MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server
Post published:June 16, 2023
Notification
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:CLEAR–Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.
When 11 of the dynamic link library (DLL) files are loaded, the files can read, create, and delete files. If the DLL contains a hardcoded Internet Protocol (IP) address, status messages will be sent to the IP. One DLL file will attempt to collect the target system’s Transmission Control Protocol (TCP) connection table, and exfiltrate it to a remote Command and Control server (C2). Five of the files drop and decode a reverse shell utility that can send and receive data and commands. In addition, the files drop and decode an Active Server Pages (ASPX) webshell. Two DLL files are capable of loading and executing payloads.
CISA has provided Indicators of Compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).
rule CISA_10413062_06 : exfiltrates_data
{
meta:
Author = “CISA Code & Media Analysis”
Incident = “10413062”
Date = “2022-11-30”
Last_Modified = “20221130_1700”
Actor = “n/a”
Family = “n/a”
Capabilities = “exfiltrates-data”
Malware_Type = “n/a”
Tool_Type = “n/a”
Description = “Detects managed malware code in C# DLL samples”
MD5 = “f6f47911ac32afd786a765dcb1f26722”
SHA256 = “e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913”
strings:
$s0 = { 4E 65 74 6B 65 6C 2E 64 6C 6C }
$s1 = { 76 34 2E 30 2E 33 30 33 31 39 }
$s2 = { 70 68 79 73 69 63 61 6C 50 61 74 68 3D }
$s3 = { 2E 63 6F 6E 66 69 67 00 2B 5F 2B 5F 2B }
$s4 = { 43 3A 5C 69 6E 65 74 70 75 62 5C 74 65 6D 70 }
condition:
all of them
}
ssdeep Matches
No matches found.
Relationships
e044bce06e….
Connected_To
45[.]77[.]212[.]12
Description
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Loading this DLL will send “+_+_+” to 45[.]77[.]212[.]12 over port 443. Then, C:inetpubtemp, D:inetpubtemp, and E:inetpubtemp are scanned recursively for files that end in .config.
When a .config file is found, the DLL will look for the strings “physicalPath=” and “/>” within the file. If there is data between those two strings, it will be sent to the IP.
If there was an error calling CreateFileA, “Errorcode: {Error_Code}” will be sent to the IP. If there was an error calling VirtualAlloc, “VirtualAlloc failed” will be sent to the IP. If there was an error while calling ReadFile, “read file failed” will be sent to the IP.
This IP was utilized by multiple malicious applications in this report as a C2 server. It is utilized by the malware to send status information from commands executed on system, as well as a location to exfiltrate sensitive system and network information.
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. The file has the same functionality as “1667465048[.]8995082[.]dll” (e044bce06e…).
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Loading this DLL will send “+_+_+” to 45[.]77[.]212[.]12 over port 443. The DLL will then create E:websitesico[.]txt and write “111” to that file. If there was an error creating the file, “CreateFile Error code: {Error_Code}” will be sent to the IP and execution ends. If there was an error writing to the file, “WriteFile Error code: {Error_Code}” will be sent to the IP and execution ends. If there are no errors, “CreateFileA OK” will be sent. The DLL will then delete E:websitesico[.]txt. If successful, “DeleteFileA OK” will be sent to the IP. If there was an error “DeleteFileA failed” will be sent to the IP.
Analysis indicates the purpose of this application is to provide a remote operator the ability to determine whether or not they can write files to the system’s web server directory. This capability will likely allow the operator to determine whether or not they can remotely install a webshell to allow convenient and persistent remote access to the compromised system.
Screenshots
Figure 1 – This code illustrates the malware attempting to create a file on the targeted system within the E:\websites directory. This appears to be a test to ensure the remote operator can remotely install web application code onto the target.
This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Static analysis indicates that the primary purpose of this code is to obtain a copy of the targeted system’s TCP connection table via the GetTcpTable API, and export it to the malware’s remote C2 server 45[.]77[.]212[.]12.
The purpose of this application is to allow a remote operator to determine what systems the targeted system currently has an established TCP session with. This capability will allow the operator to more efficiently profile the targeted network.
Screenshots
Figure 2 – The malicious binary loading its C2 IP 45[.]77[.]212[.]12 onto the stack.
Figure 3 – The malware obtaining a copy of the targeted system’s TCP connection table. Analysis indicates the TCP table will be exfiltrated to the remote C2 server.
