The second annual Cisco Talos Year in Review draws on a massive amount of threat data to analyze the major trends that shaped the threat landscape in 2023.

Tuesday, December 5, 2023 18:25

The 2023 Cisco Talos Year in Review is now available to download. 

Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics and approaches of many threat actors. In operations ranging from espionage to cybercrime, we’ve seen geopolitical events have a significant impact on the way these are carried out.

At the beginning of the Year in Review is a “Top Trends” section comprised of regional trends over time and the influence of geopolitical events, the CVEs attackers exploited most often, spam tactics, and the top MITRE ATT&CK techniques that have been used within attacks.  The report then deep dives on four topics:  

The evolution of ransomware and extortion. The concerning rate of attacks against network infrastructure devices. The activities of advanced persistent threat (APT) actors in China, Russia, and the Middle East. This section also includes the major threats our Ukraine Task Unit dealt with this year. The shifting activities and impact of commodity loaders. 

Cisco’s global presence and Talos’ world-class expertise provided a massive amount of data to research — endpoint detections, incident response engagements, network traffic, email corpus, sandboxes, honeypots and much more. Thankfully, our teammates include subject matter experts from all ends of the cybersecurity space to help us turn this intelligence into actionable information for defenders and users.  

So, what is the main story of the 2023 Year in Review? Despite the accelerated pace of many threat actor campaigns and the geopolitical events that shaped them, the defensive community’s diligence, inventiveness and collaborative efforts are helping to push adversaries back.  

Download the Cisco Talos Year in Review today, and please share it with your colleagues and communities. This report was written by defenders, for defenders, and we hope it proves a useful and insightful resource for you. 

For more Year in Review content, visit the 2023 Year in Review landing page.

The malware, attacker trends and more that shaped the threat landscape in 2023

Project PowerUp is the story of how Cisco Talos worked with a multi-national, multi-company coalition of volunteers and experts to help “keep the lights on” in Ukraine, by injecting a measure of stability in Ukraine’s power transmission grid.

Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare

Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

*   Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” 
*   We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. 
*   We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code.
*   We observed two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.
*   In one infection chain, the actor leverages the DynamixWrapperX tool to enable Windows API function calls in malicious JavaScript for running the shellcode.
*   Talos assesses with low confidence that a Chinese-speaking threat actor is operating this campaign based on the artifacts we found in the attack samples.

**Suspected Chinese Actor targeting Uzbekistan and South Korea**

Talos discovered four samples deployed in this campaign that are likely targeting users in Uzbekistan and South Korea based on the language of the decoy documents, the lure content, and distribution indicators Talos found in the wild. 

One of the samples is sent to users in the Ministry of Foreign Affairs of Uzbekistan. The sample is an archive embedded with a Windows ShortCut LNK file which, upon opening, drops the decoy document “Investment project details.docx'' with Uzbek content about a presidential decree in Uzbekistan focused on enhancing state administration in technical regulation. The lure content of the decoy document was published in multiple Uzbekistan sources in 2021. The initial vector of the campaign is likely a phishing email with an attached malicious RAR archive file sent to an employee of the Ministry of Foreign Affairs.  

Decoy document in Uzbek language.

Besides Uzbekistan, we also observed indications of targets in South Korea. We found three other decoy documents written in Korean dropped by the malicious JavaScript file embedded in the Windows Shortcut, seemingly distributed in South Korea. The decoy document named “Account.pdf” was forged as a Microsoft account security notification for confirming an account registration with a generated password. Another decoy named “MakerDAO MKR approaches highest since August.docx'' uses the copied content from 코인데스크코리아 (CoinDesk Korea, a Korean news outlet that covers the blockchain). The third decoy document, named “Equipment\_Repair\_Guide.docx,” has the lure information with instructions for computer maintenance in an organization. To reinforce our assessment of South Korean targets, we also observed C2 domain requests from IPs originating from South Korea. 

The decoy documents found in the samples collected by Talos.

During our analysis, we observed a couple of artifacts that suggested the actor might be Chinese-speaking. Two of the decoy files we found have the “last modified by” names shown as “浅唱丶低吟” (Sing lightly, croon) and “琴玖辞” (seems to be the name of a Chinese novel author), which are both Simplified Chinese. 

The author and last editor’s information on decoy documents.

Besides the decoy document metadata, the actor prefers using SugarGh0st, a Gh0st RAT variant. The Gh0st RAT malware is a mainstay in the Chinese threat actors’ arsenal and has been active since at least 2008. Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad. 

**SugarGh0st is a new Gh0st RAT variant**

Talos discovered a RAT that we call SugarGh0st delivered as a payload in this campaign. Talos assesses with high confidence that SugarGh0st is a customized variant of the Gh0st RAT. Gh0st RAT was developed by a Chinese group called 红狼小组 (C.Rufus Security Team), and its source code was publicly released in 2008. The public release of the source code has made it easy for threat actors to get access to it and tailor it to fulfill their malicious intentions. There are several variants of Gh0st RAT in the threat landscape, and it remains a preferred tool for many Chinese-speaking actors, allowing them to conduct surveillance and espionage attacks.

Compared with the original Gh0st malware, SugarGh0st is equipped with some customized features in its reconnaissance capability in looking for specific Open Database Connectivity (ODBC) registry keys, loading library files with specific file extensions and function name, customized commands to facilitate the remote administration tasks directed by the C2, and to evade earlier detections. The C2 communication protocol is also modified. The first eight bytes of the network packet header are reserved as magic bytes versus the first five in the earlier Gh0st RAT variants. The remaining features, including taking full remote control of the infected machine, providing real-time and offline keylogging, hooks to the webcam of an infected machine, and downloading and running other arbitrary binaries on the infected host are aligned with the features of earlier Gh0st RAT variants. 

