Threat Source newsletter for Sept. 3, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Check out our complete details of the threat and our protections here.

We are also excited to show off our fancy new Talos Email Status Portal. Here, you can see any ham or spam you’ve submitted to us for review.

And, lastly, there’s a new Beers with Talos episode that’s all about FUD.

Cyber Security Week in Review

Tesla CEO Elon Musk confirmed that his company was the target of an alleged scheme to install malware on the company’s network. A Russian tourist was arrested last week for allegedly recruiting a Tesla employee to carry out the hack.
Several states’ Department of Motor Vehicles may overreach in how available they make drivers’ information. Several private investigators indicated to Vice’s Motherboard that they were able to easily buy information under several little-known policies.
Norwegian parliament says it was the victim of a cyber attack. Several government officials’ emails were breached, though the country is still investigating the full extent of the damage.
Facebook shut down a swath of groups it says is tied to Russian threat actors who were attempting to spread disinformation. The social media giant says thanks to partnerships with American intelligence agencies, it is catching these groups earlier on in their lifecycle.
New updates are on their way to iOS and Android that officially implement COVID-19 contact-tracing alerts. The features, which will need to be manually enabled by users, will track users’ potential exposure to COVID-19 using Bluetooth.
New Zealand’s government told private companies in the country to brace for a wave of cyber attacks. The warning came after a fifth attack in two weeks on the country’s stock exchange.
Cisco disclosed two serious vulnerabilities in some of its carrier-grade routers. The company said hackers are actively exploiting the bugs in the wild, which could potentially allow adversaries to completely disrupt service.
Top American election security officials say it’ll no longer deliver regular briefings to Congress. The Office of the Director of National Intelligence will instead provide written statements on a somewhat regular basis, which Democrats say is insufficient.
The well-known Evilnum threat actor is now using a Python-scripted trojan as part of its major payloads. The new “PyVil RAT” steals information, keylogs and deploys additional tools to steal login credentials.

Notable recent security issues

Title: Ransomware families LockBit, Maze headline ransomware dominance

Description: Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape over the past quarter, according to a new report. Infections involved a wide variety of malware families including LockBit and Maze, among others. Sixty-six percent of all ransomware attacks this quarter involved the red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. CTIR reports a rise in ransomware actors engage in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.

Snort SIDs: 54910 – 54917 (Protect against the LockBit ransomware)

Title: Emotet starts using new Word lure document

Description: The Emotet botnet continues to evolve, and now uses a Microsoft Word template to spread its malware. Known as “Red Dawn,” the new infection method involves the user downloading a Word file, and then the file prompts them to enable macros to read the document. If enabled, the macros then download Emotet onto the victim’s machine. Emotet spam emails try to entice users with information on COVID-19, financial documents or package tracking.

Snort SIDs: 54900, 54901

Most prevalent malware files this week

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201

SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36

MD5: adad179db8c67696ac24e9e11da2d075

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.7F9446709F-100.SBX.VIOC

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Intelligence Center

Vulnerability Research

Incident Response