Good afternoon, Talos readers.

We have RATs on RATs on RATs over the past few weeks. And last week, we found a few more heading to Latin America to target users and try to steal their login credentials.

The threat actor in this case has some compelling connections to the Aggah threat group we've written about in the past, but there doesn't appear to be any definitive link.

Upcoming Talos public engagements

CTIR on the Technado podcast

Speaker: Chris DiSalle

Date: Sept. 9

Location: Virtual

Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • T-Mobile confirmed that more than 50 million current, former and prospective customers' information was affected by a recent data breach. The company said that, in its most recent investigation, it could not find any evidence that victims' Social Security numbers or driver's license information was accessed.
  • A threat actor returned roughly $600 million worth of cryptocurrency that they stole about two weeks prior. The online platform targeted in the attack, Poly Network, offered the attacker a monetary reward for returning the virtual currency and attempted multiple lines of communication.
  • The FBI sent out its first-ever warning regarding a ransomware affiliate group, part of the growing trend around ransomware-as-a-service. The alert details the actions of the OnePercent group, known to spread ransomware such as Maze and REvil.
  • Ransomware actors are using new coded language in online forums to evade researchers and government officials looking to stop their activities. There is essentially a series of unwritten rules bad actors are following, including the use of seemingly legitimate language to refer to cyber attacks.
  • Google issued an update for its Chrome web browser that fixes seven security issues, some of which could allow an attacker to take control of an affected system. The update came two weeks after Google released a separate set of patches for Chrome.
  • The U.S. State Department was reportedly the victim of a recent cyber attack, though the exact extent is still not known. News of the attack came a few weeks after several federal agencies received poor cybersecurity grades from a Senate report.
  • A small New Hampshire town lost $2.3 million in taxpayer money after a recent cyber attack. It's believed that an adversary used an email-based attack to divert funds meant for the school system to an attacker-controlled account.
  • A vulnerability in Microsoft's Power Apps mistakenly left millions of records exposed across some high-profile websites. The sites affected include COVID-19 contact-tracing applications, vaccination registration pages, job application portals and employee databases.
  • The U.S. Department of Cybersecurity and Infrastructure Security warned that attackers are actively exploiting two vulnerabilities in ProxyShell. Security researchers say this is a different attack vector than the ProxyLogon vulnerability and Hafnium threat first discovered in March.

Notable recent security issues

Title: LockBit 2.0 targets organizations across the globe

Description: The ransomware-as-a-service network behind the LockBit ransomware is launching new attacks using the 2.0 version of its malware. LockBit has recently been spotted targeting organizations in the U.K., Taiwan, Chile and Italy. This new version of LockBit includes new encryption features and an effort to recruit “insiders” at the targeted organizations. Once the malware encrypts the data on the targeted machine, it changes the wallpaper to display an advertisement, telling users that they can become a part of LockBit’s recruitment process, promising payouts in the millions of dollars. LockBit’s been behind several recent high-profile attacks, including one on global consulting firm Accenture.

Snort SIDs: 58024, 58025

Title: Several RATs team up to target users in Latin America

Description: Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT. The campaign targets travel and hospitality organizations in Latin America. The techniques used in this campaign bear a resemblance to those of the Aggah group, but the campaign is operated by a distinct threat actor based out of Brazil. We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators. The threat actor authoring the crypter primarily aims to sell it as a service. We've observed the authors advertise their crypters on Facebook, YouTube and other social media. However, we've also discovered that the crypter's authors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs. The highly modular structure of the Latin American attack indicates a focus on stealth to deliver two widely popular RAT families, AsyncRAT and njRAT. These techniques, along with other indicators, are shared with the Aggah group, indicating that the crypter author might have sold it to both parties.

Cisco Secure Endpoint Orbital search queries:

  • https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_njrat_filepath.yaml
  • https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_asyncrat_mutex_detected.yaml

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587

MD5: ec26aef08313a27cfa06bfa897972fc1

Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs

Claimed Product: N/A

Detection Name: Win.Worm.Dunihi::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos
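The hash list above is published in a fixed "SHA 256 / MD5 / Typical Filename / Claimed Product / Detection Name" layout, which is easy to turn into a lookup table for a quick hunt across a file share or a quarantine folder. The following is an added example, not Talos or Cisco code: it parses that block exactly as it appears in the newsletter, indexes the records by both hashes, and reports any file on disk whose digest matches. The hash values are the five from this week's list; the scanned bytes and paths in the test are constructed, and the `scan_directory` entry point (which takes a directory path) is an assumption about how a reader would want to run it.

```python
import hashlib
import re
import sys
from pathlib import Path

# Copy of the "Most prevalent malware files this week" block from the newsletter,
# embedded so the example runs offline. Hashes are the ones on the page.
IOC_TEXT = """
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587
MD5: ec26aef08313a27cfa06bfa897972fc1
Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs
Claimed Product: N/A
Detection Name: Win.Worm.Dunihi::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
MD5: 0a13d106fa3997a0c911edd5aa0e147a
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos
"""

# One "Key: value" line of the newsletter block; a new "SHA 256:" line starts a new record.
FIELD_RE = re.compile(r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*)$")


def parse_ioc_block(text):
    """Parse the newsletter's hash block into a list of dicts, one per sample."""
    records, current = [], {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not a known field
        key, value = m.group(1), m.group(2).strip()
        if key == "SHA 256" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def build_index(records):
    """Map every lowercase SHA-256 and MD5 digest to its record."""
    index = {}
    for rec in records:
        index[rec["SHA 256"].lower()] = rec
        index[rec["MD5"].lower()] = rec
    return index


def lookup_hash(digest, index):
    """Case-insensitive lookup of a hex digest; returns the record or None."""
    return index.get(digest.strip().lower())


def match_bytes(data, index):
    """Hash a file's contents both ways and return the matching record, if any."""
    sha256 = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return lookup_hash(sha256, index) or lookup_hash(md5, index)


def scan_directory(root, index):
    """Walk a directory tree and list (path, detection name) for every IoC hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            rec = match_bytes(path.read_bytes(), index)
            if rec:
                hits.append((str(path), rec["Detection Name"]))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>
    ioc_index = build_index(parse_ioc_block(IOC_TEXT))
    for hit_path, detection in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", ioc_index):
        print(f"{hit_path}\t{detection}")
```

Matching on MD5 as well as SHA-256 matters in practice because many third-party reports and older sandboxes only publish the shorter digest; indexing both means a hit is found whichever one a file's hash happens to have been recorded under.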

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.