Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We are excited to finally share this LockBit research paper with you all after months of work. Some of our researchers spoke to a ransomware operator, which provided us insight into a threat actor’s day-to-day goals and tactics.

The paper includes information on how the attacker chooses its targets and why it’s easier for the attacker to operate in some countries than others.

Upcoming public engagements with Talos

Title: “The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion”

Event: CactusCon

Date: Feb. 6 - 7

Speakers: Edmund Brumaghin and Nick Biasini

Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • A joint effort by American and European law enforcement agencies led to the takedown of the Emotet botnet. The joint effort dismantled the infamous threat by taking over C2 domains and redirecting that traffic.
  • Facebook is working on a notification that will prompt users to opt into personalized ads as Apple works on a change to its privacy settings. A future version of iOS will allow users to restrict what types of information apps collect on them.
  • A separate state-sponsored actor may have exploited a different SolarWinds vulnerability than the one already disclosed. The attackers may have breached the U.S. Department of Agriculture.
  • Fewer ransomware victims are opting to pay the requested extortion payments in return for access to their locked files. But this has driven up the price of the ransom requests actors are making.
  • The popular WallStreetBets forum on Reddit was flooded with bots this week looking to capitalize on its recent rise of fame. The subreddit is at the center of the recent rise in GameStop stock, and bots were hoping to capitalize by convincing users to invest in other stocks.
  • Last month’s riot on the U.S. Capitol showed how accessible facial recognition technology has become. Average internet users have been able to identify several participants and report them to law enforcement.
  • A county in South Carolina is still reeling weeks after a cyber attack. Officials from the local government say it could be days before the court system and treasurer’s office are back to normal operations.
  • Cryptocurrency scams are on the rise on Discord. The popular chatting platform has seen private servers targeted by promises of free virtual currency, pointing users to malicious links.
  • A new version of the Agent Tesla trojan adds new delivery and evasion techniques. Security researchers say the malware is targeting Microsoft Anti-Malware Software Interface to bypass detection.

Notable recent security issues

Title: Campaign involving SolarWinds could extend to other software

Description: U.S. officials say a suspected state-sponsored attack on U.S. government agencies and companies may have further-reaching consequences than just SolarWinds products. A new report states that the attackers linked to the SolarWinds breach may have exploited other vulnerabilities to gain an initial foothold on victims’ networks other than the ones already disclosed in SolarWinds products. The effects of this campaign are potentially staggering, and officials and security researchers are still unpacking the attack. Victims reportedly include government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports also indicate that the U.S. Treasury and Commerce departments were also targeted in what is likely related to the same activity.

Snort SIDs: 56660 - 56668

AMP: Trojan.Sunburst.[A-Z], Trojan.Teardrop.[A-Z]

ClamAV: Win.Countermeasure.Sunburst-9816012-0, Win.Countermeasure.Sunburst-9809153-0, Win.Countermeasure.Sunburst-9816013-0, Win.Countermeasure.Sunburst-9809152-0, Win.Dropper.Teardrop-9808996-3, PUA.Tool.Countermeasure.DropperRaw64TEARDROP-9808998-0

Title: LockBit ransomware operator provides insight into targets, vulnerabilities exploited

Description: Cisco Talos recently spent several weeks speaking to an operator associated with the LockBit ransomware. The actor’s TTPs they disclose are yet another reminder for all organizations to remain vigilant about these seemingly unsophisticated, common cybercriminals who, despite their straightforward approach to targeting and operations, continue to be highly successful in compromising companies and wreaking havoc on unsuspecting victims. Other findings include that many cybercriminals rely almost exclusively on common open-source tools that are readily available on the internet and easy to use and they rely solely on victims who have unpatched environments.

Snort SIDs: 54910-54917

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4

MD5: 176e303bd1072273689db542a7379ea9

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.24cl.1201

SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6

MD5: 6a7401614945f66f1c64c6c845a60325

Typical Filename: pmropn.exe

Claimed Product: PremierOpinion

Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: santivirusservice.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name:  PUA.Win.Dropper.Segurazo::tpd

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.