Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

While ransomware has made all the headlines this year, that doesn’t mean cryptocurrency miners are going anywhere. We recently discovered a new actor we’re calling “Xanthe” that’s mining Monero on targets’ machines. The main payload, in this case, is a variant of the XMRig Monero-mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.

We’ll also have a string of Beers with Talos episodes to round out the year (hopefully one new one a week). This week, the guys discuss QR codes and whether we should still care about them, and how they could potentially aid in the robots’ uprising against Craig.

Cyber security week in review

  • The FBI released a warning this week that attackers are taking advantage of email forwarding rules to skirt by email sensors and send spam emails. Adversaries hope by inserting themselves in legitimate email threads, they’re more likely to be successful.
  • Home Depot settled with more than 40 states over a 2014 data breach. The company will pay out $17.5 million and agreed to implement several new security measures.
  • The Aspen Cybersecurity Group released a report outlining several key areas in which the incoming Biden administration can improve the U.S.’ cyber security posture. The report recommends specific actions President-elect Joe Biden could take along with Congress.
  • The Supreme Court is hearing arguments in a case that could change the U.S.’ broadest anti-hacking law. Some cyber security researchers say the law could be used to punish them for conducting basic internet research.
  • State-sponsored actors from North Korea have targeted at least six pharmaceutical companies across the globe this year. A new report indicates that organizations in the U.S., the U.K. and South Korea working on COVID-19 vaccines have been the targets of cyber attacks recently.
  • Adversaries have also started to target companies in charge of distributing future COVID-19 vaccines. IBM’s cyber security division says it’s unclear whether the actors are motivated by stealing technology or disrupting delivery operations.
  • Schools in Baltimore County, Maryland shut down remote learning for several days after a ransomware attack. Government officials there said no school-issued laptops to students were affected.
  • A Google security researcher recently discovered a major exploit that could take over iPhones by sending a massive Wi-Fi packet. The exploit, which Apple has patched, could also quickly spread to other nearby devices.
  • A new campaign utilizes phony Google Drive links to attempt to get users to open malicious web pages. Attackers have found a way to generate the messages in a way that they appear to be directly from Google.

Notable recent security issues

Title: Xanthe miner goes after Docker-based targets

Description: Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats. The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password. Two additional bash scripts terminate security services, removing competitor's botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.

OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/packs/linux_malware.conf

ClamAV: Unix.Coinminer.Xanthe-9791859-0, Unix.Coinminer.Xanthe-9791860-0, Unix.Coinminer.Xanthe-9791861-0

Title: WebKit fixes use-after-free, code execution vulnerabilities

Description: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. A malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page on a browser utilizing WebKit. WebKit is utilized mainly in Apple’s Safari web browser, but is also utilized by some PlayStation consoles and all iOS web browsers.

Snort SIDs: 55844, 55845, 56126, 56127, 56379 - 56382

Most prevalent malware files this week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: vid001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360

MD5: 7e0bc1c01f44c7a663d82e4aff71ee6c

Typical Filename: dfsvc.exe

Claimed Product: N/A

Detection Name: Auto.586D6B.232349.in02

SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584

MD5: 920823d1c5cb5ce57a7c69c42b60959c

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23mj.1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.