Gamaredon - When nation states don’t pay all the bills
By Warren Mercer and Vitor Ventura. Update 02/22: The IOC section has been updated * Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in several reports throughout the years. It is extremely aggressive and is us
Masslogger campaigns exfiltrates user credentials
By Vanja Svajcer. News summary * As protection techniques develop, attackers are finding it harder to successfully attack their targets and must find creative ways to succeed. * Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designe
Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows
* The developers of LodaRAT have added Android as a targeted platform. * A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities. * The operators behind LodaRAT tied to a specific campaign targeting Bangladesh, although others h
Interview with a LockBit ransomware operator
By Azim Khodjibaev, Dmytro Korzhevin and Kendall McKay. Ransomware is still highly prevalent in our current threat landscape — it's one of the top threats Cisco Talos Incident Response responds to. One such ransomware family we encounter is called LockBit, a ransomware-as-a-
2020: The year in malware
By Jon Munshaw. Nothing was normal in 2020. Our ideas of working from offices, in-person meetings, hands-on learning and basically everything else was thrown into disarray early in the year. Since then, we defenders have had to adapt. But so have workers around the globe, and th
Quarterly Report: Incident Response trends from Fall 2020
By David Liebenberg and Caitlin Huey. For the sixth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. However, for the first quarter since we began compiling these reports, no engagements that were closed out involved the
Xanthe - Docker aware miner
By Vanja Svajcer and Adam Pridgen, Cisco Incident Command NEWS SUMMARY * Ransomware attacks and big-game hunting making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. * Cisco Talos recently discovered a cryptocur
CRAT wants to plunder your endpoints
* Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. * Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. * One of the plugins is a ransomware known as &
LodaRAT Update: Alive and Well
* During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality. * Multiple new versions of LodaRAT have been spotted being used in the wild. * These new versions of LodaRAT abandoned their previous obfuscation techniques.