- With internet-sharing applications, or "proxyware," users download software that allows them to share a percentage of their bandwidth with other internet users for a fee, with the companies that created this software acting as a go-between.
- As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns.
- Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.
- In many cases, these applications are featured in multi-stage, multi-payload malware attacks that provide adversaries with multiple monetization methods.
- Trojanized installers are some of the most common threats taking advantage of public interest in proxyware to infect victims.
- These applications pose significant privacy and operational risks to organizations, as they may allow nefarious or abusive network traffic to appear as if it originates from their corporate networks, resulting in reputational damage that may also lead to service disruption.
Tuesday, August 31, 2021
Attracting flies with Honey(gain): Adversarial abuse of proxyware
Friday, August 27, 2021
Threat Roundup for August 20 to August 27
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 20 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, August 26, 2021
Talos Takes Ep: #65: How several RAT campaigns in Latin America are connected
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
As more people around the world start to get vaccinated against COVID-19, travel is becoming easier, especially during these summer months. But as much as you may be excited to travel, so are threat actors. Asheer Malhotra was part of a team that looked into a series of campaigns targeting users in Latin America, specifically using social engineering tactics centered around travel. Some of the lure documents, in this case, include fake travel itineraries, coupons for flights and hotel reservation confirmations. Asheer joins the show this week to discuss the throughline between all these attacks and their potential connections to the Aggah crimeware group.
Threat Source newsletter (Aug. 26, 2021)
Newsletter compiled by Jon Munshaw.
Friday, August 20, 2021
Threat Roundup for August 13 to August 20
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 13 and Aug. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, August 19, 2021
Threat Source newsletter (Aug. 19, 2021)
Newsletter compiled by Jon Munshaw.
Malicious Campaign Targets Latin America: The seller, The operator and a curious link

- Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
- The campaign targets travel and hospitality organizations in Latin America.
- Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil.
- We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators.
- We've also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.
What's new?
We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author's intent to bundle malware generation functionalities for easy distribution and use by operators, customers and affiliates.
We've also observed some resemblance to the tactics and techniques used by a known crimeware actor "Aggah," especially the final payload delivery stages. Aggah has traditionally utilized highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.
How did it work?
We've also observed some Aggah campaigns using similar infection chains including scripts and similar commodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of using public hosting services such as Blogger, Pastebin and Web Archive.
The infection chains used in these campaigns are built using a .NET-based crypter called "3losh crypter rat" [SIC]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter's authors themselves.
So what?
All these campaigns, however, aim to distribute commodity RAT families. Commodity malware families are increasingly being used by both crimeware and APT groups to infect their targets. RATs in particular are extremely popular since they provide a wide range of functionalities to their operators to take advantage of the infected systems. These functionalities can be used for malicious activities such as:
- Performing preliminary reconnaissance to scope out victim networks and infrastructure.
- Deploying more malware such as ransomware and wipers to disrupt enterprise operations.
- Executing arbitrary commands.
- Exfiltrating confidential and proprietary information from enterprises.
- Stealing credentials, opening up more systems and services to unauthorized access.
Tuesday, August 17, 2021
Neurevt trojan takes aim at Mexican users

News summary
- Cisco Talos discovered a new version of the Neurevt trojan with spyware and backdoor capabilities in June 2021 using Cisco Secure Endpoint product telemetry.
- This version of Neurevt appears to target users of Mexican financial institutions.
- This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably T1547 - Boot or Logon Autostart Execution, T1055 - Process Injection, T1546 - Event Triggered Execution, T1056 - Input Capture (Credential API Hooking), T1553 - Subvert Trust Controls, T1562 - Impair Defenses, T1112 - Modify Registry, T1497 - Virtualization/Sandbox Evasion, T1083 - File and Directory Discovery, T1120 - Peripheral Device Discovery, T1057 - Process Discovery, T1012 - Query Registry, T1518 - Software Discovery and T1082 - System Information Discovery.
- Cisco Secure Endpoint, SNORTⓇ and Cisco Umbrella can all protect users from downloading this malware, protecting their online banking accounts from potential theft.
What's new?
