Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Our main focus this week is on Astaroth. This is a malware family that has been targeting Brazil with a variety of lures, including COVID-19-themed documents, for the past nine to 12 months. Astaroth implements a robust series of anti-analysis/evasion techniques, among the most thorough we've seen recently. We have the full rundown of the threat and our protections against it.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Dynamic Data Resolver IDA plugin” at NSEC Online
Location: Streaming on Twitch
Date: May 15
Speakers: Holger Unterbrink
Synopsis: Holger will walk through a recent plugin he developed for IDAPro. The plugin can significantly improve the analyzing time of malware samples. Additionally, I think the plugin architecture and the DynamoRIO features are opening many interesting opportunities for own extensions and use cases.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • The U.S. government is blaming multiple state-sponsored actors for cyber attacks targeting research on potential COVID-19 vaccines. An alert from the FBI says “cyber actors and nontraditional collectors” are targeting intellectual property and public health data.
  • Democrats in Congress are working on legislation to direct the Department of Homeland Security to go after bad actors who are pushing disinformation about the coronavirus pandemic. Some posts and videos on social media have sowed distrust regarding vaccinations and improper treatments for COVID-19.
  • A new bill in Congress would set guidelines for representatives to vote “by proxy” for other members who cannot attend votes in-person. The bill’s introduction came with several FAQs regarding the proposal’s impact on cyber security.
  • The FBI seized an iPhone belonging to a U.S. senator as part of an investigation into their stock trades. Since then, the agency has issued a warrant to Apple to provide information on the senator’s iCloud account.
  • The Department of Homeland Security is working on guidelines for telecommunications companies to protect 5G towers. There’s been an increase in physical attacks on the towers as several conspiracy theories have circulated online regarding 5G’s connection to COVID-19.
  • A hacker went after a website belonging to the state of Ohio where employers can report employees who refuse to work due to the COVID-19 pandemic. After the denial-of-service attack, the state revised its policies on providing unemployment benefits to those who refuse to work during the pandemic.
  • A threat group claims to have sensitive information and non-disclosure agreements on many high-profile celebrities. The hackers say they stole the data from famous English law firm Grubman Shire Meiselas & Sacks.
  • As Apple and Google continue to develop their coronavirus contact-tracing app, many local governments are torn. Local leaders say they are hesitant to use the technology if it tracks and stores users’ locations.
  • Package logistics company Pitney Bowes fell victim to a ransomware attack for the second time this year. The firm says it believes only “limited” data was accessed.
  • Some companies are using tracking software to keep tabs on their employees’ online activities while they work from home. Some software promises to flag employees who are storing sensitive information in unsafe locations.

Notable recent security issues

Title: Microsoft discloses 111 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 111 vulnerabilities. Fifteen of the flaws Microsoft disclosed are considered critical. There are also 95 "important" vulnerabilities and six low- and moderate-severity vulnerabilities each. This month’s security update also covers security issues in a variety of Microsoft services and software, including SharePoint, Media Foundation and the Chakra scripting engine.
Snort SIDs: 53916 - 53919, 53924 - 53933, 53940, 53941, 53950, 53951
Title: Adobe releases fixes for 36 vulnerabilities, 12 of which are critical
Description: Adobe disclosed 36 vulnerabilities this week in Acrobat, Reader and DNG. Twelve of the bugs are considered critical. Specifically, in Acrobat, there are six different vulnerabilities that could allow an adversary to execute arbitrary code on the victim machine. The DNG Software Development Kit also contains four heap overflow issues (CVE-2020-9589, CVE-2020-9590 , CVE-2020-9620, CVE-2020-9621) that can all lead to remote code execution attacks.
Snort SIDs: 53563, 53564, 53485, 53486

Most prevalent malware files this week

SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4
MD5: c6dc7326766f3769575caa3ccab71f63
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos