Thursday, April 8, 2021

Threat Source Newsletter (April 8, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We've all heard about spam coming through your email or those robocalls we all hate. But during the COVID-19 pandemic, attackers are now turning to chat rooms and gaming servers to spread spam. Talos researchers this week unveiled multiple malware campaigns spreading through sites like Discord and Slack, which have become increasingly popular while more and more people work from home.

Beers with Talos is also back this week after going quiet for a few weeks. The show's back with a mailbag episode, where the guys answer your Twitter questions. And they don't waste any time getting to Craig's robot problems.


Cybersecurity week in review

Notable recent security issues


Description: Cisco Talos recently discovered a new campaign targeting video game players and other PC modders. Talos detected a new cryptor used in several different malware campaigns, hidden in seemingly legitimate files that users would usually download to install cheat codes into video games or other visual and game modifications (aka "mods"). The cryptor uses Visual Basic 6 along with shellcode and process injection techniques. It employs several obfuscation techniques that make it difficult to dissect and could pose a challenge for security analysts not familiar with Visual Basic 6. Video game players may opt to download such cheats or mods to change the way some games are presented, and the adversaries use these gaming and OS modding tools to attach hidden malware and infect their victims.
ClamAV signatures: Win.Trojan.VB6Crypt-9839935-0, Win.Trojan.Elzob-9839938-0, Win.Malware.Amyl6tnk-9839937-0, Win.Packed.Cerbu-9839936-0

Title: Accusoft ImageGear vulnerabilities could lead to code execution
Description: Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats, such as DICOM, PDF and Microsoft Office. A user could trigger these vulnerabilities by opening an attacker-created malicious file.
Snort SIDs: 57011 - 57018, 57052, 57053, 57124, 57125

Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

MD5: 96f8e4e2d643568cf242ff40d537cd85
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

MD5: 84291afce6e5cfd615b1351178d51738
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.
