Good afternoon, Talos readers.

In the latest example of attackers trying to capitalize on current headlines, we've spotted a group using the recent fervor around the Pegasus spyware to spread malware.

We've detailed a campaign in which the attackers have copied (nearly perfectly) Amnesty International's website and is advertising a tool to sniff out the spyware and remove it. The problem is, there is no such software, and instead, it just downloads a RAT on your device.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at

Upcoming Talos public engagements

Snort 3 and Me: The rule writers speak

Date: Oct. 5, 11 a.m. ET

Location: Virtual

Description: In the latest entry into the Snort 3 and Me webinar series, Talos analysts will join us to discuss the ins and outs of Snort rules.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

National Cybersecurity Awareness Month with Cisco Talos Incident Response

Speaker: Brad Garnett

Date: Oct. 18 at 9:30 a.m. ET

Location: Livestream on all Talos social media accounts

Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general management, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at

Cybersecurity week in review

  • Microsoft added new features to Exchange Server that mitigate several high-profile vulnerabilities disclosed earlier this year. Attackers may have exploited a set of ProxyLogon vulnerabilities for months, and these mitigations should protect users until admins are able to apply a formal patch.
  • Google released an emergency update for its Chrome web browser after researchers discovered the 11th zero-day vulnerability in the software this year. The use-after-free vulnerability, identified as CVE-2021-37973, is still being kept relatively secret as to not tip off attackers while users can patch.
  • A new letter to Congress revealed that the U.S. National Security Agency and other federal agencies urge their employees to use ad blockers on web browsers. The NSA stated that “seemingly innocuous online advertisements” can infect users with malware that can “steal, modify or wipe sensitive government data, or record conversations by remotely enabling a computer’s built-in microphone.”
  • A British payroll company was forced offline last week after a cyber attack, leaving some contractors unpaid. The company had to disable its network, integrated IT infrastructure, phone and email systems.
  • The U.S. Senate is considering legislation that would require critical infrastructure to report any cyber attacks to the federal government. The bill would also create a new Cyber-Incident Review Office within the Cybersecurity and Infrastructure Security Agency.
  • The Port of Houston, one of the largest shipping hubs in the U.S., fought off a cyber attack last month. State-sponsored actors reportedly tried to exploit ManageEngine ADSelfService Plus, a password management program.
  • Proof-of-concept code for a brute-force vulnerability in Microsoft Azure Active Directory is now available in the wild. Microsoft has called the mechanism that contains the vulnerability a design choice, though it allows anyone to perform username enumeration and password brute-forcing.
  • YouTube is cracking down on vaccine disinformation, banning several high-profile accounts this week. The site says it will remove any videos that claim vaccines do not reduce transmission rates or contain content that includes false information on the actual makeup of vaccines.

Notable recent security issues

Operation: ArmorPiercer hits Indian subcontinent

Cisco Talos recently discovered a malicious campaign we’re calling “Operation: ArmorPiercer” targeting government employees and military personnel in the Indian subcontinent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents and archives (RARs, ZIPs) containing loaders for the RATs. This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim's networks to deploy additional plugins and modules.

Snort SIDs: 58115 - 58119

Proof-of-concept code in the wild for remote code execution vulnerability in VMWare vCenter

A remote code execution vulnerability for VMWare vCenter is circulating on the internet and actively being exploited in the wild. CVE-2021-22005 can allow an attacker to open a reverse shell on a vulnerable server, allowing them to remotely execute arbitrary code. VCenter is a server virtualization management platform that allows users to manage VMs and containers. Working proof-of-concept code became available online Tuesday, Sept. 28. VMWare disclosed this vulnerability and patched it last week. This vulnerability is considered critical, with a CVSS severity score of 9.8 out of a possible 10.

Snort SIDs: 58217 - 58219

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5

Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c

MD5: 04c1f4395f80a3890aa8b12ebc2b4855

Typical Filename: zReXhNb

Claimed Product: N/A

Detection Name: Auto.FAD16599A8.241842.in07.Talos

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

Typical Filename: SqlBase.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.