Sign In with your
Trend Micro Account
需要協助?
需要協助?

若您需要技術支援,請 按此建立案件。

Emerging Threat on VALYRIA

    • 更新於:
    • 27 Jul 2018
    • 產品/版本:
    • Deep Security
    • Hosted Email Security
    • Interscan Messaging Security Virtual Appliance
    • Interscan Web Security Virtual Appliance
    • OfficeScan
    • ScanMail for Exchange
    • Trend Micro Email Security
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Standard
    • 作業系統:
    • N/A N/A
概要

TROJ_VALYRIA is a password protected Microsoft document file containing malicious scripts embedded in its document body (detected as VBS_NEMUCOD).  NEMUCOD, a script malware known through its highly obfuscated “download and execution” script, is now evolving from JavaScript to a Visual Basic Script malware.

As a Payload, TSPY_URSNIF is downloaded by VBS_NEMUCOD, stealing users’ information and then attempting to send and receive information from a certain host URL.

VALYRIA_Infection Chain

Click image to enlarge

Anti-Spam Pattern

LayerDetectionPattern VersionRelease Date
INFECTIONVBS_VALYRIA.A13.413.00



































   5/18/2017 14:07
INFECTIONVBS_VALYRIA.B13.413.00
INFECTIONVBS_VALYRIA.C13.413.00
INFECTIONVBS_VALYRIA.D13.413.00
INFECTIONVBS_VALYRIA.E13.413.00
INFECTIONVBS_VALYRIA.F13.413.00
INFECTIONVBS_VALYRIA.G13.413.00
INFECTIONVBS_VALYRIA.H13.413.00
INFECTIONVBS_VALYRIA.I13.413.00
INFECTIONTROJ_VALYRIA.GAS13.413.00
INFECTIONTROJ_VALYRIA.GGA13.413.00
INFECTIONTROJ_VALYRIA.LNKA13.413.00
INFECTIONTROJ_VALYRIA.DOC13.413.00
INFECTIONTROJ_VALYRIA.DOCA13.413.00
INFECTIONTROJ_VALYRIA.DOCB13.413.00
INFECTIONTROJ_VALYRIA.DOCC13.413.00
INFECTIONTROJ_VALYRIA.DOCD13.413.00
INFECTIONTROJ_VALYRIA.DOCE13.413.00
INFECTIONTROJ_VALYRIA.DOCF13.413.00
INFECTIONTROJ_VALYRIA.DOCG13.413.00
INFECTIONTROJ_VALYRIA.DOCH13.413.00
INFECTIONTROJ_VALYRIA.DOCI13.413.00
INFECTIONTROJ_VALYRIA.DOCJ13.413.00
INFECTIONTROJ_VALYRIA.DOCK13.413.00
INFECTIONTROJ_VALYRIA.DOCL13.413.00
INFECTIONTROJ_VALYRIA.DOCN13.413.00
INFECTIONTROJ_VALYRIA.DOCQ13.413.00
INFECTIONTROJ_VALYRIA.DP13.413.00
INFECTIONTROJ_VALYRIA.GQA13.413.00
INFECTIONTROJ_VALYRIA.FQA13.413.00
INFECTIONTROJ_VALYRIA.AQX13.413.00
INFECTIONTROJ_VALYRIA.AUSQO13.413.00
INFECTIONTROJ_VALYRIA.AUSQP13.413.00
INFECTIONTROJ_VALYRIA.AUSQQ13.413.00
INFECTIONTROJ_VALYRIA.AUSQR13.413.00
INFECTIONTROJ_VALYRIA.AUSQS13.413.00
INFECTIONTROJ_VALYRIA.AUSQT13.413.00
INFECTIONTROJ_VALYRIA.AUSQU13.413.00
INFECTIONTROJ_VALYRIA.AUSQV13.413.00
INFECTIONTROJ_VALYRIA.AUSQW13.413.00
INFECTIONTROJ_VALYRIA.AUSQX13.413.00
INFECTIONTROJ_VALYRIA.AUSQY13.413.00
INFECTIONTROJ_VALYRIA.AUSQZ13.413.00
INFECTIONTROJ_VALYRIA.AUSRA13.413.00
INFECTIONTROJ_VALYRIA.AUSRB13.413.00
INFECTIONTSPY_URSNIF.GQA13.417.005/20/2017 11:38

Web Reputation (Malicious URL’s and Classification)

LayerURLRatingRelease Date
EXPOSURE{blocked}185.189.14.193/odg.jdMalware Accomplice3/20/2017
EXPOSUREhxxp://{blocked}91.210.166.142/skdata.sqlMalware Accomplice5/18/2017
EXPOSUREhxxp://{blocked}91.210.166.142/skdata.sqlMalware Accomplice5/18/2017
EXPOSUREhxxp://urbansoft{blocked}.cc/sql.dbMalware Accomplice5/11/2017
EXPOSUREhxxp://{blocked}185.188.183.206/report.prtDisease Vector4/21/2017
EXPOSUREhxxp://aura-proprete{blocked}.fr/sck.txtDisease Vector4/25/2017
EXPOSUREhxxp://{blocked}185.195.25.79/5324.csvMalware Accomplice5/18/2017
EXPOSUREhxxp://coloctionneur{blocked}.fr/license.csvMalware Accomplice5/18/2017
EXPOSUREhxxp://{blocked}91.210.164.3/22.dobMalware Accomplice5/18/2017
EXPOSUREhxxp://{blocked}185.188.183.235/img.jptMalware Accomplice4/13/2017
EXPOSUREhxxp://legadodevelopmentgroup{blocked}.com/tmp.pkgMalware Accomplice5/5/2017

Web Reputation (Malicious URL’s and Classification)

LayerDetectionPattern VersionRelease Date
AEGIS4914TOPR 16716/14/2017
 
Make sure to always use the latest pattern available to detect the old and new variants of VALYRIA.
詳情
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan11 SP1 above






Update Pattern via web console
Update Pattern via Web console








Enable Web Reputation Service*




Update Pattern via web console



Not Applicable

Update Pattern via web console
Worry-Free Business SuiteStandard
Not Applicable
Advanced/MSAUpdate Pattern via web console
Hosted
Deep Security8.0 and above





Not Applicable
Update Pattern via web consoleNot ApplicableUpdate Pattern via web console
ScanMailSMEX 10 and later


Not Applicable


Update Pattern via Web console


Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and later
Not Applicable
Update Pattern via web console
 
* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Threat Report

Premium
Internal
評價:
分類:
SPEC
解決方案ID:
1117788
評定這個解決方案
本文是否幫助解決您的問題?

感謝您的意見!

請留下您的Email方便進一步的聯繫,協助我們改進文章內容:
我們不會透過以上Email寄送任何可能騷擾您的垃圾信.

本意見調查系統為自動運作,將不會回覆如銷售、技術、產品等一般問題.

若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.