**A multi-stage infection chain **

Talos discovered two different infection chains employed by the threat actor to target the victims in this campaign. One of the infection chains decrypts and executes the SugarGh0st RAT payload, the customized variant of the Gh0st RAT. Another infection chain leverages the DynamicWrapperX loader to inject and run the shellcode that decrypts and executes SugarGh0st. 

**Infection Chain No. 1**

The first infection chain starts with a malicious RAR file containing a Windows Shortcut file with a double extension. When a victim opens the shortcut file, it runs a command to drop and execute an embedded JavaScript file. The JavaScript eventually drops a decoy, an encrypted SugarGh0st payload, DLL loader and batch script. Then, the JavaScript executes the batch script to run the dropped DLL loader by sideloading it with a copied rundll32. The DLL loader will decrypt the encrypted SugarGh0st payload in memory and run it reflectively. 

**Shortcut file embedded with malicious JavaScript dropper**

The Windows shortcut file discovered in this attack is embedded with JavaScript and has command line arguments to drop and execute it. Upon the victim opening the LNK file, the command line argument of the LNK file runs to locate and load the JavaScript with the string start of “var onm=” which is the beginning of the JavaScript dropper and drops the JavaScript into the %temp% location. After that, the dropped JavaScript is executed using the living-off-the-land binary (LoLBin) cscript. 

Sample of malicious LNK file.

**JavaScript dropper **

The JavaScript dropper is a heavily obfuscated script embedded with base64 encoded data of the other components of the attack. The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document. It first opens the decoy document to masquerade as legitimate action, then copies the legitimate rundll32 executable from the “Windows\\SysWow64” folder into the %TEMP% folder. Finally, it executes the batch script loader from the %TEMP% location and runs the customized DLL loader. The JavaScript deleted itself from the file system afterward. 

The JavaScript dropper.

**Batch script loader**

The batch script, in this instance, is named “ctfmon.bat” and has the commands to run the dropped customized DLL loader. When executed, it sideloads the DLL loader with rundll32.exe and executes the function which is DllUnregisterServer, typically used by COM (Component Object Model) DLLs.

The batch script loader.

**DLL Loader decrypts and reflectively loads the SugarGh0st payload**

The customized DLL loader named “MSADOCG.DLL” (name of the DLL associated with Microsoft's ActiveX Data Objects (ADO) technology) is a 32-bit DLL written in C++ and implemented as a COM object component. The loader includes packed code that is unpacked with custom unpacking code. When the DLL is run, it unpacks the code to read the dropped encrypted SugarGh0st payload file named “DPLAY.LIB '' from the %TEMP% location, decrypts it and runs it in the memory. 

Stub code to unpack code.

Function to load the encrypted payload.

**Infection chain No. 2**

Similar to the first infection chain, this attack also starts with a RAR archive file containing a malicious Windows Shortcut file forged as the decoy document. The Windows shortcut file, by executing the embedded commands, drops the JavaScript dropper file into the %TEMP% location and executes it with cscript. The JavaScript in this attack drops a decoy document, a legitimate DynamicWrapperX DLL, and the encrypted SugarGh0st. The JavaScript uses the legitimate DLL to enable running the embedded shellcode for running the SugarGh0st payload. 

**JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st**

The JavaScript used in this infection chain is also heavily obfuscated and is embedded with base64-encoded data of other components of the attack, including a shellcode. When the JavaScript is executed, it drops an encrypted SugarGh0st, a DLL called “libeay32.dll” and the decoy document. The JavaScript opens the decoy document and copies Wscript.exe to the %TEMP% folder as dllhost.exe. It runs the dropped JavaScript again using the dllhost.exe and creates a registry subkey called “CTFMON.exe” in the Run registry key to establish persistence. 

Registry Key

HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Subkey

CTFMON.exe

Value

“cmd /c start C:\\Users\\user\\AppData\\Local\\Temp\\dllhost.exe C:\\Users\\user\\AppData\\Local\\Temp\\~204158968.js”

The file “libeay32.dll” is a tool called DynamicWrapperX (originally named “dynwrapx.dll”) developed by Yuri Popov. This tool is an ActiveX component that enables Windows API function calls in scripts (JScript, VBScript, etc.). The attacker can use this to run shellcode via the JavaScript dropper. But, they must first run regsvr.exe to install the component. 

C:\\Windows\\system32\\regsvr32 /i /s C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\libeay32.dll

The DynamicWrapperX DLL registers its member functions in the victim’s machine by creating a registry subkey CLSID with the value “89565275-A714-4a43-912E-978B935EDCCC” in Software\\Classes\\DynamicWrapperX registry key. The JavaScript containing the ActiveX components executes the embedded shellcode using the DynamixWrapperX DLL. 

The shellcode has the API hashes and instructions to load and map to the functions necessary for process injection from Kernel32.dll. It also loads two other DLLs, User32.dll and shlwapi.dll. Then, it loads the encrypted SugarGh0st “libeay32.lib” from the %TEMP% location, decrypts it, and reflectively loads it into the memory space allocated in the dllhost.exe process. 

Shellcode that loads and decrypts the encrypted SugarGh0st. 

