Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We uncovered the details of a new malware targeting subscribers of a Tibetan email list. The malicious emails delivered a malware we’re calling “ExileRAT,” which appears to be an evolution of the LuckyCat family. Based on the targets and the behavior of the malware, we believe this is an effort by the attackers to spy on the victims.
Now, it’s time to look back. To help put a bow on 2018, we looked at the Snort rules that were triggered the most last year. Spoiler: They mainly blocked cryptocurrency miners and trojans. Here’s a roundup of the five most-triggered Snort rules from 2018.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event: RSA Conference
Location: Moscone Center, San Francisco, Calif.
####Date: March 4 - 8
####Speaker: Matt Watchinski
Synopsis: Matt Watchinksi, the vice president of Cisco Talos, will partake in one of the keynote addresses at this year’s RSA conference. Watchinski, along with Liz Centoni of Cisco, will discuss how to defend against internet-of-things attacks. As more automated devices are added to our homes every day, it just creates more attack vectors. Watchinski and Centoni will talk about successful defense strategies Cisco has employed in the past.
####Reference:
###Event: SecIT
Location: Hannover Congress Center, Hanover, Germany
####Date: March 3 - 4
####Speaker: Holger Unterbrink
Synopsis: The pressure on IT security officers to compete for resistant IT security never ends. Attackers are trying to penetrate companies’ networks with new methods and to monetize deducted data every day. Unterbrink sits at the front and will provide insights into the current threat situation and attack scenarios.
*
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Attackers continue to utilize a vulnerability in GoDaddy.com domains. The flaw allows unauthenticated users to send malicious emails via legitimate, dormant domains. Most recently, a group of attackers sent out a series of sextortion and bomb threat emails, as outlined in a report by Cisco Talos. GoDaddy is the world’s largest domain name registrar.
* Email spammers are taking advantage of a little-known Gmail feature that allows them to grow their reach. They can create so-called “dot emails,” which places a period between each letter in their domain name. If the attackers are able to use a seemingly legitimate domain, they can then add dots to that domain and still control the emails, allowing them to send out more spam.
* Facebook is stepping up its crackdown on fake accounts. The social media site took down thousands of pages and profiles posting malicious content. The pages originated from Iran and Indonesia. Earlier this month, it also removed Russian- and Philipino-backed, politically motivated pages.
* Mozilla is working on a new feature for Firefox to protect against side-channel attacks. The new tool aims to be an improved version of Google Chrome’s Site Isolation feature, which helps browsers block potential side-channel attacks.
* The U.S. Department of Justice and Department of Homeland Security completed an election security report. The study, ordered by the White House, looks at whether the 2018 midterm elections were influenced by foreign interference. It’s unclear whether the report will ever be made public.
* Google patched a critical vulnerability in Android devices as part of its February security update. Attackers could use a specially crafted PNG image to completely take over the victim’s mobile device. Google says there’s no evidence of the bug being exploited in the wild.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: New Anatova ransomware works to quickly encrypt files
Description: McAfee Labs recently discovered a new ransomware known as “Anatova” that’s been spotted infecting targets in the U.S. and Europe. The malware encrypts users’ files and then demands a payment of roughly 10 DASH — a cryptocurrency — the equivalent of roughly $700.
Snort SIDs: 49070 - 49072
###Title: GandCrab ransomware disguises itself as emergency plan
Description: The well-known GandCrab ransomware is being spread through a new email campaign. These malicious emails disguise themselves as legitimate emergency plans for the building in which the victim works. The server tied to this campaign previously delivered the Ursnif trojan.
Snort SIDs: 49068, 49069
***
##MOST PREVALENT MALWARE FILES Jan. 31 - Feb. 7:
- **SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
- MD5: 1a5a7532854ab45ac74b1c657fe47941
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.18042540B3-95.SBX.TG
- SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
- MD5: b23f736c46d9fa238b02c9eb0cea37cf
- Typical Filename: CONFIGURETGN.EXE
- Claimed Product: N/A
- Detection Name: W32.Auto:6d36f9.in03.Talos
- SHA 256: 36164D300B46472EFA0D1D7D5B2CDE209550057CE1C27C51CCE435FDC8C9CDD1
- MD5: e500938823bf72032ba56a82fed4d3ea
- Typical Filename: 25559810.doc
- Claimed Product: N/A
- Detection Name: W32.36164D300B-100.SBX.TG
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
**
##SPAM STATS FOR Jan. 31 - Feb. 7:
####TOP SPAM SUBJECTS OBSERVED
- “Your personal discount”
- “hi”
- “Pharmacy Discounts”
- “Benefits_Docs#621”
- “This account has been hacked! Change your password right now!”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 30633 Leaseweb USA, Inc.
- 24940 Hetzner Online GmbH
- 203377 Okkes Uzunca trading as Fiberserver Internet Teknolojileri
- 209737 Muhammet Meric trading as Meric Hosting
- 16276 OVH SAS
**
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.