Cisco Talos Blog

June 22, 2020 13:40

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

By Asheer Malhotra. * Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. * These maldocs use malicious macros to deliver a multist

June 15, 2020 10:55

Quarterly report: Incident Response trends in Summer 2020

By David Liebenberg and Caitlin Huey. For the fourth quarter in a row, Ryuk dominated the threat landscape in incident response. As we mentioned in last quarter’s report, Ryuk has shifted from relying on commodity trojans to using living-off-the-land tools. This has led to a dec

June 11, 2020 14:53

Tor2Mine is up to their old tricks — and adds a few new ones

By Kendall McKay and Joe Marshall. Threat summary * Cisco Talos has identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was likely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more money, includ

May 19, 2020 13:00

The wolf is back...

By Warren Mercer, Paul Rascagneres and Vitor Ventura. News summary * Thai Android devices and users are being targeted by a modified version of DenDroid we are calling "WolfRAT," now targeting messaging apps like WhatsApp, Facebook Messenger and Line. * We assess w

April 13, 2020 11:03

Quarterly Report: Incident Response trends in Spring 2020

By David Liebenberg. Cisco Talos Incident Response (CTIR) engagements continue to be dominated by ransomware and commodity trojans. As alluded to in last quarter’s report, ransomware actors have begun threatening to release sensitive information from victims as a means of further

February 5, 2020 13:12

Quarterly Report: Incident Response trends in fall 2019

By David Liebenberg and Kendall McKay. While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we’re seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive da

November 20, 2019 11:00

Cryptominers, ransomware among top malware in IR engagements in Q4

By David Liebenberg and Kendall McKay. This summer’s most popular malware families were common and used in unsophisticated attacks, with phishing being the top infection vector, according to Cisco Talos Incident Response (CTIR) data. In addition to threat actors repeatedly deplo

May 30, 2019 10:19

10 years of virtual dynamite: A high-level retrospective of ATM malware

ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states.

May 20, 2019 11:00

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

By Danny Adamitis, David Maynor, and Kendall McKay. Cisco Talos assesses with moderate confidence that a campaign we recently discovered called "BlackWater" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indica