Welcome to this week’s edition of the Threat Source newsletter.

The deadline to file taxes in the United States is Monday. That means a few things: everyone should probably make sure their liquor cabinet is fully stocked, your email spam filters are all turned on, and the bad guys are going to crawl out of the woodwork from every crevice of the internet.

As Nick Biasini and I talked about on the latest Talos Takes episode, attackers always use Tax Day as a jumping-off point to launch a barrage of run-of-the-mill scam campaigns. These range from bogus emails asking for personal information and fake tax forms sent in the mail to phone calls warning that the “IRS” will come to your home if you don’t pay the person on the other end of the line immediately.

The COVID-19 pandemic adds another wrinkle to this, because attackers are now also leveraging topics like stimulus payments and unemployment benefits to try and steal users’ money or personal information.

At the end of the day, there is no skeleton key approach to avoiding these scams, because they’re going to come through text messages, phone calls, letters, emails and more. No antivirus program is going to stop your grandmother from believing a man who “sounds so nice” on the other end of a phone call. So it’s all about user education around this time of year. With that said, here are a few reminders that can help you avoid becoming a victim of these tax scams:

  • The IRS will never use email to initiate contact with taxpayers.
  • The IRS cannot, and will not, threaten taxpayers with potential arrest or deportation over alleged unpaid tax bills.
  • If you do have a bill from the IRS, they will likely contact you via physical mail, informing you of your right to contest said bill. They will never demand immediate payment upon first contact with the taxpayer.
  • The IRS does not demand that taxpayers pay their bills with a specific method (i.e., someone insisting you must give a credit card number over the phone) without first mailing out a physical bill.
  • The IRS very rarely calls a taxpayer over the phone or visits your home or workplace (relax, you’re not Bernie Madoff).
  • If you are deaf or hard of hearing, do not inherently trust any calls that come through a video relay service (VRS). VRS services do not screen calls for validity.
  • When in doubt, reach out to the IRS directly via any of the phone numbers listed here. Do not call back a number left in a voicemail or text message by someone claiming to be from the IRS.

The one big thing

Over the past several months, Talos researchers have observed a series of campaigns that leverage a new version of 3LOSH crypter. The threat actor(s) behind these campaigns have been using 3LOSH to generate obfuscated code responsible for infecting victims with various remote access trojans and information stealers. Based on our analysis of the embedded configuration stored within the samples associated with these campaigns, we have identified that the same operator is likely distributing a variety of commodity RATs, such as AsyncRAT and LimeRAT.

Why do I care?

The 3LOSH crypter is under active development and will likely only become more effective over time. For the end user, this means more RAT infections. AsyncRAT can cause all sorts of problems for victims, including infecting their machines with a keylogger and letting the attacker remotely monitor the victim machine. Similarly, LimeRAT can be used in several malicious ways, including downloading other malware families and cryptocurrency miners. It can also force-enable Windows RDP and works around antivirus tools.

So now what?

Organizations should be aware that even commodity malware can take advantage of the complexity and evasiveness offered by crypters to increase its operational effectiveness as adversaries use it to achieve their mission objectives. A layered, defense-in-depth security architecture should be implemented to ensure that organizations maintain the ability to successfully defend against these threats. Talos also released several Snort rules to protect users against the deployment of these RATs and the 3LOSH crypter.

Other newsy nuggets

Ukrainian officials said they successfully fended off a cyber attack from Russian state-sponsored actors targeted at the country’s power grid. If successful, the attack could have turned off power to two million people. Security experts say this is the most sophisticated cyber attack launched since Russia’s invasion of Ukraine, and more are likely on the way. Similar attacks were successful in 2015 and 2016 against the power grid. Experts and officials were quick to blame the Sandworm APT for the attack and their Industroyer malware. (Wired, New York Times)

This week’s Patch Tuesday update led to the disclosure of several major vulnerabilities in Microsoft and Adobe products. For Microsoft, it was the most vulnerabilities in a single monthly security update since September 2020, after several months of relatively light releases. Of particular concern this month is CVE-2022-24521, a privilege escalation vulnerability in the Windows Common Log File System driver that is actively being exploited in the wild. Adobe also released its own round of updates, with patches for 78 software vulnerabilities, many of them considered “critical.” (Talos, Security Week, Krebs on Security)

An international law enforcement effort disrupted the popular RaidForums site, a network mainly used for threat actors to buy and sell victims’ personal information and login details. A message on the site says the domain was seized by the FBI, Secret Service and U.S. Department of Justice. Law enforcement officials in the U.K. also arrested a 21-year-old Portuguese citizen who is the alleged creator and leader of the operation. Department of Justice officials estimate RaidForums was responsible for the sale of more than 10 billion individuals’ information across the globe. (BBC, Ars Technica)

Can’t get enough Talos?

Upcoming events where you can find Talos

RSA 2022 (June 6 – 9, 2022)
San Francisco, California

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada

Most prevalent malware files from Talos telemetry over the past week