This artifact is a DLL that drops and executes a reverse shell utility. When the DLL is loaded, it will drop an embedded and base64 encoded payload named ‘sortcombat’ into the path C:WindowsTemp. The program will then invoke the Windows command-line utility certutil[.]exe with the –decode option and write the new file as sortcombat[.]exe into C:WindowsTemp. Cmd[.]exe is then invoked to execute sortcombat[.]exe.
This artifact is a reverse shell utility with the internal name of ‘XEReverseShell[.]exe’ that is dropped by “1596923477[.]4946315[.]png” (8a5fc2b8ec…) into C:WindowsTemp as sortcombat[.]exe. When this utility is executed it will attempt to connect to the domain xework[.]com to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.
—Begin HTTP Sessions—
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive
GET /masterport HTTP/1[.]1
Host: xework[.]com
—End HTTP Sessions—
Upon receipt of the port number, XEReverseShell[.]exe will establish a listener on the port to accept streamed data. The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).
XEReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain. If it cannot identify the Internet IP address or Reverse Domain the utility attempts to connect to api[.]hackertarget[.]com/reverselookup/?q= to identify the IP address or retrieve answer records for the domain. Api[.]hackertarget[.]com is a legitimate website hosted for blue teams and penetration testers.
XEReverseShell will send the system data to the C2 in the following format:
—Begin—
WEBSITE PATH
————————[ XE ReverseShell ]———————–
CURRENT USERNAME
APP POOL
COMPUTER NAME
SYSTEM
INTERNET IP LOCAL IP
REVERSE DOMAIN
—End—
The utility will expect the command ‘xesetshell’ from the C2. If the command is received it will connect to the C2 and download a file called small[.]txt (5cbba90ba5…). Small[.]txt is a base64 encoded webshell that the program decodes as small[.]aspx and places in the path C:WindowsTemp.
If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.
xework[.]com
Tags
command-and-control
Ports
80 TCP
HTTP Sessions
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive
At the time of analysis, the files “XEReverseShell[.]exe” (11d8b9be14…) and “Multi-OS_ReverseShell[.]exe” (a0ab222673…) attempted to connect to this domain.
184[.]168[.]104[.]171
Relationships
184[.]168[.]104[.]171
Resolved_To
xegroups[.]com
184[.]168[.]104[.]171
Resolved_To
hivnd[.]com
184[.]168[.]104[.]171
Resolved_To
xework[.]com
Description
At the time of analysis, the domains xework[.]com, xegroups[.]com, and hivnd[.]com resolved to this IP address.
144[.]96[.]103[.]245
Relationships
144[.]96[.]103[.]245
Resolved_To
xework[.]com
Description
The domain xework[.]com returned this IP address as the masterip for the reverse shell.
This artifact is a base64 encoded text file that is downloaded by “XEReverseShell[.]exe” (11d8b9be14…) and decoded as small[.]aspx. Then it is placed in the path C:WindowsTemp.
This artifact is an ASPX webshell. The webshell is able to enumerate drives on the system, send, receive and delete files, and also execute incoming commands. The webshell contains an interface for easily browsing for files, directories, or drives on the system. It can sort files by size or MAC time, and allows the user to upload or download files to any directory.
This artifact is a DLL that drops and executes a reverse shell utility. When the DLL is loaded it will drop an embedded and base64 encoded payload named ‘xesmartshell’ (508dd87110…) into the path C:WindowsTemp. The program will then invoke certutil[.]exe with the –decode option and write the new file as xesvrs[.]exe (1fed0766f5…) into C:WindowsTemp. Cmd[.]exe is then invoked to execute the reverse shell.
This artifact is a reverse shell utility named ‘XE ReverseShell[.]exe’ that is dropped and decoded by “1596686310[.]434117[.]png” (78a926f899…). When the utility is executed it will attempt to connect to the domain xegroups[.]com to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.
—Begin HTTP Session—
GET /masterip HTTP/1[.]1
Host: xegroups[.]com
Connection: Keep-Alive
GET /masterport HTTP/1[.]1
Host: xegroups[.]com
—End HTTP Session—
Upon receipt of the port number, XE ReverseShell will establish a listener on the port to accept streamed data. The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).