**Analysis of SugarGh0st   **

The SugarGh0st sample analyzed by Cisco Talos is a 32-bit dynamic link library in C++ compiled on Aug. 23, 2023. During its initial execution, SugarGh0st creates a mutex on the victim’s machine using the hard-coded C2 domain as an infection marker and starts the keylogging function. The keylogger module creates a folder “WinRAR'' in the location %Program Files% and writes the keylogger file “WinLog.txt.” 

The Keylogging function of SugarGh0st.

SugarGh0st uses “WSAStartup” functions, a hardcoded C2 domain and port to establish the connection to the C2 server. Talos discovered two C2 domains, login\[.\]drive-google-com\[.\]tk and account\[.\]drive-google-com\[.\]tk, used by the threat actor in this campaign.

The C2 communication function of SugarGh0st.

After launching, SugarGh0st attempts to establish the connection to C2 every 10 seconds. If successful, the first outgoing packet always consists of the same eight bytes “0x000011A40100” as a heartbeat. After the heartbeat is successfully sent, SugarGh0st sends the buffer data, which includes the following:

*   Computer name
*   Operating system version 
*   Root and other drive information of victim machine
*   Registry key “HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H” if exist
*   Campaign codes 1 (Month and Year) and code 2 (in our samples are “default”)
*   Windows version number
*   Root drive’s volume serial number

A sample packet that was sent by SugarGh0st to C2.

SugarGh0st is a fully functional backdoor that can execute most remote control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell.

The Reverse shell function.

SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. 

It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services.

Function to operate services.

SugarGh0st can take screenshots of the victim machine’s current desktop and switch to multiple windows. It can access the victim’s machine camera to capture the screen and compress the captured data before sending it to the C2 server. SugarGh0st can perform various file operations, including searching, copying, moving and deleting the files on the victim’s machine.

It also clears the machine’s Application, Security and System event logs to hide the malicious operations logged to evade detection. 

Function to clean event logs.

SugarGh0st performs the remote control functionalities, including those discussed earlier, as directed by the C2 server with the four-byte hex commands and accompanying data. 

**Command**

**Action**

0x20000001

Adjust process privilege to “SeShutdownPrivilege” and force shut down the host.

0x20000002

Adjust process privilege to “SeShutdownPrivilege” and force reboot the host.

0x20000003

Adjust process privilege to “SeShutdownPrivilege” and force terminate the processes.

0x20000004

Clear event log

0x20000005

Create register key HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H

0x20000011

Press a key in the default window 

0x20000012

Release a key in the default window 

0x20000013

Set mouse cursor position

0x20000014

Click mouse left button

0x20000015

Release mouse left button

0x20000016

Double click the mouse left button

0x20000017

Click mouse right button

0x20000018

Release mouse right button

0x20000019

Double click the mouse left button

0x21000002

Get the logical drive information of the victim's machine. 

  

0x21000003

Search files on the victims machine filesystem

0x21000004

Delete files on the victim's machine file system

0x21000005

Moves files to the %TEMP% location 

0x21000006

Runs arbitrary shell commands

0x21000007

Copies files on the victim machine 

0x21000008

Move files on the victim's machine

0x21000009

Sends files to the C2 server 

0x2100000A

Sends the data to the windows socket

0x2100000B

Receives files from the C2 server

0x22000001

Sends the screenshot to the C2 server

0x24000001

Read file %ProgramFiles%/WinRAR/~temp.dat (which is encoded with XOR 0x62)

0x24000002

Delete file %ProgramFiles%/WinRAR/~temp.dat

0x23000000

Provides the reverse shell access to the C2 server 

0x25000000

Gets the process information and terminates the process 

0x25000001

Enumerate process information

0x25000002

Terminate Process

0x25000003

Access the victims machine service manager 

0x25000004

Access the configuration files of the running services

0x25000005

Starting service

0x25000006

Terminating and deleting the services. 

0x25000010

Performs the Windows operations

0x25000011

Get window list

0x25000012

Get message from Window

0x28000000

Capture window and perform a series of Window operations based on the command with SendMessage API.

0x28000002

Find a . OLE file under “%PROGRAMFILES%\\\\Common Files\\\\DESIGNER'' and launch

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat is 62647.

ClamAV detections available for this threat:

Win.Trojan.SugarGh0stRAT-10014937-0

Win.Tool.DynamicWrapperX-10014938-0

Txt.Loader.SugarGh0st\_Bat-10014939-0

Win.Trojan.SugarGh0stRAT-10014940-0

Lnk.Dropper.SugarGh0stRAT-10014941-0

Js.Trojan.SugarGh0stRAT-10014942-1

Win.Loader.Ramnit-10014943-1

Win.Backdoor.SugarGh0stRAT-10014944-0

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links:

*   SugarGh0st RAT file detected
*   SugarGh0st RAT Registry key 

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

New SugarGh0st RAT targets Uzbekistan government and South Korea

Many organizations are curious about the idea of threat hunting, but what does this really entail? In this video, four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about searching for the unknown.

Tuesday, November 28, 2023 08:00

Many organizations are curious about the idea of threat hunting, but what does this really entail?  

What should you be hunting for? And what do you need to put in place to threat hunt properly? 

Four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about “searching for the unknown.” In this video, we cover: 

*   The core principles of threat hunting. 
*   What are attackers looking for? And therefore, what should defenders be putting in place? 
*   Stories and experiences of threat hunting. 
*   How to approach failure.  

