Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
The top news this week is, without a doubt, Sea Turtle. Wednesday, we posted our research related to this DNS hijacking campaign that has impacted countries around the world and is going after government agencies, many dealing with national security. You can check out all the details here. This week’s episode of the Beers with Talos podcast also discusses Sea Turtle.
And while it didn’t grab as many headlines, we also wrote this week about HawkEye Reborn, a variant of the HawkEye keylogger. The malware recently changed ownership, and the new actors behind it have since made a sizable push to infect users.
Also, take a look below to find out new information regarding LokiBot.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos
Event: Cisco Connect Salt Lake City
Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
Cyber Security Week in Review
- Law enforcement agencies are increasingly using location data from Google to find crime suspects. A new report says the company scans mobile devices to create a "net" of people who were in the area of a given crime.
- Ecuador says it was targeted by nearly 40 million cyber attacks last weekend after the arrest of WikiLeaks' founder Julian Assange. Assange was being held in Ecuador's embassy.
- Several phony apps on the Google Play store are stealing users' Instagram logins. The apps have been downloaded hundreds of thousands of times and claim to help users boost their number of followers.
- Oracle's latest quarterly security update includes fixes for nearly 300 vulnerabilities. Forty-two of the bugs could be exploited by attackers with no user credentials.
- WhatsApp will soon add a new feature that will allow users to block screen captures of their messages. However, the block applies only on the user's own device, not to the whole conversation, so the other party can still capture messages on their end.
- Cisco patched a critical vulnerability in its ASR 9000 line of routers. The most serious bug carries a severity score of 9.8 out of a possible 10. An attacker could exploit this flaw to launch denial-of-service attacks against the router's owner.
- Attackers may have been able to read users' emails in Hotmail, MSN and Outlook. Microsoft confirmed earlier in the week that some of the company's email services were targeted in a cyber attack. One employee who witnessed the attacks says the attackers were also able to read the contents of some emails.
- The fallout of Julian Assange's arrest continues. Some critics say that the indictment against him could have wide-reaching consequences, especially for journalists who publish classified government information.
Notable recent security issues
Title: Formbook, LokiBot attacks target Middle Eastern energy companies
Description: From mid-February through mid-March, Talos monitored phishing campaigns purporting to be sent from a legitimate domain registered to a large organization in the oil and gas industry. Cisco Talos has since discovered yet another campaign using specially crafted, malicious yet persuasive emails to target a legitimate organization in the oil and gas industry in the Middle East. The campaign deploys malware that exhibits similarities to the data-stealing malware families LokiBot and Formbook. At the end of this newsletter, you’ll find a list of IOCs related to these attacks.
Title: Zero-day in Internet Explorer could be exploited even if user isn’t running web browser
Description: A vulnerability exists in the way Microsoft Internet Explorer handles MHT files. Because Windows opens MHT files in Internet Explorer by default, a victim does not need to be using IE as their web browser to be affected. If a user opens a specially crafted MHT file, an attacker could exfiltrate local files and collect version information about locally installed programs. Once the file is opened, the malicious code can run automatically without any further user interaction.
Snort SIDs: 49799, 49800
Most prevalent malware files this week
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
Typical Filename: max.exe
Claimed Product: 易语言程序 (Chinese: "Easy Language program")
Detection Name: Win.Dropper.Armadillo::1201
SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
Typical Filename: cab.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201
SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
Typical Filename: ups.exe
Claimed Product: TODO: <产品名> (an unfilled placeholder; Chinese: "<product name>")
Detection Name: W32.Variant:XMRig.22fc.1201
SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd
Indicators of compromise
e27d1d4de73d75968cacc3a581e54f71fef372a8661297c59a8d1a8cea60a51d .hta file
FILES REFERRING TO ALKZONOBEL[.]COM
FILES REFERRING TO WEB2PROX[.]COM
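As an added example (not part of the newsletter or Talos tooling), the following Python script shows one way a defender might triage the indicators above: it refangs the defanged domains, matches observed file hashes against the SHA-256 list, and flags DNS or proxy log lines whose host is one of the IOC domains or a subdomain of it. The log lines and the file-content sample are constructed for illustration; the hashes and domains are copied from this newsletter.

```python
"""IOC triage helper for the hashes and domains listed in this newsletter.

Added example, not Talos code. Log lines below are constructed.
"""
import hashlib
import re

# SHA-256 indicators copied from the newsletter (lowercase hex).
IOC_SHA256 = {
    "e27d1d4de73d75968cacc3a581e54f71fef372a8661297c59a8d1a8cea60a51d",  # .hta file
    "3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3",  # qmreportupload.exe
    "8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56",  # max.exe
    "46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044",  # cab.exe
    "790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd",  # ups.exe
    "d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed",  # maftask.zip
}

# Domains exactly as defanged in the newsletter.
IOC_DOMAINS_DEFANGED = ["ALKZONOBEL[.]COM", "WEB2PROX[.]COM"]

# Hostname-like tokens: one or more dotted labels followed by an alphabetic TLD,
# so bare IPv4 addresses and timestamps are not picked up.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def refang(indicator):
    """Convert a defanged indicator back to a matchable, lowercased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def sha256_hex(data):
    """SHA-256 of raw bytes as lowercase hex, for hashing suspect files."""
    return hashlib.sha256(data).hexdigest()


def match_hashes(observed, iocs=IOC_SHA256):
    """Return the observed hashes that appear in the IOC set (case-insensitive)."""
    return {h.lower() for h in observed} & {h.lower() for h in iocs}


def match_domains(log_lines, iocs=IOC_DOMAINS_DEFANGED):
    """Return (line_number, host) pairs for lines contacting an IOC domain.

    Matching is done on the whole host token (exact match or subdomain),
    not by substring, so 'notalkzonobel.com' is not a false positive.
    """
    bad = [refang(d) for d in iocs]
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line.lower()):
            if any(host == d or host.endswith("." + d) for d in bad):
                hits.append((number, host))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2019-04-16 09:12:03 src=10.0.0.5 query=update.microsoft.com type=A",
    "2019-04-16 09:14:41 src=10.0.0.5 query=mail.alkzonobel.com type=A",
    "2019-04-16 09:15:02 src=10.0.0.5 GET http://web2prox.com/gate.php 200",
    "2019-04-16 09:16:20 src=10.0.0.9 query=notalkzonobel.com type=A",
]


if __name__ == "__main__":
    for number, host in match_domains(SAMPLE_LOG):
        print(f"line {number}: contact with IOC domain {host}")
    # Hash a suspect file the same way before comparing against IOC_SHA256.
    sample_hash = sha256_hex(b"constructed sample bytes, not malware")
    print("sample hash matches IOC list:", bool(match_hashes({sample_hash})))
```

Point `sha256_hex` at the bytes of a suspect file and `match_domains` at exported DNS or proxy logs; the domain matcher deliberately compares whole host tokens rather than substrings so that lookalike or unrelated domains that merely contain an IOC string do not raise alerts.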