Welcome to this week’s edition of the Threat Source newsletter.

By now, anyone on the internet has pondered the question: “Is a hot dog a sandwich?” (My two cents: Yes, absolutely.)

Now as we move into the new internet age and onto Web 3.0 and NFTs instead of classic memes, I’ve had another question stuck in my head: “Is Fortnite the Metaverse?”

This came up again for me last week as we published new research into Web 3.0 and the Metaverse, examining what potential security pitfalls lie ahead, and how attackers are already using the Metaverse to spread spam and malware.

My first introduction to the Metaverse was actually through video games and my dad asking me if he should mint his original artwork as an NFT without getting sued by Disney. I first started hearing about NFTs on various video game podcasts that I listen to, because every video game company was putting out some vague statement about how they were “looking into” getting into NFTs and the Metaverse because that’s what investors wanted to hear at the time.

“Fortnite” was way ahead of EA and Ubisoft, though. The third-person shooter-turned-free-to-play-battle-royale became its own Metaverse a few years ago already by hosting virtual concerts, becoming a platform for presidential campaigns and bringing together pretty much any IP you could think of into the same game.

Other video game developers and publishers have wanted to get in on the action now, too, as Jaeson Schultz and I talked about in last week’s Talos Takes episode. And it only took a few weeks for them to start backpedaling as consumers expressed concerns over the potential for scams on the metaverse and the environmental concerns associated with NFTs.

Fortnite’s push into the metaverse has slowed down slightly recently, especially with the return of in-person concerts and friendly hangouts: players don’t necessarily need a virtual environment anymore to visit with their friends or see Ariana Grande perform. And at the end of the day, Fortnite’s focus is still on being a video game.

This trend around video game companies in the Metaverse reminds me of the fervor around virtual reality in 2012-13 when the first consumer VR headsets were released. At the time, there was speculation that everything would become VR in a few years, and it’d be the best way to play video games. Yet these headsets only ended up being adopted by a small portion of the population, and VR is only used in highly specific cases, such as training for surgeons.

So even though games like Fortnite and Roblox may have their own Metaverses, I’m not sure that means good news for the broader “Metaverse.” Just because it’s worked for Fortnite doesn’t mean “Assassin’s Creed” fans want to bid against one another for a one-of-a-kind sword they can also bring into “Far Cry 10” come 2026. Let’s just hope the bad guys don’t start disguising malicious cryptominers as Fortnite cheats.

The one big thing

The Transparent Tribe actor just won’t go away. We’ve been following this threat actor for more than a year now as it targets the Indian subcontinent. Most recently, we’re seeing the group add new tools to its arsenal to again target Indian government agencies and users, including a previously unknown Python-based stager that leads to the deployment of .NET-based reconnaissance tools and RATs.

This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent Tribe tactic.

Why do I care? 

For now, it’s clear that this actor is focused on targeting users in Asia, specifically India. So, if you’re reading this from that region, it goes without saying that you should be keeping an eye out for this threat actor and making sure you have mitigations in place, like Snort rules and ClamAV signatures, to block their malware and infection tools.

Even outside of that region, this is a threat actor to watch — there’s no guarantee that their targeting won’t expand over time to include more of the globe. We’ve been watching this actor since March 2021, and since then they’ve added new RATs, malware for specific operating systems and new methods of spoofing high-profile government organizations.  

So now what? 

The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants. They have continued the use of fake domains masquerading as government and quasi-government entities, as well as the use of generically themed content-hosting domains to host malware. To avoid that trap, type in the domain of the organization you’re looking to visit rather than clicking on any embedded links or images. Our blog post also has a new list of IP addresses and domains to block. 

Organizations should remain vigilant against this actor, as they are likely to proliferate in the future. Defense-in-depth strategies based on a risk analysis approach can deliver the best results in prevention. However, this should always be complemented by a good incident response plan that has not only been tested with tabletop exercises, but also reviewed and improved every time it's put to the test on real engagements.

Other newsy nuggets

Despite several arrests of alleged members of the Lapsus$ ransomware group, the threat actor continues to leak data and claim several successful ransomware attacks. The group posted on its website that it was “back from vacation” and showed a screenshot that allegedly showed access to the systems of software developer Globant. The screengrab potentially indicates other larger companies are affected as part of the Globant breach, including Apple. Researchers believe the leader of Lapsus$ is a 16-year-old British male who works with other teenagers. (BBC, VentureBeat, Krebs on Security)

Some of the U.S.’ most critical sectors are on high alert after U.S. President Joe Biden’s warning last week that Russian state-sponsored actors could launch cyber attacks against American networks. The FBI warned defenders in a recent alert that attackers had scanned the computer networks of at least five U.S. energy groups. Financial systems, water delivery networks and health care are all also on high alert following that warning. Some private companies are feeling ill-equipped to handle the threat, especially smaller public utilities that don’t have a large security team or budget. (Bloomberg, Politico)

As the war in Ukraine continues to shift, cyber attacks continue against the country aiming to disrupt its critical infrastructure. State-sponsored actors appeared to attack Ukraine’s state-run telecommunications company and internet provider, forcing some users offline earlier this week. A large satellite network that supports Ukraine also was hit with a cyber attack, disrupting thousands of broadband internet users across Europe. The attack against Viasat happened early on in Russia’s invasion of Ukraine but was only recently publicly disclosed. (ABC News, Reuters)

Can’t get enough Talos?

Upcoming events where you can find Talos

RSA 2022 (June 6 – 9, 2022)
San Francisco, California

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
MD5: 4c9a8e82a41a41323d941391767f63f7  
Typical Filename: !!mreader.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Generic::sheath

SHA 256: 5516d898970854dbab9e3a49aced96186f3e748a56ed2f7cd7809447b7dd5c1a  
MD5: 814358af9c54b6eb66333cd117f38423
Typical Filename: USPSSIBDSJDSS.zip  
Claimed Product: N/A
Detection Name: Win.Dropper.Upatre::hw

SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97
MD5: 258e7698054fc8eaf934c7e03fc96e9e  
Typical Filename: samsungfrp2021.exe  
Claimed Product: N/A  
Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

SHA 256: dc6a484441c59a75fe586ea789a9637921b33dc86e3ac5b57fdb376c9f6e5d7e
MD5: 94e1b019cc2720b7e33a94c2f643216f  
Typical Filename: 2012f643216f_1.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Generic::90.tpd2.ret.sbx.tg
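One practical way to use a list like the one above is to turn it into a local hash blocklist and sweep a directory against it. The script below is an added example written for this newsletter edition, not a Talos tool: it parses the five entries exactly as printed above, indexes them by SHA-256 and MD5, and hashes files on disk to look for matches. The record layout it parses (the "SHA 256:", "MD5:", "Typical Filename:", "Claimed Product:" and "Detection Name:" labels) is taken from the list itself; the function names and the MD5-as-lower-confidence policy are my own choices.

```python
"""Match files on disk against the hash entries printed in the newsletter's
"Most prevalent malware files" list. Added example, not Talos tooling."""
import hashlib
import re
import sys
from pathlib import Path

# Copied verbatim from the newsletter's list above (five records, blank-line separated).
IOC_TEXT = """
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
Typical Filename: !!mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath

SHA 256: 5516d898970854dbab9e3a49aced96186f3e748a56ed2f7cd7809447b7dd5c1a
MD5: 814358af9c54b6eb66333cd117f38423
Typical Filename: USPSSIBDSJDSS.zip
Claimed Product: N/A
Detection Name: Win.Dropper.Upatre::hw

SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97
MD5: 258e7698054fc8eaf934c7e03fc96e9e
Typical Filename: samsungfrp2021.exe
Claimed Product: N/A
Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

SHA 256: dc6a484441c59a75fe586ea789a9637921b33dc86e3ac5b57fdb376c9f6e5d7e
MD5: 94e1b019cc2720b7e33a94c2f643216f
Typical Filename: 2012f643216f_1.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::90.tpd2.ret.sbx.tg
"""

# One "Label: value" line; the label set is the one used in the newsletter list.
FIELD_RE = re.compile(r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*?)\s*$")


def parse_iocs(text):
    """Split the list into records (dicts keyed sha256/md5/typicalfilename/...)."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                       # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).replace(" ", "").lower()   # "SHA 256" -> "sha256"
            current[key] = m.group(2)
    if current:
        records.append(current)
    return records


def build_index(records):
    """Map (algorithm, lowercase hex digest) -> record for O(1) lookups."""
    index = {}
    for rec in records:
        for algo in ("sha256", "md5"):
            if algo in rec:
                index[(algo, rec[algo].lower())] = rec
    return index


def digests_of_bytes(data):
    """Return (sha256_hex, md5_hex) for an in-memory byte string."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 and MD5 in one pass (large files stay off the heap)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def match_digests(index, sha256=None, md5=None):
    """Return the matching record or None. SHA-256 wins; an MD5-only hit is still
    reported, but MD5 is collision-prone, so treat it as a lower-confidence signal."""
    if sha256 and ("sha256", sha256.lower()) in index:
        return index[("sha256", sha256.lower())]
    if md5 and ("md5", md5.lower()) in index:
        return index[("md5", md5.lower())]
    return None


def scan_directory(root, index):
    """Hash every regular file under root; return [(path, detection name), ...]."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            sha256, md5 = hash_file(path)
            rec = match_digests(index, sha256, md5)
            if rec:
                hits.append((str(path), rec["detectionname"]))
    return hits


if __name__ == "__main__":
    idx = build_index(parse_iocs(IOC_TEXT))
    for hit_path, name in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", idx):
        print(f"{hit_path}: {name}")
```

Run it as `python sweep.py /path/to/quarantine` and it prints one line per file whose digest appears in the list. A hash match only tells you a file is byte-identical to a known sample, so this is a quick triage check for dropped files and mail attachments, not a replacement for the Snort rules and ClamAV signatures mentioned earlier, which also catch variants the hashes will miss.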