729) | awk {print $1 , $2 , $3} | sort -u GET /upp0nqa
GET /06qbbzy7 -)
POST /data/info.php
GET /4yhgvna
GET /ut1s5
GET /1tdqo6
GET /uk0lo
GET /yhcx6y
POST /data/info.php
POST /data/info.php
POST /data/info.php
POST /data/info.php As so often, /data/info.php may actually also do a pretty good job in detecting these infections. Snort already alerts on the requests to .pw hosts. Indicators of compromise: The IPs and the host names appear to be too ephemeral to be useful as IoCs. I would suggest the /data/info.php URL. I dont see that used a lot in non-malicious requests. ---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts