Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Are you heading to Vegas next week for Hacker Summer Camp? Talos will. We’ll be at Black Hat and DEFCON holding a series of talks, taking resumes, answering questions and hosting a number of challenges. Check out our talk lineup for Black Hat here and a rundown of our activities at DEFCON here.

Everyone on the internet has seen the ads on web pages that suck you in with enticing headlines, too-good-to-be-true sales or highly specific offers. But many times, these ads can lead to malware. We took a deep dive into adware to talk about a slew of recent campaigns we’ve seen that have targeted some of the most popular sites on the web.

If you work with Snort rules at all, you have to check out our new Re2PCAP tool, which allows you to generate a PCAP file in seconds just from a raw HTTP request or response.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos Event: "DNS on Fire" at Black Hat USA
Location: Mandalay Bay, Las Vegs, Nevada
Date: Aug. 7
Speaker: Warren Mercer
Synopsis: In this talk, Warren will go over two recent malicious threat actors targeting DNS protocol along with the methodology used to target victims, timeline, and technical details. The first is a piece of malware, "DNSpionage," targeting government agencies in the Middle East and an airline. The second actor, more advanced and aggressive than the previous one, is behind the campaign we named “Sea Turtle.”
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • Capital One was hit with a data breach that affected more than 100 million customers. Information stolen included names, addresses, ZIP codes, credit scores, credit limits, contact information and more.
  • The person behind the breach is a former Amazon Web Services employee who made little attempt to hide after the attack. She even went as far to boast about the data she had stolen in a Slack room.
  • The Federal Trade Commission warned consumers that Equifax will not be able to meet the $125 per person payout it promised as part of a settlement over a 2016 data breach. More consumers requested the payment than expected, and only $31 million of the total $700 million settlement was set aside for cash payments.
  • The latest Google Chrome update automatically blocks Adobe Flash Player and makes it harder for sites to detect Incognito mode. The new Incognito feature will make it possible for users to bypass paywalls on many sites, which had developed scripts to detect the secret browsing mode.
  • Honda Motor Co. left an ElasticSearch database containing critical information about its global systems exposed. The server included information on which devices aren’t up to date or protected by security solutions, as well as approximately 134 million documents.
  • Democratic lawmakers are going after Senate Majority Leader Mitch McConnell for sitting on election security bills. FBI head Christopher Wray and former special counsel Robert Mueller recently testified to Congress that Russia will likely attempt to disrupt the 2020 presidential election.
  • The cyber threats posed to the oil and gas industry are “high and rising.” A new report also states that these companies are at “high risk” for a cyber attack that could lead to potential loss of life.
  • Apple patched five vulnerabilities in iMessage that could allow an attacker to read iPhone users’ messages without their interaction. One of the bugs could only be fixed by completely restoring the device to factory settings.
  • A new Android malware is being spread through malicious Reddit posts. The ransomware attempts to spread to the contacts on victims’ phones and then encrypting all files on a device.

Notable recent security issuesTitle: New coverage available for Godlua malware
Description: Attackers recently targeted Linux and Windows machines with respective versions of the Godlua malware. The backdoor secures its communication via DNS over HTTPS. The attackers primarily use Godlua as a distributed denial-of-service bot, even launching an HTTP flood attack against one domain.
Snort SIDs: 50808 - 50811 (Written by Kristen Houser)
 Title: New protection rolled out for Microsoft vulnerability exploited in the wild
Description: The OceanLotus APT recently launched a new malware known as "Ratsnif," which comes in four different variant forms. These rules fire when Ratsnif attempts to make an outbound connection to a command and control (C2) server, or if the malware attempts to download any files. Ratsnif remained undetected after its C2 went online back in August 2018, though researchers believe it’s low level of infection kept it under the radar.
Snort SIDs: 50800 - 50802 (Written by Kristen Houser)

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe  
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
 SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6  
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename: r2
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos  
 SHA 256: 2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a  
MD5: cc0f21a356dfa1b7ebeb904ce80d9ddf
Typical Filename: f1cf1595f0a6ca785e7e511fe0df7bc756e8d66d.xls
Claimed Product: Microsoft Excel
Detection Name: W32.2F4E7DBA21-100.SBX.TG    
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG  
 SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A  
Detection Name: W32.46B241E3D3-95.SBX.TG