Emerging Threat on VALYRIA

Product / Version includes:

Trend Micro Email SecurityAll , Interscan Web Security Virtual ApplianceAll , Deep SecurityAll , Worry-Free Business Security StandardAll , Interscan Messaging Security Virtual ApplianceAll , ScanMail for ExchangeAll , Worry-Free Business Security AdvancedAll

Last updated: 2021/10/10

Solution ID: KA-0007626

Category: SPEC

Summary

TROJ_VALYRIA is a password protected Microsoft document file containing malicious scripts embedded in its document body (detected as VBS_NEMUCOD). NEMUCOD, a script malware known through its highly obfuscated “download and execution” script, is now evolving from JavaScript to a Visual Basic Script malware.

As a Payload, TSPY_URSNIF is downloaded by VBS_NEMUCOD, stealing users’ information and then attempting to send and receive information from a certain host URL.

Click image to enlarge

Anti-Spam Pattern

Layer	Detection	Pattern Version	Release Date
INFECTION	VBS_VALYRIA.A	13.413.00	5/18/2017 14:07
INFECTION	VBS_VALYRIA.B	13.413.00
INFECTION	VBS_VALYRIA.C	13.413.00
INFECTION	VBS_VALYRIA.D	13.413.00
INFECTION	VBS_VALYRIA.E	13.413.00
INFECTION	VBS_VALYRIA.F	13.413.00
INFECTION	VBS_VALYRIA.G	13.413.00
INFECTION	VBS_VALYRIA.H	13.413.00
INFECTION	VBS_VALYRIA.I	13.413.00
INFECTION	TROJ_VALYRIA.GAS	13.413.00
INFECTION	TROJ_VALYRIA.GGA	13.413.00
INFECTION	TROJ_VALYRIA.LNKA	13.413.00
INFECTION	TROJ_VALYRIA.DOC	13.413.00
INFECTION	TROJ_VALYRIA.DOCA	13.413.00
INFECTION	TROJ_VALYRIA.DOCB	13.413.00
INFECTION	TROJ_VALYRIA.DOCC	13.413.00
INFECTION	TROJ_VALYRIA.DOCD	13.413.00
INFECTION	TROJ_VALYRIA.DOCE	13.413.00
INFECTION	TROJ_VALYRIA.DOCF	13.413.00
INFECTION	TROJ_VALYRIA.DOCG	13.413.00
INFECTION	TROJ_VALYRIA.DOCH	13.413.00
INFECTION	TROJ_VALYRIA.DOCI	13.413.00
INFECTION	TROJ_VALYRIA.DOCJ	13.413.00
INFECTION	TROJ_VALYRIA.DOCK	13.413.00
INFECTION	TROJ_VALYRIA.DOCL	13.413.00
INFECTION	TROJ_VALYRIA.DOCN	13.413.00
INFECTION	TROJ_VALYRIA.DOCQ	13.413.00
INFECTION	TROJ_VALYRIA.DP	13.413.00
INFECTION	TROJ_VALYRIA.GQA	13.413.00
INFECTION	TROJ_VALYRIA.FQA	13.413.00
INFECTION	TROJ_VALYRIA.AQX	13.413.00
INFECTION	TROJ_VALYRIA.AUSQO	13.413.00
INFECTION	TROJ_VALYRIA.AUSQP	13.413.00
INFECTION	TROJ_VALYRIA.AUSQQ	13.413.00
INFECTION	TROJ_VALYRIA.AUSQR	13.413.00
INFECTION	TROJ_VALYRIA.AUSQS	13.413.00
INFECTION	TROJ_VALYRIA.AUSQT	13.413.00
INFECTION	TROJ_VALYRIA.AUSQU	13.413.00
INFECTION	TROJ_VALYRIA.AUSQV	13.413.00
INFECTION	TROJ_VALYRIA.AUSQW	13.413.00
INFECTION	TROJ_VALYRIA.AUSQX	13.413.00
INFECTION	TROJ_VALYRIA.AUSQY	13.413.00
INFECTION	TROJ_VALYRIA.AUSQZ	13.413.00
INFECTION	TROJ_VALYRIA.AUSRA	13.413.00
INFECTION	TROJ_VALYRIA.AUSRB	13.413.00
INFECTION	TSPY_URSNIF.GQA	13.417.00	5/20/2017 11:38

Web Reputation (Malicious URL’s and Classification)

Layer	URL	Rating	Release Date
EXPOSURE	{blocked}185.189.14.193/odg.jd	Malware Accomplice	3/20/2017
EXPOSURE	hxxp://{blocked}91.210.166.142/skdata.sql	Malware Accomplice	5/18/2017
EXPOSURE	hxxp://{blocked}91.210.166.142/skdata.sql	Malware Accomplice	5/18/2017
EXPOSURE	hxxp://urbansoft{blocked}.cc/sql.db	Malware Accomplice	5/11/2017
EXPOSURE	hxxp://{blocked}185.188.183.206/report.prt	Disease Vector	4/21/2017
EXPOSURE	hxxp://aura-proprete{blocked}.fr/sck.txt	Disease Vector	4/25/2017
EXPOSURE	hxxp://{blocked}185.195.25.79/5324.csv	Malware Accomplice	5/18/2017
EXPOSURE	hxxp://coloctionneur{blocked}.fr/license.csv	Malware Accomplice	5/18/2017
EXPOSURE	hxxp://{blocked}91.210.164.3/22.dob	Malware Accomplice	5/18/2017
EXPOSURE	hxxp://{blocked}185.188.183.235/img.jpt	Malware Accomplice	4/13/2017
EXPOSURE	hxxp://legadodevelopmentgroup{blocked}.com/tmp.pkg	Malware Accomplice	5/5/2017

Web Reputation (Malicious URL’s and Classification)

Layer	Detection	Pattern Version	Release Date
AEGIS	4914T	OPR 1671	6/14/2017

Make sure to always use the latest pattern available to detect the old and new variants of VALYRIA.

Solution Map - What should customers do?

Major Products	Versions	Virus Pattern	Behavior Monitoring	Web Reputation	DCT Pattern	Antispam Pattern	Network Pattern
OfficeScan	11 SP1 above	Update Pattern via web console	Update Pattern via Web console	Enable Web Reputation Service*	Update Pattern via web console	Not Applicable	Update Pattern via web console
Worry-Free Business Suite	Standard					Not Applicable	Not Applicable
	Advanced/MSA					Update Pattern via web console
	Hosted					Update Pattern via web console
Deep Security	8.0 and above		Not Applicable		Update Pattern via web console	Not Applicable	Update Pattern via web console
ScanMail	SMEX 10 and later				Not Applicable	Update Pattern via Web console	Not Applicable
ScanMail	SMD 5 and later
InterScan Messaging	IMSVA 8.0 and above
InterScan Web	IWSVA 6.0 and later
Deep Discovery	DDI 3.0 and later					Not Applicable	Update Pattern via web console

* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Threat Report

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Emerging Threat on VALYRIA

Solution Map - What should customers do?

Recommendations

Threat Report

Emerging Threat on VALYRIA

Product / Version includes:

Summary

Anti-Spam Pattern

Web Reputation (Malicious URL’s and Classification)

Web Reputation (Malicious URL’s and Classification)

Solution Map - What should customers do?

Recommendations

Threat Report