Talos Incident Response can help organizations review specific areas of your network and its systems for indicators of potential compromise. Threat hunting is hypothesis-driven and backed by the most current threat intelligence available from Talos. 

If you are interested in how Talos Incident Response can help you with your threat hunting goals, or even help you plan a compromise assessment, take a look at the various services our team can help you with.

What is threat hunting?

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution.

Wednesday, November 22, 2023 12:00

Cisco Talos’ Vulnerability Research team recently worked with Adobe and Microsoft to patch multiple vulnerabilities in the Acrobat and Excel software, respectively, that could lead to arbitrary code execution. 

Talos also disclosed six vulnerabilities in the Weston Embedded µC-HTTP HTTP server implementation, some of which could also lead to code execution. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Adobe Acrobat Reader use-after-free vulnerabilities **

_Discovered by Jaewon Min and Aleksandar Nikolic of Cisco Talos._ 

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution. Acrobat is one of the most popular PDF readers currently available, especially in the U.S., and many browsers utilize an Acrobat plugin. This means an attacker could trick a user into opening a specially crafted, malicious file in the browser as a file or tricking them into opening it in the desktop application. 

a TALOS-2023-1794 (CVE-2023-44336) exists in the Thermometer JavaScript object in Acrobat Reader. An attacker who exploits this vulnerability could use specially crafted JavaScript code to cause a use-after-free vulnerability, which can lead to memory corruption and arbitrary code execution. 

TALOS-2023-1842 (CVE-2023-44372) works in the same way, but in this case, the vulnerability affects the page event processing in Acrobat Reader. 

**Arbitrary code execution vulnerability in Microsoft Excel **

_Discovered by Marcin “Icewall” Noga of Cisco Talos._ 

Talos discovered a vulnerability in Microsoft Office Professional Plus 2019 (specifically the spreadsheet creation software Excel) that could lead to arbitrary code execution. 

Microsoft patched this vulnerability, CVE-2023-36041 (TALOS-2023-1835), as part of its monthly security update earlier this month. 

This use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel and could allow an attacker to execute remote code on the targeted machine. An adversary would need to trick the targeted user into opening a specially crafted Excel spreadsheet to exploit this vulnerability. 

**6 vulnerabilities in open-source embedded operating system **

_Discovered by Kelly Patterson of Cisco Talos._ 

Cisco Talos recently discovered multiple vulnerabilities in Weston Embedded µC-HTTP, the open-source embedded HTTP server and client module for µC/TCP-IP. µC/TCP-IP is an embedded operating system first developed by Micrium, and is now maintained by Weston Embedded Solutions. 

TALOS-2023-1732 (CVE-2023-28391), TALOS-2023-1738 (CVE-2023-28379) and TALOS-2023-1746 (CVE-2023-31247) are memory corruption vulnerabilities that could lead to arbitrary code execution on the targeted device. An adversary could exploit these vulnerabilities by sending a specially crafted packet. There are various mitigation options for these issues, as outlined in Talos’ advisories, that can prevent the exploitation of these vulnerabilities. 

TALOS-2023-1726 (CVE-2023-25181) and TALOS-2023-1733 (CVE-2023-27882) both also lead to code execution, but in these cases, are caused by buffer overflows in the operating system triggered by a specially crafted packet. 

There is also TALOS-2023-1725 (CVE-2023-24585), an out-of-bounds write vulnerability that could lead to memory corruption. This vulnerability occurs when parsing the method of an HTTP request and could lead to heap corruption.

Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution

Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations.

A deep dive into Phobos ransomware, recently deployed by 8Base group

Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants

Friday, November 17, 2023 08:01

*   Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019.
*   We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. 
*   The affiliates use similar TTPs to deploy Phobos and commonly target high-value servers, likely to pressure victims into paying the ransom. 
*   We assess with moderate confidence that the Phobos ransomware is closely managed by a central authority, as there is only one private key capable of decryption for all campaigns we observed.
*   There are also indications that Phobos may be sold as a ransomware-as-a-service (RaaS). We discovered hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base, which is commonly seen among RaaS affiliates.

**Identifying the most prolific Phobos variants**

Phobos ransomware is an evolution of the Dharma/Crysis ransomware and, since it was first observed in 2019, has undergone only minimal developments despite its popularity among cybercriminal groups. This is a continuation of our analysis on Phobos ransomware, previously addressed in a blog on the ransomware group 8Base.

Talos identified five of the most prolific variants of the Phobos ransomware family, based on the volume of samples in VirusTotal. We examined several variations in the malware builder’s configuration settings, as this was the only distinguishing feature among the samples analyzed. The samples all contained the same source code and were configured to avoid encrypting files that other Phobos affiliated already locked, but the configuration changed slightly depending on the variant being deployed. 

For example, a Phobos sample deployed by the 8Base ransomware group contained a list of other Phobos variants that should not be encrypted, as seen below. A common trend for this configuration entry among all samples is that the group behind that specific sample had their name added to the beginning of the list.

__List of file extensions to be ignored by the encryption loop with names of previous campaigns.__

Once we extracted the samples’ configuration settings and identified the Phobos variant, Talos determined the most active Phobos affiliates by matching the most commonly observed variants with the unique IDs associated with each Phobos ransomware campaign. 

