Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers and welcome to the first Threat Source newsletter of 2021.
We hit the ground running already this year with a new Beers with Talos episode. It was recorded back in 2020, but the lessons regarding ransomware attacks and how actors choose their targets are still very much relevant.
On the written word front, we have a full, technical breakdown of a recent Lokibot strain we’ve seen in the wild. Check out the full post to see how this malware infects a target and what defenders can learn from this.
Upcoming public engagements with Talos
Speakers: Edmund Brumaghin and Nick Biasini
Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.
Cybersecurity week in review
- A mob of U.S. President Donald Trump’s supporters stormed the U.S. Capitol building Wednesday. There are many factors that fed into this insurrection, but chief among them is misinformation that’s been spreading online for years and riling up Americans with more extreme views.
- The mob, while a safety concern for lawmakers and the demonstrators themselves, also raised several cybersecurity concerns. Some lawmakers say computers were stolen from their offices, and there is no way to truly know whether any hardware or software was tampered with while the mob had access to the Capitol.
- Outside of the political spectrum, misinformation and disinformation campaigns are still swirling online regarding the COVID-19 vaccine. There are many false reports, memes and studies circulating that claim the vaccine is unsafe or will cause unwanted side effects as a global vaccination effort gets underway.
- U.S. President-elect Joe Biden’s incoming National Security Adviser said the recent SolarWinds security breach will be the administration’s top international priority.
- In the weeks following the initial disclosure of the so-called “SUNBURST” attack, researchers and journalists have found that the campaign is more widespread than initially thought. The focus on election security in 2020 also may have diverted attention and resources that could have detected the breach earlier.
- While investigating the SolarWinds campaign, Microsoft said it found that the attackers had accessed some of its internal source code. However, the company says this poses no immediate security risk.
- The U.S. formally attributed the SUNBURST campaign to Russia this week. A joint statement from the FBI, CISA, ODNI and NSA said the campaign is believed to be an intelligence-gathering effort.
- Physical security keys played a major role in election security this cycle. Campaign managers and security experts say the use of hardware keys from Google and Yubico, among others, helped keep politicians' email accounts safe.
Notable recent security issues
Description: The FBI issued a warning this week alerting users to a global campaign using the Egregor ransomware. The agency said at least 150 organizations have been targeted worldwide in attacks dating back to September. The attackers gained initial access through phishing emails with malicious attachments and through insecure Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) access. The actors also use tools such as Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind for privilege escalation and lateral movement across the network.
Snort SIDs: 56813, 56814
Description: The actors behind the njRAT trojan have changed their tactics and now use Pastebin as their command and control (C2) infrastructure. Researchers say the site is used to host and deliver second-stage payloads that the malware downloads and executes, replacing a dedicated C2 server. njRAT, also known as Bladabindi, hijacks victim machines and can take screenshots, exfiltrate data, log keystrokes and shut down certain antivirus programs.
Snort SIDs: 56811, 56812
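The Pastebin-staging pattern above is worth hunting for beyond a single signature: a host that fetches raw paste content from something other than a browser is the observable a defender can check in web proxy logs. The script below is an added example written for this newsletter entry, not Talos or njRAT code; the proxy log format (timestamp, source IP, method, URL, quoted User-Agent), the field names and the sample log lines are all constructed assumptions, and the browser-marker heuristic is a deliberately simple stand-in for whatever user-agent baseline a given environment has.

```python
"""
Added example (not Talos code): flag hosts that fetch raw Pastebin content
from non-browser processes, the staging behaviour described for njRAT.
Log format, field names and log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp src_ip method url "user-agent"
SAMPLE_LOG = """\
2021-01-07T10:01:02Z 10.0.0.12 GET https://www.google.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
2021-01-07T10:01:09Z 10.0.0.12 GET https://pastebin.com/raw/AbCd1234 "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
2021-01-07T10:02:15Z 10.0.0.44 GET https://pastebin.com/raw/ZyXw9876 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2021-01-07T10:02:16Z 10.0.0.44 GET https://pastebin.com/raw/ZyXw9876 ""
2021-01-07T10:05:40Z 10.0.0.44 GET https://pastebin.com/raw/Qq11Ww22 "python-requests/2.25.1"
2021-01-07T10:06:00Z 10.0.0.80 GET https://pastebin.com/u/someuser "Mozilla/5.0 (Windows NT 10.0) Firefox/84.0"
"""

# One log record: four space-separated fields followed by a quoted User-Agent.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
PASTE_HOSTS = {"pastebin.com", "www.pastebin.com"}
# Substrings a real, current browser UA carries (assumed baseline for the example).
# Empty UAs and legacy WinInet-style "MSIE 6.0" strings, as used by many
# downloader stubs, do not match and are treated as non-browser.
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")


def parse_line(line):
    """Return a dict for one proxy log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua}


def is_raw_paste(url):
    """True for the raw-content endpoint, which is what a downloader fetches."""
    p = urlparse(url)
    return p.hostname in PASTE_HOSTS and p.path.startswith("/raw/")


def looks_like_browser(ua):
    return any(marker in ua for marker in BROWSER_MARKERS)


def find_suspects(log_text):
    """Return {src_ip: [paste ids]} for raw-paste fetches with a non-browser UA."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_raw_paste(rec["url"]):
            continue
        if looks_like_browser(rec["ua"]):
            continue  # a person opening a paste link; low priority here
        paste_id = urlparse(rec["url"]).path.rsplit("/", 1)[-1]
        hits[rec["src"]].append(paste_id)
    return dict(hits)


if __name__ == "__main__":
    for src, pastes in find_suspects(SAMPLE_LOG).items():
        print(f"{src}: raw paste fetches from non-browser UA -> {pastes}")
```

On the constructed log, 10.0.0.44 is the only host reported: its three raw fetches come with a legacy MSIE string, an empty UA and python-requests, while the browser fetch from 10.0.0.12 and the profile-page visit from 10.0.0.80 are ignored. The paste IDs collected per host are the next pivot, since the same ID showing up on several hosts points at shared staging rather than coincidence.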
Most prevalent malware files this week
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23nh.1201
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.6FDFCD0510-100.SBX.VIOC
Typical Filename: santivirusservice.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.