XE ReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain
XEReverseShell will send the system data to the C2 in the following format:
—Begin—
—————[ XE ReverseShell ]—————
CURRENT USERNAME
APP POOL APP_POOL_CONFIG
COMPUTER NAME
SYSTEM LOCAL IP
—————————————————–
—End—
After the listener is set, the utility will execute the ‘setshell’ command that drops an embedded ASPX webshell (08375e2d18…). If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.
xegroups[.]com
Tags
command-and-control
Ports
443 TCP
HTTP Sessions
GET /masterip HTTP/1[.]1
Host: xegroups[.]com
Connection: Keep-Alive
GET /masterport HTTP/1[.]1
Host: xegroups[.]com
Connection: Keep-Alive
At the time of analysis, the files “XEReverseShell[.]exe” (815d262d38…) and “Multi-OS_ReverseShell[.]exe” (1fed0766f56…) attempted to connect to this domain.
This artifact is a base64 encoded file. The file will be decoded using the command-line utility certutil[.]exe and executed as xesvrs[.]exe (1fed0766f5…).
This artifact is a reverse shell utility named ‘Multi-OS ReverseShell[.]exe’ that is decoded from xesmartshell[.]tmp (508dd87110…). When the utility is executed it will attempt to connect to the domain xegroups[.]com using Secure Sockets Layer (SSL) to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.
Upon receipt of the port number, Multi-OS ReverseShell will establish a listener on the port to accept streamed data. If a port number is not returned, the program will listen on TCP 3979 by default.
The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).
Multi-OS ReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain
XEReverseShell will send the system data to the C2 in the following format:
—Begin—
—[ X ReverseShell ]—
CURRENT USERNAME
APP POOL APP_POOL_CONFIG
COMPUTER NAME
SYSTEM LOCAL IP
—————————–
—End—
After the listener is set, the utility will execute the ‘setshell’ command that drops an embedded ASPX webshell (08375e2d18…). If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.
This artifact is a DLL that drops and executes a reverse shell utility. When the DLL is loaded it will drop an embedded and base64 encoded payload named ‘SortVistaCompat’ (d9273a16f9…) into the path C:WindowsTemp. The program will then invoke the command-line utility certutil[.]exe with the –decode option and write the new file as xesvrs[.]exe (1fed0766f5…) into C:WindowsTemp. Cmd[.]exe is then invoked to execute the dropped file.
This artifact is a base64 encoded file. The file will be decoded using the command-line utility certutil[.]exe and executed as xesvrs[.]exe (1fed0766f5…).
This artifact is a reverse shell utility named ‘XEReverseShell[.]exe’ that is dropped by “1596835329[.]5015914[.]png” (e45ad91f12…) into C:WindowsTemp as xesvrs[.]exe. When the utility is executed it will attempt to connect to the domain xework[.]com to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.
—Begin HTTP Sessions—
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive
GET /masterport HTTP/1[.]1
Host: xework[.]com
—End HTTP Sessions—
Upon receipt of the port number, XEReverseShell will establish a listener on the port to accept streamed data. The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).
XEReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain. If it cannot identify the Internet IP address or Reverse Domain the utility attempts to connect to api[.]hackertarget[.]com/reverselookup/?q= to identify the IP address or retrieve answer records for the domain. Api[.]hackertarget[.]com is a legitimate website hosted for blue teams and penetration testers.
XEReverseShell will send the system data to the C2 in the following format:
—Begin—
|
————————[ XE ReverseShell ]———————–
CURRENT USERNAME
APP POOL APP_POOL_CONFIG
COMPUTER NAME
SYSTEM
INTERNET IP LOCAL IP
REVERSE DOMAIN
————————————————————————-
—End—
After the listener is set, the program will drop and decode an embedded base64 encoded webshell named small[.]aspx (08375e2d18…) into the path C:WindowsTemp. If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.
This artifact is a DLL that is designed to invoke PowerShell to download and execute a file on the system. When the DLL is executed it will attempt to connect to the Uniform Resource Locator (URL) hivnd[.]com/thumpxcache and download a file to the path C:WindowsTemp. The downloaded file is named thumcache[.]exe and is invoked using cmd[.]exe[.]