*   Eking: Active since at least 2019, usually targets users in the Asia-Pacific region.
*   Eight: Believed to be an older campaign run by the same group running 8Base now.
*   Elbie: Also seen targeting users in the APAC region and active since 2022.
*   Devos: Although this group has been active since 2019, not much has been written about it in terms of victimology or TTPs.
*   Faust: Another variant active since 2022 that does not target specific industries or regions.

The only differences between the samples of each variant are generally the contact email addresses used in the file extension for encrypted files, and the ransom note embedded in one of the settings, with all other settings being the same. The file extension used in all Phobos variants we analyzed follows the same template as the example shown below, where <<ID>> is replaced by the victim’s machine drive serial number. The next number is an identifier for the current campaign, then an email used to contact the ransomware actors is listed, and finally, the extension representing the variant is appended.

.id[<>-3253].[musonn@airmail[.]cc].eking

We defanged the email address for readers’ security, but the remaining square brackets are part of the actual extension used in all variants.

These variants have used hundreds of different contact emails over the past few years, as we can see in the graph below:

__Count of contact emails in use by each Phobos variant over the period of this research.__

These emails are generally created using free or secure email providers, shown below:

__Most common email providers in use for Phobos ransomware.__

In some cases, we have also seen affiliates using instant messaging services such as ICQ, Jabber and QQ to support their operations. The graph below illustrates the different providers chosen by the actors for each variant:

Devos

Eight

Elbie

Eking

Faust

email\[.\]tg

gmx\[.\]com

tutanota\[.\]com

tutanota\[.\]com

gmx\[.\]com

cock\[.\]li

aol\[.\]com

onionmail\[.\]org

airmail\[.\]cc

tutanota\[.\]com

protonmail\[.\]com

protonmail\[.\]com

tuta\[.\]io

aol\[.\]com

onionmail\[.\]org

libertymail\[.\]net

tutanota\[.\]com

techmail\[.\]info

firemail\[.\]cc

waifu\[.\]club

qq\[.\]com

onionmail\[.\]org

cock\[.\]li

tuta\[.\]io

tuta\[.\]io

pressmail\[.\]ch

cock\[.\]li

privatemail\[.\]com

protonmail\[.\]com

gmail\[.\]com

medmail\[.\]ch

keemail\[.\]me

gmail\[.\]com

cock\[.\]li

airmail\[.\]cc

tutanota\[.\]com

mailfence\[.\]com

yandex\[.\]ru

criptext\[.\]com

mailfence\[.\]com

cumallover\[.\]me

zohomail\[.\]eu

msgsafe\[.\]io

ctemplar\[.\]com

xmpp\[.\]jp

airmail\[.\]cc

zohomail\[.\]com

cyberfear\[.\]com

gmx\[.\]com

zohomail\[.\]eu

countermail\[.\]com

ICQ@HONESTHORSE

aol\[.\]com

techmail\[.\]info

cock\[.\]li

mailfence\[.\]com

ICQ@VIRTUALHORSE

  

msgsafe\[.\]io

zohomail\[.\]com

mail\[.\]fr

  

  

  

lenta\[.\]ru

  

  

  

  

proton\[.\]me

  

  

  

  

privatemail\[.\]com

We observed Devos affiliates using QQ\[.\]com, a Chinese instant message application, and eight affiliates using ICQ, an instant message service currently owned by a Russian company. We also saw the use of service providers that are considered to be more secure than others, like Proton Mail. This diversity of providers further supports our assessment that Phobos has a dispersed affiliate base and may be operating as a RaaS. 

Because of the varied use of the email service providers listed above, and the sheer number of different contact emails in use for each variant, Talos assesses with moderate confidence that multiple threat actors are behind each of these variants instead of a single threat actor moving to different providers to avoid being banned.

**Observed tactics, techniques and procedures in Phobos intrusions**

In early 2023, Talos observed an intrusion associated with the “Elbie” variant of Phobos. In this attack, the threat actor targeted the organization’s exchange server and then moved laterally, attempting to compromise additional server-side infrastructure including backup servers, database servers and hypervisor hosts. Rather than attempting to deploy the ransomware to a large number of systems concurrently, the attackers appeared to focus on specific infrastructure and attempted to deploy the ransomware on each system individually. We believe this is because Phobos affiliates usually go after high-value servers in the victim’s network as a way to increase the damage and chance of a payout.

After gaining initial access to the organization’s exchange server, the attackers created a working directory in the compromised user’s Desktop directory and attempted to drop various tools including, but not limited to:

*   Process Hacker: A process visualization tool which also contains a kernel mode driver used by malicious actors sometimes to delete files, services and kill processes.
*   Automim: This toolkit enables automated credential collection on compromised hosts and includes the LaZagne and Mimikatz utilities.
*   IObit File Unlocker: A tool used to remove a lock on files open by other applications, used by malicious actors to increase the chance of encrypting files like databases, open documents and similar files that are usually kept open.
*   Nirsoft Password Recovery Toolkit: A toolkit used to extract passwords for common applications like browsers and email clients.
*   Network Scanner (NS.exe): An executable used to scan the network for open services and move laterally over the network.
*   Angry IP Scanner: A tool used to scan the network for open services and identify network information for the machines found.

The attacker also dropped a variety of batch files responsible for various post-compromise activities.

