Wednesday, February 10, 2016

AS57389 ZNET-Mikronet Kft

OK... let's follow the bouncing ball again:

1. A Microsoft Word doc is being propagated this morning that uses a naming convention along the lines of "ReportforInvoicexxx.doc".  We strongly recommend you block this file from being downloaded, as it contains a malicious macro that modifies 24 files, 2 processes and 417 registry entries.  Forcepoint File Sandbox Report here.

2. As is typically the case, the Anti-Virus Vendors are slow in responding as only 5 of 54 companies are accurately detecting the file as malware:


3. So... what does the malware do besides the aforementioned modifications?  As shown below, it makes an outbound HTTP call to download an additional file:


4. What happens when the 65fg67n file is downloaded?  Per this Forcepoint File Sandbox Report, the malware author downloads updates from Microsoft (how nice of them to patch our boxes) and additionally phones home to the botnet via TCP port 843 to a server in Hungary (AS57389).  Hence the title of our post.

In summary, if you see outbound connections to 87.229.86.20 on your firewall... you have problems.  Call ESPO Systems for a free consultation in regards to IT Controls across the entire Kill Chain.
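As an added example (not part of the original post), here is a small Python script that does the firewall check described above: it reads key=value firewall log lines, keeps only outbound flows (internal source, external destination), and flags anything going to 87.229.86.20 or to TCP port 843. The log format, the internal address ranges and the sample lines are constructed for illustration; only the destination IP, the port and the AS number come from the post.

```python
"""Flag outbound firewall log entries matching the indicators in this post.

Constructed example: the space-separated key=value log format, the internal
network list and the sample lines are made up for illustration. Only the
destination 87.229.86.20 and TCP port 843 are taken from the post.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicators taken from the post (the server sits in AS57389).
C2_HOSTS = {"87.229.86.20"}
C2_PORTS = {843}

# Assumed internal ranges; adjust to your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# One key=value token; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse a key=value log line into a dict (constructed format)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches (empty list if clean)."""
    reasons: List[str] = []
    src, dst = event.get("src", ""), event.get("dst", "")
    # Only outbound traffic matters here: internal source, external destination.
    if not (is_internal(src) and not is_internal(dst)):
        return reasons
    if dst in C2_HOSTS:
        reasons.append("known-c2-host")
    try:
        dport = int(event.get("dport", "-1"))
    except ValueError:
        dport = -1
    if event.get("proto", "").lower() == "tcp" and dport in C2_PORTS:
        reasons.append("c2-port-843")
    return reasons


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per matching line with the match reasons attached."""
    hits = []
    for line in lines:
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            hits.append({**event, "reasons": ",".join(reasons)})
    return hits


# Constructed sample log lines (not from the post).
SAMPLE_LOG = [
    "ts=2016-02-10T09:12:01Z action=allow proto=tcp src=10.0.5.23 sport=51234 dst=87.229.86.20 dport=843",
    "ts=2016-02-10T09:12:03Z action=allow proto=tcp src=10.0.5.23 sport=51240 dst=13.107.4.50 dport=80",
    "ts=2016-02-10T09:13:44Z action=allow proto=tcp src=10.0.7.9 sport=49811 dst=203.0.113.7 dport=843",
    "ts=2016-02-10T09:14:10Z action=deny proto=tcp src=198.51.100.4 sport=40000 dst=10.0.5.23 dport=445",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]} [{hit["reasons"]}]')
```

The port-only rule (`c2-port-843`) is deliberately broader than the single IP: it will catch a second host in the same infrastructure that the post does not list, at the cost of occasional false positives, so treat those hits as leads to investigate rather than confirmed infections. Matching on the AS number itself would need an IP-to-ASN lookup, which this example does not include.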