The file thumcache[.]exe was not available for analysis.
hivnd[.]com
Tags
command-and-control
URLs
hxxps://hivnd[.]com/thumpxcache
Ports
443 TCP
Whois
Domain Name: HIVND[.]COM
Registry Domain ID: 1688870027_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-10T12:20:07Z
Creation Date: 2011-11-25T06:18:30Z
Registry Expiry Date: 2026-11-25T06:18:30Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS31[.]DOMAINCONTROL[.]COM
Name Server: NS32[.]DOMAINCONTROL[.]COM
Name Server: NS63[.]DOMAINCONTROL[.]COM
Name Server: NS64[.]DOMAINCONTROL[.]COM
Name Server: NS77[.]DOMAINCONTROL[.]COM
Name Server: NS78[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned
Domain Name: HIVND[.]COM
Registry Domain ID: 1688870027_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2018-03-05T23:44:55Z
Creation Date: 2011-11-25T01:18:30Z
Registrar Registration Expiration Date: 2026-11-25T01:18:30Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Name Server: NS31[.]DOMAINCONTROL[.]COM
Name Server: NS32[.]DOMAINCONTROL[.]COM
Name Server: NS63[.]DOMAINCONTROL[.]COM
Name Server: NS64[.]DOMAINCONTROL[.]COM
Name Server: NS77[.]DOMAINCONTROL[.]COM
Name Server: NS78[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned
This artifact is a DLL that is designed to download and execute a payload. The file does not contain a URL to check for downloads. If the program determines that it is running in a virtual environment, it will trigger an exception and terminate.
This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This DLL deletes .dll files ending with “.dll” extension in the “C:windowstemp” directory on the infected machine. This sample also has the capability to enumerate the system, get network parameters including host name, domain name, Domain Name System (DNS) servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server. The sample then communicates the collected data to a C2 server located at IP address 137[.]184[.]130[.]162.
137[.]184[.]130[.]162
Tags
command-and-control
Ports
443 TCP
Whois
NetRange: 137[.]184[.]0[.]0 – 137[.]184[.]255[.]255
CIDR: 137[.]184[.]0[.]0/16
NetName: DIGITALOCEAN-137-184-0-0
NetHandle: NET-137-184-0-0-1
Parent: NET137 (NET-137-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS14061
Organization: DigitalOcean, LLC (DO-13)
RegDate: 2019-11-13
Updated: 2020-04-03
Comment: Routing and Peering Policy can be found at hxxps://www[.]as14061[.]net
Comment:
Comment: Please submit abuse reports at
hxxps://www[.]digitalocean[.]com/company/contact/#abuse
Ref: hxxps://rdap[.]arin[.]net/registry/ip/137[.]184[.]0[.]0
OrgName: DigitalOcean, LLC
OrgId: DO-13
Address: 101 Ave of the Americas
Address: FL2
City: New York
StateProv: NY
PostalCode: 10013
Country: US
RegDate: 2012-05-14
Updated: 2022-05-19
Ref: hxxps://rdap[.]arin[.]net/registry/entity/do-13
This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This sample has the capability to load additional libraries, enumerate the system, processes, files, directories, and has the ability to write files, get network parameters including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server. The sample then communicates the collected data to a C2 server located at IP address 137[.]184[.]130[.]162.
This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This sample has capability to get network parameters including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, DHCP server, and additional data and communicate it to a C2 server located at IP address 137[.]184[.]130[.]162 over port 443.
This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This file has the same functionality as the file “1665128935[.]8063045[.]dll” (833e9cf750…).
This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This file has the same functionality as the file “1665128935[.]8063045[.]dll” (833e9cf750…).
This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This file has the same functionality as the file “1665128935[.]8063045[.]dll” (833e9cf750…), except it does not have the capability for network communication. However, the IP address 137[.]184[.]130[.]164 is hard-coded within the sample like the other files.
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.
Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.
XWe use cookies in our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of the cookies explicitly. Visit Cookie Settings to know more about the cookies used on our website. Read More RejectACCEPTCookie settings
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are as essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
This category contains the advertising cookie that is set by Google, when embeding one of its services. CYNET embeds a Google Map, showing its location in the Homepage and in Contact sections. The cookies that are set are the following:
NID
This website uses Google Analytics (with IP Anonymization) in order to track the visitor's performance. The cookies that are set by the service are the following:
_ga
_gat
_gid
This category contains all the cookies that are closely related to the functionality of the Website, such as the prefered language, whether the user has read and/or accepted the Cookie Consent in the various categories.
The following cookies are set:
pll_language
viewed_cookie_policy
cookielawinfo-checkbox-preferences
cookielawinfo-checkbox-advertisement
