Summary
BEBLOH is a spyware that monitors a machine and can steal sensitive information and send gathered information to a remote server. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It executes the downloaded files and, as a result, malicious routines of the downloaded files are exhibited on the affected system.
It also gathers information and reports it to its servers.
Click image to enlarge.
Antispam Pattern
| LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
|---|---|---|---|
| EXPOSURE | All related email samples | AS1282 | 1/25/2015 |
VSAPI Pattern (Malicious File Detection)
| LAYER | DETECTION | PATTERN VERSION | Release Date |
|---|---|---|---|
| INFECTION | TSPY_BEBLOH.SMM | OPR 12.409 | 3/17/2016 |
| INFECTION | TSPY_BEBLOH.SMM1 | OPR 12.407 | 3/16/2016 |
| INFECTION | TSPY_BEBLOH.SMM2 | OPR 12.407 | 3/16/2016 |
| INFECTION | Mal_BEBLOH-1 | OPR 12.547 | 05/24/16 |
| INFECTION | Mal_BEBLOH-2 | OPR 12.547 | 05/24/16 |
WRS Pattern (Malicious URL and Classification)
| LAYER | URL | Score | Blocking Date |
|---|---|---|---|
| CLEAN-UP | uswmrmsu1fgdmm{blocked}.net | C&C | 3/2/2016 |
| CLEAN-UP | espedidasalacarta{blocked}.com/ontv.exe | Disease Vector | 3/10/2016 |
AEGIS Pattern (Behavior Monitoring Pattern)
| LAYER | Detection | Pattern Version | Release Date |
|---|---|---|---|
| DYNAMIC | 1933Q | OPR 1555 | 06/21/16 (Batch 1) |
Network Pattern
| LAYER | Detection | Pattern Version | Release Date |
|---|---|---|---|
| CLEAN-UP | HTTP_BEBLOH_REQUEST-2 | RR 1.10155.00 | 4/13/2016DYNAMIC |
Make sure to always use the latest pattern available to detect the old and new variants of TSPY_BEBLOH.
Details
Solution Map - What should customers do?
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
|---|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via Web console | Not Applicable | Update Pattern via Web console |
| Worry Free Business Suite | Standard | Not Applicable | |||||
| Advanced/Messaging | Update Pattern via web console | ||||||
| Hosted | |||||||
| Deep Security | 8.0 and above | Not Applicable | Update Pattern via Web console | Not Applicable | Update Pattern via Web console | ||
| ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via Web console | Not Applicable | |||
| SMD 5 and later | |||||||
| InterScan Messaging | IMSVA 8.0 and above | ||||||
| InterScan Web | IWSVA 6.0 and later | ||||||
| Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | ||||
| DDAN | |||||||
| DDEI |
* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.
Recommendations:
- Recommendations on how to best protect your network using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support using Threat Query Assessment
Threat Report
