Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

With all of us working from home, Beers with Talos episodes are coming out faster than ever. This week, we have an actual episode with security discussions rather than the “Cats” movie, including the importance of split-tunneling.

There are also two Vulnerability Spotlights out alerting users to bugs in 3S CODESYS and Accusoft ImageGear.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Dynamic Data Resolver IDA plugin” at NSEC Online
Location: Streaming on Twitch
Date: May 15
Speakers: Holger Unterbrink
Synopsis: Holger will walk through a recent plugin he developed for IDA Pro. The plugin can significantly improve the analysis time of malware samples. Additionally, I think the plugin architecture and the DynamoRIO features open many interesting opportunities for your own extensions and use cases.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Countries across the globe are starting to launch their COVID-19 contact-tracing apps to help their recovery from the pandemic. A security researcher already discovered a vulnerability in India’s national app that could leak the exact location of users who report a positive diagnosis.
  • A committee in the U.K.’s Parliament also warned the country that its contact-tracing apps lack basic security protocols. Some lawmakers are asking for more promises from the government about how users’ data will be stored and used.
  • Cybercriminals are trying to capitalize on the global pandemic every day, which for some means more income. But other malicious actors have seen their costs to operate rise and their supply lines interrupted.
  • A new bill introduced in Congress would install new rules to prevent the exploitation of children online. This Democrat-backed bill is a direct response to one introduced earlier by Republicans that also promises to protect children but could open the door to the elimination of encryption.
  • Fresenius, the largest private hospital operating in Europe, was recently the victim of a ransomware attack. The organization says the breach has impacted some of its operations but patient care is continuing uninterrupted.
  • Threat actors are rolling out new attack methods to steal American taxpayers’ information and siphon their COVID-19 stimulus checks. This data is also being sold on dark web forums between malicious actors.
  • A new variant of the Dacls remote access trojan is infecting Mac users via a malicious two-factor authentication app. The app seems to mainly target users who speak Chinese.
  • A new ransomware family called “ColdLock” is targeting organizations in Taiwan. The threat appears to target servers and databases, encrypting them until the victim pays an extortion payment.
  • Congressional leaders continue to debate the validity of remote voting as lawmakers debate whether to return to in-person sessions. However, some have raised concerns about vote manipulation and the ability of lawmakers to install and update software securely.

Notable recent security issues

Title: Aggah spam campaign upgrades, finds new ways to avoid detection

Description: A new Aggah campaign pushes malicious Microsoft Office documents (maldocs) via malicious spam (malspam) emails distributing a multi-stage infection to a target user's endpoint. The final payload of the infection consists of a variety of Remote-Access-Tool (RAT) families such as Agent Tesla, njRAT and Nanocore RAT. Consistent with previous Aggah campaigns, this campaign also focuses on the use of pastebin[.]com for all its infrastructure needs. However, this campaign now utilizes multiple Pastebin accounts to host different stages of the attack.

Snort SIDs: 53745 - 53748

Title: Microsoft warns of Remcos campaign using COVID-19-themed lures

Description: A series of Remcos campaigns launched across the globe are using COVID-19-themed lure files to infect users. Microsoft says attackers are using specially crafted disk image files that contain malware, targeting major government agencies such as the U.S. Small Business Administration and manufacturing companies in South Korea. The phishing emails use subject lines related to the COVID-19 pandemic to trick users into opening the emails.

Snort SIDs: 53793 – 53796

Most prevalent malware files this week

SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4
MD5: c6dc7326766f3769575caa3ccab71f63
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos