Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Beers with Talos chugs on during quarantine with the latest episode of “The In-Between.” Once again, the hosts talk about everything but security, answering listener questions from Twitter.

The most pressing threat we have this week is WolfRAT, a variant of the DenDroid Android malware. WolfRAT is attempting to exploit users on different messaging apps like Facebook Messenger, WhatsApp and Line — specifically, users in Thailand.

And if you’re really ready to get into security nitty-gritty, we have a deep dive on a vulnerability some Cisco researchers recently discovered that leave cars with on-board computers open to attack.

Upcoming public engagements

Event: Cisco Live U.S.
Location: Streaming online
Date: June 2 - 3
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Hackers used a never-before-seen backdoor to infect several online multiplayer video games. In one case, the adversaries stole in-game virtual currency, and another led to victims being infected with additional malware.
  • A group of malicious actors may be overwhelming states' unemployment websites with fraudulent claims. There have been reports of adversaries brute-forcing these sites with stolen data to attempt to claim unemployment benefits during the COVID-19 pandemic.
  • A Swiss airline recently suffered a data breach, exposing 9 million customers' information. The company says it has no evidence that this information has been used maliciously yet.
  • Ukrainian officials arrested the actor behind a major data leak in 2019. The "Collection#1" data dump disclosed 773 million email addresses.
  • Several so-called "malware testing services" offer malicious actors quality assurance for their campaigns. These groups attempt to eliminate vulnerabilities that security researchers may use to reverse-engineering the malware or develop detection.
  • A group of U.S. senators are pushing for all calls between all members of Congress to be encrypted. As more lawmakers work and vote remotely, the group is asking for the Senate to develop an encryption plan by June 12.
  • Hundreds of Israeli websites were hit with the same cyber attackthis week, with adversaries posting anti-Israel materials. The sites were defaced with videos of many major Israeli cities burning, along with an additional warning.
  • An existing Android malware has changed its tactics to be themed around COVID-19. Once infected, the malware can steal users' contacts and SMS messages.
  • France is defending its government-developed COVID-tracing app, saying that all the data it keeps will be centralized and protected. Countries across Europe are struggling balancing privacy with tracking the pandemic as private companies and governments develop their own solution.
  • An online cyber security school is gaining traction in the U.K., with free classes encouraging teenagers to enter the field. And interest is expected to rise as summer camps and other in-person activities are being canceled due to the pandemic.

Notable recent security issues

Title: Researchers believe Gh0st RAT played large role in Asian spying campaign
Description: A joint analysis from two security firms found that malicious actors in Asia are using the Gh0st RAT backdoor to conduct espionage campaigns across Asia. The targets allegedly include a government agency, a telecommunications company and a gas company. The RAT allows the adversaries to take screenshots, execute console commands and exfiltrate data to a command and control (C2) server.
Snort SIDs: 53961, 53962
 Title: DenDroid variant goes after Android users in Thailand
Description: Thai Android devices and users are being targeted by a modified version of DenDroid researchers at Cisco Talos are calling "WolfRAT," that is looking to exploit messaging apps like WhatsApp, Facebook Messenger and Line. Talos assesses with high confidence that this modified version is operated by the infamous Wolf Research. This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being instanced, unstable packages and unsecured panels.
Snort SIDs: 54004

Most prevalent malware files this week

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: JPMorganChase Instructions SMG 82749206.pdf
Claimed Product: N/A
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos