Welcome to this week’s edition of the Threat Source newsletter.

I’m covering for Jon this week whilst he takes some well-deserved holiday. What’s on my mind this week? Well, apart from a new horror film that I just read about called “Slotherhouse” where the killer is, um, a sloth (I predict nothing but a masterpiece), there are a couple of things on my mind relating to open-source.

Firstly, on the bad actor side of things, we’re seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SapphireStealer”, which you can read about below.

When I spoke to Cisco Talos’ Head of Outreach, Nick Biasini, about the biggest trends of 2023 so far, he called out how attackers are increasingly using malicious open-source tooling. This has been a large part of the reason we are seeing a continuous fracturing of the ransomware and extortion landscape, as threat actors find what they need online, adapt these tools to suit their needs, and in many cases add on anti-detection mechanisms.

Speaking of 2023 trends, I just uploaded a new playlist of one- to two-minute videos featuring Nick’s thoughts and explanations on some of the biggest threats we’ve seen so far this year, including the evolution of ransomware, the rise in commercial spyware, and supply chain attacks. Check out the playlist. As a preview, here's Nick talking about the evolution of ransomware in 2023:

On the flip side, open-source is of course one of the most important ways in which security defenders can learn, upskill, and share their findings with the community. That’s one of the reasons why Talos creates and releases open-source software, for free.

Just in case you don’t know about our open-source tools, which have been developed by some of the smartest brains on the planet, you should check them out. We have around 27 tools which are available to download on our website at talosintelligence.com/software and on GitHub. The latest and greatest of these is the NIM-IDA-FLIRT Generator tool.

Oh, I just read that “Slotherhouse” will not only feature a killer sloth, but that the sloth is called Alpha and its weapon of choice is a samurai sword. One ticket please.

The one big thing

SapphireStealer, an open-source information stealer, has been increasingly observed across public malware repositories since its initial release in December 2022. SapphireStealer is an example of a new type of information stealer, which is mostly designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information.

While infostealers have been around for a very long time, Talos has recently seen an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces.

Why do I care?

As is often the case following the release of a new open-source malware codebase, threat actors acted quickly and began to experiment. Some threat actors have even extended SapphireStealer to support added functionality, and used other tooling to make the detection of SapphireStealer infections more difficult (again, another increasing trend that we’re seeing across the threat landscape). Infostealers remain a popular choice for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information to adversaries.

So now what?

A comprehensive blog written by Edmund Brumaghin covers the background behind SapphireStealer and our research on the tool, including a case study where we saw multiple failures on the part of the threat actor to maintain sound operational security. The blog includes Snort SIDs and indicators of compromise.

Top security headlines of the week

  • Operation “Duck Hunt” proactively removes Qakbot malware from 700,000 infected machines. In one of the largest operations of its kind, federal law enforcement took decisive action against one of the most widely used and longstanding botnets. According to the U.S. Department of Justice, these efforts resulted in Qakbot being “neutralized” from hundreds of thousands of devices. According to TechCrunch, “The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims”. (Dark Reading, TechCrunch)
  • What’s in a name? Strange behaviors at top-level domains create uncertainty in DNS. When Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, it ignited a firestorm of controversy as security organizations warned against the confusion that was certain to occur. Talos researcher Jaeson Schultz recently wrote about the consequences of Google’s decision, including how, in the worst-case scenario, confusion over whether a given name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients. (Talos blog)
  • OpenAI rolls out a business edition of ChatGPT, promising “enterprise-grade security”. OpenAI says it is making a commitment not to use client-specific prompts and data in the training of its models. SecurityWeek writes that “the security-centric features of the new ChatGPT Enterprise are meant to address ongoing business concerns about the protection of intellectual property and the integrity of sensitive corporate data when using LLM (large language model) algorithms.” (SecurityWeek)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having fully working spyware targeting iOS and Android with one-click zero-day exploits.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week