Although Neurevt has been around for a while, recent samples in Cisco Secure Endpoint show that the actors combined this trojan with backdoors and information stealers. This trojan appears to target Mexican organizations. Talos is tracking these campaigns embedding URLs in the associated droppers, which belong to many major banks in Mexico.
Friday, August 13, 2021
Vulnerability Spotlight: Memory corruption vulnerability in Daemon Tools Pro
Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered a memory corruption vulnerability in Disc Soft Ltd.'s Daemon Tools Pro.
Daemon Tools Pro is professional emulation software that works with disc images and virtual drives. It allows the user to mount ISO images on Windows systems.
TALOS-2021-1295 (CVE-2021-21832) can cause memory corruption in the application if the user opens an adversary-created ISO file that causes an integer overflow. This vulnerability exists in the way the application parses ISOs.
Threat Roundup for August 6 to August 13
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 6 and Aug. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Vulnerability Spotlight: Multiple integer overflow vulnerabilities in GPAC Project on Advanced Content
A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple integer overflow vulnerabilities in the GPAC Project on Advanced Content that could lead to memory corruption.
The GPAC Project on Advanced Content is an open-source cross-platform library that implements the MPEG-4 system standard and provides tools for media playback, vector graphics, and 3-D rendering. The project comes with the MP4Box tool, which allows the user to encode or decode media containers in multiple supported formats.
TALOS-2021-1297 (CVE-2021-21834 - CVE-2021-21852), TALOS-2021-1298 (CVE-2021-21859 - CVE-2021-21862) and TALOS-2021-1299 (CVE-2021-21853 - CVE-2021-21858) could all allow an adversary to corrupt the memory of the application. An adversary could exploit these vulnerabilities by sending the target a specially crafted MPEG-4 input. This could cause an integer overflow due to unchecked addition arithmetic, eventually resulting in a heap-based buffer overflow that causes memory corruption.
Talos Takes Ep. #64: Back 2 Skool edition
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
There's no shortage of complications leading into this new school year. Students, parents, teachers and admins alike are adapting to the "new normal," and each county and state seem to have their own set of restrictions, challenges and plans to address those challenges.
This can be a cybersecurity nightmare for everyone involved. We hope we can provide a bit of help heading into the start of the new school year with this week's Talos Takes episode, where we talk about students bringing computers to and from school, the dangers of hybrid learning and the best steps for education networks' admins.
We also address Talos' research into online homework scams and associated, follow-on malware. For more on that, check out our original post here and Forbes' recent article on our work here.
Thursday, August 12, 2021
Vice Society leverages PrintNightmare in ransomware attacks
Executive Summary
Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society.
Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft.
In this post, we'll analyze the various TTPs used in a recent ransomware attack from Vice Society that leveraged this vulnerability. Many of these same TTPs are commonly observed in other ransomware attacks, such as a previously published analysis of a WastedLocker attack.
Threat Source newsletter (Aug. 12, 2021)
Newsletter compiled by Jon Munshaw.
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
News summary
- Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs.
- We found that ServHelper is being installed onto the targeted systems using several different mechanisms, ranging from fake installers for popular software to using other malware families such as Raccoon and Amadey as the installation proxies.
- This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027, Ingress Tool Transfer - T1105, and Registry Run Keys/Startup Folder - T1547.001.
What's new?
Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT. ServHelper will also sometimes install a module that includes either Monero or Ethereum cryptocurrency mining tools.
How did it work?
One path for infection starts with the compromise of a legitimate site that hosts cryptographically signed MSI installers. These install popular software such as Discord. However, they also launch a variant of the Raccoon stealer, which downloads and installs a ServHelper RAT if instructed by the command and control (C2) server. Attackers also deploy the ServHelper RAT with a variant of the Amadey malware, which gets a full command line from the server to install an initial PowerShell downloader component for ServHelper.
ServHelper includes the functionality to remotely control the infected system, log keystrokes, exfiltrate users' confidential data, launch RDP sessions, install cryptomining software and install the NetSupport remote access tool.
So what?
Although many threat actors, such as TA505 or its associated groups — to which we attribute these campaigns with moderate confidence — have been affected by the arrests of several CLOP members in Ukraine, they continued to operate using a different set of tools. These attacks are geared toward taking control over the infected systems and stealing confidential data which the group will likely leverage for financial gain later on. Users need to make sure they install software only from trusted sources. Even if installers are signed with a valid certificate, that does not mean that the functionality is legitimate.
