Crystal Finance Millennium (CFM) Security Incident Information

Product / Version includes:

OfficeScan11.0 , Deep Discovery InspectorAll

Last updated: 2021/08/28

Solution ID: KA-0007804

Category: Remove a Malware / Virus

Summary

A Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware, which could be part of an attack in a larger scale. This caused the firm to take down their own website to prevent further spreading of damage.

Infection Chain

Attacker sends phishing email containing Zip files with JavaScript Files.
The JavaScript files will download load.exe from CFM's compromised web server.
- URL: http[:]//cfm.com[.]ua/awstats/load.exe
- IP Address: 194.28.172[.]73
Once load.exe triggers, it creates a copy of itself and downloads additional executable files. Below are the Indicators-of-Compromise (IOCs):
- http[:]//finishirenemoflexvathard[.]com/filesok/443.exe
- finishirenemoflexvathard[.]com
- 47.88.52.220
- 46.20.33.219
- C:\Users\%имя пользователя%\AppData\Roaming\Microsoft\fbufwrbe\siaeesws.exe
- C:\Users\%имя пользователя%\AppData\Roaming\Microsoft\fbufwrbe\fbufwrbe
- C:\Users\%имяпользователя%\AppData\Roaming\Microsoft\Windows\dllcache\logagent.exeC:\Users\%имя пользователя%\AppData\Roaming\Microsoft\Windows\dllcache\RCX4012.tmp
- C:\Users\%имяпользователя%\AppData\Roaming\Microsoft\Windows\dllcache\RCX4497.tmp
- C:\Users\%имя пользователя%\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\logagent.lnk
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jack1024 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\logagent
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\logagent
According to an ISSP report, load.exe along with the additional downloaded files were designed to attack various banking client`s applications.

Trend Micro Solutions

Trend Micro offers various solutions to prevent the spread of the infection. Click below for information on the detections:

Detections

HASH	VSAPI	TrendX
ed040d225ee354e6f86dc602698731a0e6e41994f0385ab8b12032a64551acf1	BKDR_TRICKBOT.SM	TROJ.Win32.TRX.XXPE002FF018
da4e2287b1f05578aef96f8726abfb1b306721e1fc24a37b2fcda8a07f948685	Mal_SageCrypt-1h	-
0885905c9997f003dfac42232a2f4b38b7f6a8773bdd6cdbc6386b28d1357109	TROJ_SHARIK.MVP	Cryp.Win32.TRX.XXPE002FF018
728789ca0a19ee54a86cb355bf75ea5ae8dd35d5e484dd2c44ce5134f4ae3926 (JS File)	JS_DLOADR.AUSUCK	-
71106a58801928a4dcc7322e6cbb33740017b4396c2664e5eeb7a4e245bfe4a7	TSPY_EMOTET.SML3	TROJ.Win32.TRX.XXPE002FF018
47e875297863768c8f763576900a6ee493728a787fe46a8a1f6dcd942c5e31f8	BKDR_TRICKBOT.SM	TROJ.Win32.TRX.XXPE002FF018
31ae18bc578f66569cce8cbba64ecb849e058e73e66a5bc52f7b2b4ae2a2fdac	TROJ_SHARIK.MVP	Ransom.Win32.TRX.XXPE002FF017
6dd932f82339c6bc1b9dda85f2a385ec931526dc06d3f85f5eac368f56b90662	BKDR_TRICKBOT.SM	Ransom.Win32.TRX.XXPE002FF018
05A51D915F316FDBED4635B3FD4126E2D1BC99771FEFA0D91F39804E54B90A26 (copy)	Possible_SageCrypt-1c	-
4CED511A7AEDFA4FEFE0EFB5647ABF5F2E5628453CAB0E19CC07EEC2C83A6B5D (load.exe)	TSPY_ZBOT.XNI	TROJ.Win32.TRX.XXPE002FF018

Web Reputation Service (WRS)

URL	Classification
http[:]//cfm.com[.]ua/awstats/load.exe	Disease Vector
http[:]//nolovenolivethiiswarinworld[.]com/ico/load.exe	Disease Vector
http[:]//crystalmind[.]ru/versionmaster/nova/load.exe	Disease Vector
contsernmayakinternacional[.]ru	Disease Vector
soyuzinformaciiimexanikiops[.]com	Disease Vector
kantslerinborisinafrolova[.]ru	Disease Vector

Prevention and Monitoring

Different Trend Micro products are capable of preventing the security incidents, as well as monitor them. For more information about these features, click the product that you are using below:

EXPAND ALL

OfficeScan (OSCE)

Below is the list of OSCE features that can monitor and prevent the threats:

Real-time Scan for Virus/Malware
Predictive Machine Learning
Behavior Monitoring
Enable Newly Encountered Program Settings - Monitor newly encountered programs downloaded through HTTP or email applications
Suspicious File
Enable Suspicious File List under Suspicious Object List Settings

Deep Discovery Inspector (DDI)

Below is the list of DDI features that can monitor threat activity:

ZEUS - HTTP (Response) - TSPY_ZBOT.XNI
Dangerous URL in Web Reputation Services database - HTTP (Request)
File with malware-related file name- HTTP (Request)

Blogs and Security News

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Crystal Finance Millennium (CFM) Security Incident Information

Trend Micro Solutions

Detections

Web Reputation Service (WRS)

Prevention and Monitoring

OfficeScan (OSCE)

Deep Discovery Inspector (DDI)

Blogs and Security News

Crystal Finance Millennium (CFM) Security Incident Information

Product / Version includes:

Summary

Infection Chain

Trend Micro Solutions

Detections

Web Reputation Service (WRS)

Prevention and Monitoring

OfficeScan (OSCE)

Deep Discovery Inspector (DDI)

Blogs and Security News