Good afternoon, Talos readers.

Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020, and we've seen recent campaigns that are showing the damage can only get worse.

Attackers are taking over businesses' emails and then sending employees and customers messages themed around everything from COVID-19 to PlayStation 5 sales. So while BEC may not seem like the most exciting threat out there, it's still one that can't be ignored.

Upcoming Talos public engagements

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • Just days after police made several arrests regarding the CLOP ransomware group, the operators posted data they claim came from a new victim. This indicates the group is still active in some way, even though possibly not as strong.
  • Multiple Russian intelligence officials have recently pledged to help the U.S. track down cybercriminals. The comments from the FSB and the country's deputy foreign minister come after U.S. President Joe Biden and Vladimir Putin, his Russian counterpart, met at a rare summit last week.
  • A new proposal circulating in Congress would label certain entities as being potential targets for cyber attacks, then offer them special access to government resources in exchange for improving their security standards. This idea is known as "systemically important critical infrastructure."
  • The U.S. and European Union created a new joint working group to combat ransomware. A joint statement said the group will address the threat "through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals responsible, and to encourage those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory."
  • The EU also created a separate Joint Cyber Unit to address emergency, large-scale cyber attacks. A dedicated team of security experts will now be deployed to European countries in the event of a major ransomware attack to assist with response and recovery.
  • A new ransomware called "LV" appears to have copied large swaths of REvil ransomware code. The two families also share similar TTPs, as LV also steals victims' information and then posts the information on leak sites to shame the victim into paying the ransom.
  • Update firmware in more than 30 million Dell computers could leave the devices open to attacks. Security researchers recently discovered four vulnerabilities affecting desktops, laptops and tablets, and Dell plans to release a patch Thursday.
  • John McAfee, the creator of the McAfee anti-virus software and viral personality, was found dead in a Spanish prison this week. McAfee left the security space many years ago, and since ran into a bevy of criminal charges and legal troubles.
  • The Monero cryptocurrency is quickly becoming the virtual currency of choice for threat actors. Monero is harder to trace than bitcoin and obscures the amount of money exchanged during a transaction between sender and receiver.

Notable recent security issues

Title: Infamous RAT returns in COVID-related scams

Description: The Agent Tesla remote access trojan (RAT) is back again, this time using COVID-19-related phishing documents as its initial infection vector. Attackers are sending emails claiming to have a COVID-19 vaccine schedule attached as an RTF document. The malicious attachment exploits a known Microsoft Office remote code execution vulnerability, CVE-2017-11882, to infect the victim with Agent Tesla. This version of the RAT appears to be the most recent, with updated anti-detection capabilities and data theft tools. Although many countries, including the U.S., are starting to loosen pandemic restrictions as vaccination rates increase, this campaign shows that attackers will continue using COVID-19 as a popular spam topic.

Snort SIDs: 57787

Title: Attackers may be relying on one another to access corporate networks

Description: A new report indicates that APTs may be exchanging information and money as part of a vast network of cyber criminals distributing ransomware. Some of these groups buy access from other, independent adversaries who infiltrate major targets and eventually receive part of the proceeds from a successful ransomware infection. As part of this, security researchers at Proofpoint uncovered several new actors. One of these groups, which it named TA577, has been active since mid-2020. It’s used several ransomware payloads including SmokeLoader, IcedID, Ursnif and Cobalt Strike.

References: https://www.itpro.co.uk/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

Snort SIDs: 57786, 57791

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID.dat

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.