Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We've all heard about spam coming through your email or those robocalls we all hate. But during the COVID-19 pandemic, attackers are now turning to chat rooms and gaming servers to spread spam. Talos researchers this week unveiled multiple malware campaigns spreading through sites like Discord and Slack, which have become increasingly popular as more and more people work from home.

Beers with Talos is also back this week after going quiet for a few weeks. The show's back with a mailbag episode, where the guys answer your Twitter questions. And they don't waste any time getting to Craig's robot problems.

Cybersecurity week in review

Notable recent security issues

Title: Video game cheats, mods, used to hide malware

Description: Cisco Talos recently discovered a new campaign targeting video game players and other PC modders. Talos detected a new cryptor used in several different malware campaigns, hidden in seemingly legitimate files that users would usually download to install cheat codes or other visual and gameplay modifications (aka "mods") into video games. The cryptor uses Visual Basic 6 along with shellcode and process injection techniques, and it employs several obfuscation techniques that make it difficult to dissect and could pose a challenge for security analysts not familiar with Visual Basic 6. Video game players may opt to download certain cheats or mods to change the way some games are presented, and the adversaries use these gaming and OS modding tools to attach hidden malware and infect their victims.

ClamAV signatures: Win.Trojan.VB6Crypt-9839935-0, Win.Trojan.Elzob-9839938-0, Win.Malware.Amyl6tnk-9839937-0, Win.Packed.Cerbu-9839936-0

Title: Accusoft ImageGear vulnerabilities could lead to code execution

Description: Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF and Microsoft Office. A user could trigger these vulnerabilities by opening an attacker-created, malicious file.

Snort SIDs: 57011 - 57018, 57052, 57053, 57124, 57125

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

SHA 256: bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208
MD5: 84291afce6e5cfd615b1351178d51738
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.