Crystal Finance Millennium (CFM) Security Incident Information

    • Updated: 19 Sep 2017
    • Product/Version: Deep Discovery Inspector All.All, OfficeScan 11.0, OfficeScan XG.All
    • Platform: N/A
Summary

Crystal Finance Millennium (CFM), a Ukraine-based accounting firm, has been hacked and was found to be distributing malware, which could be part of a larger-scale attack. The firm took down its own website to prevent the damage from spreading further.

Infection Chain

  1. The attacker sends a phishing email containing ZIP files that hold JavaScript files.
  2. The JavaScript files download load.exe from CFM's compromised web server:
    • URL: http[:]//cfm.com[.]ua/awstats/load.exe
    • IP Address: 194.28.172[.]73
  3. Once load.exe runs, it creates a copy of itself and downloads additional executable files. Below are the Indicators of Compromise (IOCs):
  4. According to an ISSP report, load.exe and the additionally downloaded files were designed to attack various banking client applications.
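An added detection example, not part of the Trend Micro article, covering stages 1 and 2 of the chain above: it lists script files inside a ZIP attachment and flags proxy log entries that reach the compromised download location. The ZIP contents and the log lines are constructed, and the proxy log field layout is an assumption.

```python
import io
import os
import zipfile
from urllib.parse import urlparse

SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}  # mail-borne downloader types; this campaign used .js

# Indicators from the article: the compromised CFM download location for load.exe.
LOAD_EXE_HOST = "cfm.com.ua"
LOAD_EXE_PATH = "/awstats/load.exe"
LOAD_EXE_IP = "194.28.172.73"


def script_members(zip_bytes: bytes) -> list[str]:
    """Names of script files inside a ZIP attachment (stage 1 of the chain)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Only the final extension matters: "invoice.pdf.js" still runs as a script.
            if not info.is_dir() and os.path.splitext(info.filename.lower())[1] in SCRIPT_EXTS:
                found.append(info.filename)
    return found


def flag_proxy_lines(lines: list[str]) -> list[str]:
    """Proxy lines reaching the compromised server (stage 2). Assumed format: 'time client method url dest_ip status'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip rather than abort the sweep
        url, dest_ip = urlparse(parts[3]), parts[4]
        # Match the exact download URL, or any traffic to the server IP, since the whole site was compromised.
        if (url.hostname == LOAD_EXE_HOST and url.path == LOAD_EXE_PATH) or dest_ip == LOAD_EXE_IP:
            hits.append(line)
    return hits


def make_sample_zip() -> bytes:
    """Constructed attachment: a decoy text file plus a JavaScript file with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "decoy")
        zf.writestr("invoice.pdf.js", "// constructed placeholder, not the real downloader")
    return buf.getvalue()


# Constructed log lines for demonstration, not from a real incident.
SAMPLE_PROXY_LOG = [
    "2017-09-19T10:00:01Z 10.0.0.12 GET http://intranet.example/index.html 10.0.0.5 200",
    "2017-09-19T10:00:07Z 10.0.0.12 GET http://cfm.com.ua/awstats/load.exe 194.28.172.73 200",
    "2017-09-19T10:00:09Z 10.0.0.31 GET http://cfm.com.ua/ 194.28.172.73 200",
]
```

Running `script_members(make_sample_zip())` returns the single JavaScript member, and `flag_proxy_lines(SAMPLE_PROXY_LOG)` returns both lines that touched the compromised server.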

Trend Micro Solutions

Trend Micro offers various solutions to prevent the spread of this infection; the detection names assigned to the related files and URLs are provided as part of this incident information.


Prevention and Monitoring

Different Trend Micro products can both prevent these security incidents and monitor for them. The relevant features of each product are listed below.

Below is the list of OfficeScan (OSCE) features that can monitor and prevent the threats:

  • Real-time Scan for Virus/Malware
  • Predictive Machine Learning
  • Behavior Monitoring: enable the Newly Encountered Program setting (monitor newly encountered programs downloaded through HTTP or email applications)
  • Suspicious File: enable the Suspicious File List under Suspicious Object List Settings

Below is the list of Deep Discovery Inspector (DDI) features that can monitor threat activity:

  • ZEUS - HTTP (Response) - TSPY_ZBOT.XNI
  • Dangerous URL in Web Reputation Services database - HTTP (Request)
  • File with malware-related file name - HTTP (Request)

Category: Remove a Malware / Virus
Solution Id: 1118332