Welcome to this week’s edition of the Threat Source newsletter.

It's everyone’s favorite time of year again and no, I don’t mean the impending holidays. The Snort 2023 calendar is finally here, and y’all, it’s a good one. Packed full of classic memes and punny Snorties, the calendar is sure to delight all year long. The Talos creative team really knocked it out of the park with these original designs. I won’t spoil the whole calendar and reveal too much, but I’ve shared a favorite below...

Want a copy? NEED a copy? Simply fill out our short survey here. Calendars will begin shipping after December 1, 2022. U.S. shipping only, available while supplies last.

The one big thing

Contributed by Chris Neal

This week Cisco Talos has published a blog detailing new variants and versions of LodaRAT, a remote access tool and stealer written in the AutoIt scripting language. Additionally, we identified several instances where LodaRAT was deployed alongside more advanced malware, including RedLine, Neshta and a VenomRAT clone known as S500.

Why do I care?

These new iterations and the pairing with other malware families represent a growth phase for LodaRAT throughout 2022. Many of the variations we observed added functionality to LodaRAT, making it a more capable malware, including one notable variant that copies LodaRAT to all attached removable storage for proliferation. These changes signal that more advanced variants will likely appear in the threat landscape in the future.

So now what?

Cisco Talos will continue its research into LodaRAT and provide coverage for future variants. We have also provided full Snort and ClamAV coverage for all samples observed during this research. As always, Cisco Talos recommends ensuring all products are updated to the most recent version, as well as maintaining a thorough standardized security posture.

Top security headlines of the week

Australia takes an offensive approach after two high-profile cyber-attacks targeting Australian telecommunications company Optus and insurance provider Medibank. Cybersecurity Minister Clare O’Neil has vowed to “hack the hackers” as the country establishes a permanent task force. O’Neil stated, “The joint standing operation will not simply respond to crimes as they affect Australians; they will be hunting these gangs around the world and disrupting the activities of these people.” (itnews)

If you’ve yet to hit it big with Mega Millions, give bug bounties a try. One lucky security researcher found an “accidental” security bug and came away $70,000 richer. Privately reported, the bug allowed anyone to unlock Google Pixel phones without knowing the passcode. Tracked as CVE-2022-20465, the bypass allows users to access the device’s data without ever having to enter the passcode through the lock screen. (TechCrunch)

Consistent with cybersecurity trends this year, education continues to be a top target of ransomware. The education space creates an ideal context for high-impact lures with time pressure built in, such as back-to-school season and student loan deadlines and information. “Impacts have ranged from restricted access to the network, delayed exams, canceled school days, to unauthorized access to personal information regarding students and staff,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, shared during the CISA national summit on K-12 school safety and security. Just prior to the summit, the Center for Internet Security released a report citing sector-wide cyber maturity concerns, with 81% of schools not implementing multi-factor authentication. However, 83% of schools hold cyber insurance, a topic Talos’ own Martin Lee just wrote on. (SC Media)

Can’t get enough Talos?

Upcoming events where you can find Talos

SIS (Security Intelligence Summit), 2022.ON (Nov. 29)
Josun Palace, Seoul

AVAR (Association of Anti-Virus Asia Researchers), 2022.ON (Dec. 1-2)
Carlton Hotel, Singapore

CactusCon (Jan 27-28)
Mesa, AZ

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d
MD5: 26f927fb7560c11e509f0b8a7e787f79
VirusTotal: https://www.virustotal.com/gui/file/1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d/details
Typical Filename: Iris QuickLinks.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Worm.Generic.914973

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details
Typical Filename: Wextract
Claimed Product: N/A
Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details
Typical Filename: LwssPlayer
Claimed Product: N/A
Detection Name: Auto.125E12.241442.in02

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
VirusTotal: https://www.virustotal.com/gui/file/00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
Typical Filename: outlook.exe
Claimed Product: MS Outlook
Detection Name: W32.00AB15B194-95.SBX.TG