Wednesday, August 11, 2021
Talos Incident Response quarterly threat report — The top malware families and TTPs used in Q2 2021
By David Liebenberg and Caitlin Huey.
Last quarter, ransomware was not the most dominant threat for the first time since we began compiling these reports. We theorized that this was due to a huge uptick in Microsoft Exchange exploitation, which temporarily became a primary focus for Cisco Talos Incident Response (CTIR). We believed that ransomware would soon return to its position as the most observed threat. This proved correct, as ransomware cases exploded this quarter, comprising nearly half of all incidents, underscoring that it remains one of the top threats targeting enterprises.
Although ransomware was the top threat, there were very few observations of commodity trojan use this quarter. Ransomware actors continued to use commercial tools such as Cobalt Strike, open-source tools, including Rubeus, and tools native on the victim’s machine (living-off-the-land binaries, aka “LoLBINs”) such as PowerShell.
Tuesday, August 10, 2021
Microsoft Patch Tuesday for August 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Martin Lee.
Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest vulnerabilities Microsoft has patched in a month in more than two years.
There are only nine critical vulnerabilities included in this release, and the remainder is “important.”
The most serious of the issues is CVE-2021-26424, a remote code execution vulnerability in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.
Other products included in this month’s Patch Tuesday include the Windows Graphic Component, print spooler and Microsoft Office. For a full rundown of these CVEs, head to Microsoft’s security update page.
Vulnerability Spotlight: Multiple vulnerabilities in AT&T Labs’ Xmill utility
Carl Hurd of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code.
Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric's EcoStruxure Control Expert.
Vulnerability Spotlight: Code execution vulnerability in Mozilla Firefox
Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered a use-after-free vulnerability in Mozilla Firefox that could lead to code execution.
Firefox is a widely used web browser available on many operating systems. This specific vulnerability exists in the software’s nsBufferedStream component, which is part of the Stream buffering functionality.
TALOS-2021-1345 (CVE-2021-29985) can be triggered if an attacker tricks a user into visiting a specially crafted, malicious web page. This could cause a race condition, which can lead to a use-after-free vulnerability and potential remote code execution.
Friday, August 6, 2021
Talos Takes Ep: #63: Shield your eyes from the Solarmarker
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Andrew Windsor has been following the Solarmarker threat for months. But it really started to catch his eye when he spotted a surge in credential-harvesting activity.
Andrew recently wrote about the new modules this threat is adding as part of a blog post. And this week, he joins Talos Takes to dive further into his research on this threat and break down each of the new modules and explain why they're dangerous to users. He discusses how this threat has been able to fly under the radar while still ramping up its activities.
Threat Roundup for July 30 to August 6
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 30 and Aug. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, August 5, 2021
Threat Source newsletter (Aug. 5, 2021)
Newsletter compiled by Jon Munshaw.
Wednesday, August 4, 2021
Beers with Talos, Ep. #108: Kaseya it ain't so
Beers with Talos (BWT) Podcast episode No. 108 is now available. Download this episode and subscribe to Beers with Talos:
Who needed a summer vacation anyway? The whole Beers with Talos family was trying to take some time off or just go fishing for a few hours, but the bad guys have had other ideas. In the latest episode, we're dissecting the Kaseya incident and associated ransomware campaigns.
Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader
Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered that a specific function of tinyobjloader does not properly validate array indexes. An adversary could trick a user into opening a specially crafted file, causing an index out-of-bounds condition, potentially leading to code execution. Tinyobjloader is an open-source loader for embedding the .obj loader into graphics-rendering projects.
In accordance with our coordinated disclosure policy, Cisco Talos worked with tinyobjloader to ensure that this issue is resolved and that an update is available for affected customers.
Tuesday, August 3, 2021
Updates to the Cisco Talos Email Status Portal
Cisco Talos is rolling out several changes to the Email Status Portal that add new features and make the Portal even easier to use.
The Talos Email Status Portal allows users to view mail samples submitted and their statuses, analyze graphical displays of submission metrics, administer domains and user access and generate reports of this data.