One batch file clears Windows event logs on compromised systems to minimize forensic artifacts and make detection more difficult:

FOR /F "delims=" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I")

Another was responsible for deleting Volume shadow copies, likely to make recovery following Phobos deployment more difficult:

vssadmin delete shadows /all /quiet  
wmic shadowcopy delete  
bcdedit /set {default} bootstatuspolicy ignoreallfailures  
bcdedit /set {default} recoveryenabled no  
wbadmin delete catalog -quiet  
exit

The script above is included in the Phobos configuration as we noted in our previous blog, which is extracted and saved as a temporary .BAT file before the encryption process starts.

Additionally, a batch file was created to configure the Windows Registry keys that enable the accessibility features present on the Windows logon screen to spawn a SYSTEM-level command prompt without requiring previous authentication. This may have been used as a persistence mechanism, allowing the attacker to regain full control of systems via RDP later in the attack. 

First, the script disables User Account Control (UAC) on the system by setting the following Registry entry:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

Next, the script sets the Image File Execution Options debugger entry for various accessibility features to the Windows Command Processor. This allows an attacker to execute an elevated command shell on the system by invoking the accessibility features from the Windows logon screen. Any time one of these applications is launched, the debugging application specified is launched with elevated permissions instead, which in this case, is the Windows command processor. 

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

Finally, the script configures various Registry entries responsible for enabling RDP and disabling network-level authentication. 

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"

An additional script dropped by the threat actor was responsible for making the following service configuration changes on compromised systems:

sc config Dnscache start= auto  
net start Dnscache  
sc config SSDPSRV start= auto  
net start SSDPSRV  
sc config FDResPub start= auto  
net start FDResPub  
sc config upnphost start= auto  
net start upnphost

File-sharing was enabled on compromised hosts via the following command execution:

dism /online /enable-feature /featurename:File-Services /NoRestart

The attacker also attempted to uninstall endpoint protection software on compromised hosts to minimize detection of various components used throughout the attack and prevent alerting security staff. 

Once the defenses were disabled and the persistence mechanisms enabled, the threat actor deployed the Phobos ransomware, encrypting the files in the server. In this case, the variant we observed during the infection was part of the “Elbie” campaign and displayed the same behavior we described in our previous blog. At the end of the process, the ransom note “_info.hta_” was dropped to the user’s Desktop with details on how to contact the attacker:

__Example of Phobos info.hta displaying the contact address.__

**Unveiling the developers and affiliates behind Phobos**

Through our analysis of Phobos campaigns and malware samples, we made several discoveries that helped shed light on mysteries surrounding the ransomware’s little-known affiliate structure and developers.

There is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to maintain contact, and some had close to 200 unique email addresses with various domains. In some instances, ICQ and Jabber were used as the main contact address. While it’s possible that there is a single group behind Phobos, it would be uncommon to have a threat actor change their contact email address so often. This would take extra time and effort while many ransomware campaigns very successfully use just a few contact addresses. For example, when we observed the ransomware group 8base using Phobos as described in our other blog, they only used a single contact email, “_support@rexsdata\[.\]pro_”.

We also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private decryptor key. For each file Phobos decides to encrypt, it generates a random AES key to use in the encryption, then encrypts this key along with some metadata with an RSA key present in the configuration data, and saves this data at the end of the encrypted file. That means in order to decrypt the file, one needs the private key corresponding to that public RSA key.

Every Phobos sample we analyzed contains the same public RSA key in its configuration data, implying there is only one private key capable of decryption. We assess that a single threat actor controls the private key as every single sample we analyzed contains the same public key. It’s possible the Phobos developer offers the decryption service to their affiliates for a cut of their proceedings. 

During our research, we did find variants of these decryptors in the wild, like this sample found in VirusTotal which promises to decrypt samples for the “**_Elbie_**” variant. However, the decryptor needs two pieces of information that are not available in the file itself, so using it to decrypt samples is not possible. 

__Phobos decryption tool screen asks for base64-encoded data.__

The first piece needed seems to be a file with a base64-encoded encrypted blob of data which seems to be the RSA private key used to decrypt the samples. The second piece of information needed is a password which is used to decrypt the content of this blob. So, it may be possible for the RSA private key to be recovered if these two pieces of data are found, shared by a victim who paid for the decryption or leaked it in the wild. 

Further supporting our assessment that Phobos is run by a central authority, is how meticulously the ransomware’s extension block lists are updated. As we stated previously, Phobos avoids encrypting files that were previously locked by other Phobos affiliates. This is based on a file extension block list in the ransomware’s configuration settings. The extension blocklists appear to tell a story of which groups used that same base sample over time. When a malware builder tool usually generates a binary for a campaign, it does so based on a fixed and clean “stub” binary, which is then populated with whatever payload of configuration is necessary for that current build. This is not what happens with Phobos.

The extension block lists found in the many Phobos samples Talos analyzed are continually updated with new files that have been locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:

**Win.Packed.Zusy  
Win.Ransomware.8base  
Win.Downloader.Generic  
Win.Ransomware.Ulise**

**IOCs**

Indicators of Compromise associated with this threat can be found here.

Understanding the Phobos affiliate structure and activity

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

Thursday, November 16, 2023 14:00

I don’t think this is a particularly bold take — but I’m not afraid to say that ad blockers are good! 

Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer’s blog, get a faster answer to “how to replace my car’s headlights” and likely avoid hundreds of pieces of malvertising. 

But their use has increasingly come into question with YouTube’s new policies on preventing users from using ad blockers on its site, with new warnings saying the user has a certain number of videos they can watch before they must allowlist youtube.com in their ad blocker, thus allowing the site to display ads before YouTube videos. 

