Good afternoon, Talos readers.

Thanks to everyone who joined us live yesterday for our talk on business email compromise. If you missed us live, the recording is up on our YouTube page now. Nick Biasini from Talos Outreach provided some great advice on avoiding business email compromise and detecting these malicious campaigns.

If you want a shorter version of Nick's talk, you can also listen to last week's episode of Talos Takes.

We also have new research out on the Solarmarker information stealer and keylogger. Find out how this threat is growing and how you can defend against it using Cisco Secure products.

Upcoming Talos public engagements

Talos at BlackHat USA 2021

Date: July 31 - Aug. 5

Location: Virtual and Mandalay Bay hotel and resort, Las Vegas, Nevada

Description: Join Talos and Cisco Secure for a series of sponsored talks, mock debates and incident response lessons at this year's hybrid BlackHat conference.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • Security researchers and privacy advocates uncovered a massive effort by international governments to acquire the NSO Group's Pegasus spyware. These regimes reportedly used the software to spy on journalists, activists and other politicians.
  • In the wake of this report, Mexico's government stated two previous administrations spent a combined $61 million on Pegasus. The contracts also included excess payments that may have been used to send kickbacks to government officials.
  • The Pegasus report has many users worried they may be affected. There are many ways to avoid spyware, including avoiding obvious social engineering messages, testing for man-in-the-middle attacks, and use newly released open-source software that checks for spyware.
  • U.S. President Joe Biden signed a new executive order directing federal agencies to create voluntary cybersecurity goals for companies that operate critical infrastructure. The order asks preliminary goals to be put in place by late September, and another set of cross-sector standards by the end of the year.
  • The Death Kitty ransomware is linked to an attack on several South African ports. A string of attacks late last week forced the company operating the ports to declare a force majeure at container terminals start manually processing cargo.
  • Apple released updates to macOS, iPadOS and iOS this week to fix multiple vulnerabilities, including one that attackers were actively exploiting in the wild. The most serious vulnerability could allow an attacker to execute arbitrary code with kernel privileges.
  • Kaseya obtained a decryptor for the recent REvil ransomware attack carried out against many of its users. The company says the key, which it obtained from a "trusted third-party" will allow users to retrieve missing files without paying the ransom.
  • A joint advisory from the U.S. and some of its allies outlined the most-exploited vulnerabilities in 2020 and 2021. So far this year, adversaries are most often targeting vulnerable Microsoft Exchange Servers.

Notable recent security issues

Title: Trickbot trojan re-emerges with a new module for spying

Description: After an attempted takedown attempt, security researchers are seeing increased command and control (C2) traffic around the Trickbot malware. The botnet also has a new version of its “vncDll” module, which is used for monitoring and intelligence gathering. This module appears to be actively updated with bug fixes and additional functionality. Currently, it creates a virtual desktop that mirrors the target’s desktop and steals information by monitoring the screen. Trickbot traditionally downloads new playloads to carry out additional attacks, opens the target’s documents and email and uploads data to the C2.

Snort SIDs: 57948 - 57950

Title: Shlayer malware still using fake Flash updates

Description: Even though Adobe has discontinued support for Flash Player, attackers are still capitalizing on it. Operators behind the Shlayer malware send macOS users fake Flash Player update notifications, hoping to trick users into clicking on malicious links. The malware completes its install when the user downloads the malicious file. Shlayer is a well-known malware that’s been targeting MacOS users for at least three years. Once installed, Shlayer deploys adware on the affected machine and eventually fetches additional payloads, usually also adware.

Snort SIDs: 57919, 57920

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

MD5: 84452e3633c40030e72c9375c8a3cacb

Typical Filename: sqhost.exe

Claimed Product: N/A

Detection Name: W32.Auto:f0a5b257f1.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 302f58da597128551858e8d53229340941457cad6729af0d306ebfa18a683769

MD5: 39e14b83d48ab362c9a5e03f885f5669

Typical Filename: SqlServerWorks.Runner.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.302F58DA59-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.