Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between June 29 and July 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis.
For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threats highlighted in this roundup are:
Separ is spyware that has been delivered via several different spam campaigns. The malware establishes persistence to survive system reboots, and it’s able to collect sensitive information by capturing login attempts via a web browser. It disables the Windows firewall if present, propagates and invokes scripts during runtime, and relies on FTP to upload any collected data.
Daqc is a trojan that collects sensitive information from the infected host and exfiltrates pieces of the collected data over time to a command and control (C2) server. It drops several database files and locks files to properly manage the data it has collected or is queued to collect at a future time.
Tspy is a trojan with several functionalities. It establishes system persistence to survive reboots. It also contacts domains related to remote access trojans (RATs) but are also known to be hosting C2 servers that send additional commands to the malware. The samples are often packed and contain anti-debug features intended to delay manual analysis.
Fareit is a trojan with a significant history associated with malware distribution. It is mainly an information-stealer and malware downloader network that installs other malware on infected machines.
Razy is oftentimes a generic detection name for a Windows trojan. Although more recent cases have found it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk, these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and sends it to a C2 server.
Zusy is a trojan that uses Man-in-the-Middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe”. When the user access a banking website, it displays a form to trick the user into submitting personal information.