The second this popped up for me two weeks ago, I immediately started researching workarounds and quickly found a secure solution that works for my browsing habits. The easy explanation for why Google (YouTube’s parent company) wants to get rid of ad blockers is, simply, money. They run the Google Ads service that provides the stereotypical ads everyone has been used to seeing on websites since the early aughts. Unfortunately, bad actors will often use enticing headlines, fake images or sales pitches to trick people into clicking on links that lead to malicious sites, attacker-run scams or downloads that are malware. 

Ad blockers are a major tool users can deploy to block this type of threat, so the explanation for why everyone should be using one is also clear. 

Google isn’t the only major company looking to bypass ad blockers, either. Spotify’s terms of service explicitly outlaws “circumventing or blocking advertisements or creating or distributing tools designed to block advertisements” on its platforms, and many news websites like CNBC have warnings about turning off your ad blocker before you can proceed to read an article. 

I am all for publishers charging for their content or putting it behind a paywall, or even “premium” subscriptions to disable ads from podcasts or videos. But we all need to universally agree that ad blockers (at least legitimate ones) are good for the internet at large and keep users safer. The FBI and CIA agree with me on this and have both advised that users enable ad blockers in web browsers before.

The argument that ads benefit the creators, and therefore we’re robbing them of money, is largely off-base from these corporations. 

Creators who are part of the YouTube Partner program, which means they have filled out an application and meet a minimum standard for views and subscribers, make between $1.61 and $29.30 for every 1,000 views on their videos through YouTube’s ads. So Mr. Beast might make a decent payday out of that every month, but I’m sure Mr. Beast would also be doing just fine without the extra few thousand dollars in his pocket currently. 

The people who are just trying to be helpful by showing me how to fix my washing machine or install a car seat properly are likely not missing my singular ad view when I use an ad blocker.  

Thankfully, YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations, and privacy advocates have already filed a formal challenge to the EU’s independent data regulator.  

**The one big thing **

Microsoft disclosed three zero-day vulnerabilities as part of its monthly security update this week, and all three have already been added to CISA’s Known Exploited Vulnerabilities catalog. However, Patch Tuesday only included three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays. CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

**Why do I care? **

Unfortunately, zero-days have become commonplace for Patch Tuesdays this year, and it seems like a few more pop up each month. In these cases, attackers were able to discover the exploits before Microsoft had a chance to patch them, and CISA already acknowledged that attackers are exploiting these vulnerabilities in the wild.  

**So now what? **

All Microsoft users should ensure their updates are installed correctly if you have auto-update on, or make sure to manually download the patches as soon as possible otherwise. The Talos blog also has a rundown of Snort rules that can detect the exploitation of many of the vulnerabilities Microsoft disclosed this week. 

**Top security headlines of the week **

**U.S. intelligence agencies are warning that the Royal ransomware group could soon be headed for a rebrand and may already be operating under the name “BlackSuit.”** Government sanctions have previously limited Royal’s ability to make money off their ransomware attacks, but new research from private firms and government agencies indicate that Royal may be connected to BlackSuit, another threat actor that uses similar open-source tools. Royal is a prolific ransomware group that the FBI says is responsible for infecting more than 350 companies, generating revenue in excess of $275 million. Security researchers are also speculating that Royal may have formed from the splintering of the former Conti ransomware gang, which was also the victim of sanctions and government takedown efforts. The U.S. and U.K. announced sanctions against 11 individuals believed to be a part of Conti in September. (TechCrunch, The Register) 

**Fighting election misinformation has only gotten more difficult since the 2020 presidential election.** New reporting and testimony indicate that many key programs and partnerships dedicated to fighting fake news and disinformation online have eroded over the past few years after political attacks from right-wing leaders and organizations. FBI Director Chris Wray told a Senate committee last week that an alliance of federal agencies, tech companies, election officials and security researchers dedicated to fighting foreign propaganda has fallen apart recently, with little to no communication between the various parties involved. Other officials in charge of fighting election disinformation say its been months since they heard from the FBI after once connecting with the agency regularly about fighting fake news on social media platforms. Additionally, many poll workers and election officials are afraid to discuss the topic after years of online pushback from right-wing voters who view the word “misinformation” as a synonym for censorship. (NBC News, NPR) 

**Chip makers Intel and AMD disclosed new vulnerabilities this week that could lead to privilege escalation.** Some Intel CPUs are vulnerable to the newly discovered “Reptar” vulnerability (CVE-2023-23583) that was disclosed on Tuesday. Adversaries can exploit this high-severity flaw if they already have access to the targeted system, eventually causing a crash on the machine leading to privilege escalation or the disclosure of sensitive system information. Another attack on AMD CPUs called “CacheWarp” could allow an attacker to infiltrate encrypted virtual machines and perform privilege escalation. This vulnerability, identified as CVE-2023-20592, affects AMD's Secure Encrypted Virtualization (SEV) technology. Users do not need to take any additional actions to address these vulnerabilities other than ensuring drivers and operating systems are up-to-date and patched. (SecurityWeek, The Hacker News) 

**Can’t get enough Talos? **

Rather than putting a bunch of links here this week, I instead encourage you to watch this whole segment from Fox 11 in Los Angeles, featuring Nick Biasini from Talos Outreach. The story covers online scams, but features Nick discussing Talos’ recent research into various scams in the online video game “Roblox.” 

**Upcoming events where you can find Talos **

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

We all just need to agree that ad blockers are good

Avoiding some of these common mistakes ensures your organization’s plan will be updated faster and is more thorough, so you are ready to act when, not if, an incident happens.

