Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers and welcome to the first Threat Source newsletter of 2021.

We hit the ground running already this year with a new Beers with Talos episode. It was recorded back in 2020, but the lessons regarding ransomware attacks and how actors choose their targets are still very much relevant.

On the written word front, we have a full, technical breakdown of a recent Lokibot strain we’ve seen in the wild. Check out the full post to see how this malware infects a target and what defenders can learn from this.

Upcoming public engagements with Talos

Title: “The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion”

Event: CactusCon

Speakers: Edmund Brumaghin and Nick Biasini

Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.

Cybersecurity week in review

  • A mob of U.S. President Donald Trump’s supporters stormed the U.S. Capitol building Wednesday. There are many factors that fed into this insurrection, but chief among them is misinformation that’s been spreading online for years and riling up Americans with more extreme views.
  • The mob, while being a safety concern for lawmakers and the demonstrators themselves, also presented several cybersecurity concerns. Some lawmakers say computers were stolen from their offices, and there is no way to truly know if any hardware or software was tampered with while the mob had access to the Capitol.
  • Outside of the political spectrum, misinformation and disinformation campaigns are still swirling online regarding the COVID-19 vaccine. There are many false reports, memes and studies circulating that claim the vaccine is unsafe or will cause unwanted side effects as a global vaccination effort gets underway.
  • U.S. President-elect Joe Biden’s incoming National Security Adviser said the recent SolarWinds security breach will be the administration’s top international priority.
  • In the weeks following the initial disclosure of the so-called “SUNBURST” attack, researchers and journalists have discovered that the attack is more widespread than initially thought. The focus on election security this year also may have directed attention away from resources that could have detected this breach earlier.
  • In investigating the SolarWinds campaign, Microsoft said it found some of its source code was stolen. However, the company says there is no immediate security risk.
  • The U.S. formally linked the SUNBURST attack to Russia this week. A joint statement from major American defense agencies said the campaign is believed to be motivated by intelligence gathering.
  • Physical security keys played a major role in election security this year. Campaign managers and security experts say the use of products from Google and Yubikey, among others, helped keep politicians' emails safe.

Notable recent security issues

Title: FBI warns of global Egregor campaign

Description: The FBI issued a warning this week alerting users of a global campaign using the Egregor ransomware. The agency said at least 150 organizations have been targeted worldwide in attacks dating back to September. The attackers used phishing emails with malicious attachments and insecure Remote Desktop Protocol (RDP) or Virtual Private Network connections to initially infect victims. The actors also use tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind for privilege escalation and lateral network movement.

Snort SIDs: 56813, 56814

Title: njRAT actors now using Pastebin for C2

Description: The actors behind the njRAT trojan have changed their tactics to now include Pastebin as their command and control server. Researchers say the site is now being used to download and execute second-stage payloads, doing away with the traditional C2 structure. njRAT, also known as Bladabindi, hijacks victim machines and can take screenshots, exfiltrate data, log keystrokes and shut down certain antivirus programs.

Snort SIDs: 56811, 56812

Most prevalent malware files this week

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6

MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23nh.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30

MD5: 0083bc511149ebc16109025b8b3714d7

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.6FDFCD0510-100.SBX.VIOC

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: santivirusservice.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.