Thursday, November 16, 2023 08:00

Cisco Talos recently covered the basics of NIS2, a new set of requirements for cybersecurity and security incident disclosures set to take effect next year in the European Union.

As part of these new guidelines, organizations with operations in the EU must have up-to-date “incident handling” procedures and “policies on risk analysis and information system security”

To comply, Talos IR recommends creating or updating your organization’s incident response (IR) plan, along with the Information Security Policy, Business Continuity and Crisis Management Plan. The IR plan is a crucial document for each organization’s cybersecurity practice and should be among the first documents to be updated to comply with NIS2.

Below, we’ll outline seven common pitfalls that organizations make when creating or updating an incident response plan. Avoiding some of these common mistakes ensures your organization’s plan will be updated faster and is more thorough, so you are ready to act when, not if, an incident happens.

**Part II: Pitfalls to avoid when creating an incident response plan**

**Failing to define a document hierarchy**

A common mistake when starting to work on a new or updated IR plan is to look at the plan in isolation, without consideration for all the cybersecurity documents that exist in your organization.

The term “document hierarchy" might sound complicated and foreign, but it describes exactly this simple concept: All documents within an organization should have a specific scope, purpose and intended audience — A bit like LEGO blocks that build upon each other.

Document B can deepen the information presented in Document A by providing more details on a specific part of the process without the need to repeat what was already presented in Document A. Having a clear overview on how the individual documents fit within the overall document hierarchy helps avoid duplication of information, thus keeping documents only as long as they really need to be. A shorter document with a clear focus is more likely to be read and effectively used by its intended audience.

In the context of cybersecurity, Talos IR recommends a document hierarchy consisting of the following building blocks:

The incident response plan focuses on the incident handling process. It is a second- or third-level document that builds on the higher-level information in the security policy or the security principal statement. In the plan, which has a narrower audience than the previous two documents, one can find details on the formation and operations of the incident response team, actions and available resources in each phase of the incident response process, escalation procedures and communication flows. The information in the incident response plan is applicable to all cybersecurity incidents and serves as a basis for the development of the next level of documentation, which is more procedural and scenario-based.

By failing to define and adhere to a clear document hierarchy you run the risk of overloading the IR plan with specific checklist type of information, which would be more fitting for a playbook. Playbooks usually build upon the incident response plan to provide step-by-step guidance for responding to a specific incident type, such as ransomware, suspicious emails, and unusual network traffic. Another risk is the plan is too broad, borrowing content from the policy and listing general cyber hygiene advice and end-user training topics. This makes it hard for the responders, who are the main audience of the plan, to find the vital information for their needs.

**Being too general**

An Incident Response Plan should at the very least answer the “Who, What, When and How?” of a cybersecurity incident.

If you break it down:

*   **Who** – What are the roles that are part of the IR process, what skillsets or capabilities are required for the members of the role (technical and in terms of crisis management and coordination), and what other supporting roles are involved during the different IR phases.
*   **What** – What activities are performed at each stage of the incident response process? Remember, an IRP is not a playbook, so you do not need to describe the details of, for example, investigating suspicious executable files on a host. Instead, the plan should have a description of the general triage process, available data sources within the organization and possible playbooks to follow once the incident has been narrowed down.
*   **When** – Time is precious during an incident, so it is good to have an order of actions that is pre-determined to take place whenever an incident occurs. For example, based on the priority classification of the incident (which is something that should also be in the plan) an escalation process might be started. Would a high-priority event occurring on the weekend necessitate calling immediately the manager immediately? Is such an escalation point available outside of normal working hours? Each action should also have a role owner identified.
*   **How** – An incident response plan should contain high-level information about the tools that would typically be used during an incident for the technical response (including data capturing, detection capabilities and analysis tools) and the incident communication (e.g., what alternative infrastructure can be used if the network is suspected to be compromised). Yet, the plan should offer only an overview of the capabilities of the tools, the toolkit at the team’s disposal, rather than procedural details on using them. The latter should be added to the organization’s playbooks.

**Being too specific**

An IRP is not a playbook. The information in the plan is the foundation that doesn’t need to be repeated in the other playbooks. For example, ensure that the plan does not include procedural information that is only applicable to one type of attack, such as ransomware or distributed denial-of-service (DDoS), because this will water down the scope of the document.

**Writing in isolation**

In all fairness, few technical personnel are truly enthusiastic about writing process documentation. This makes it even more important to ensure that whoever works on the IR plan is supported by the broader team.

One of the most successful ways to create a meaningful IR plan is to involve the company stakeholders, such as the primary business application owners, so they can have an understanding and make sure their needs and expectations are being met with the plan.

The initial plan draft should be reviewed by at least two team members who have process knowledge and will be responsible for the IR process implementation. Then, the next level of review should be done by teams outside of the core IR team, such as Networking and Storage Management, which play a key role during recovery. Supporting non-technical teams such as legal, communications and HR, should be provided with a final draft for review. The input of the latter is just as valuable as the technical ones, because some regulations, such as NIS2, will require incident notification within 24 hours. For example, it would be up to the legal team to confirm if, and who will be available on the weekend to contact law enforcement for an incident that started on a Friday afternoon and by Sunday needs to be reported.

**Not testing the IR plan**

We all know that testing processes are essential, but not all processes are created equal. How often do you test your backup recovery procedure? And how often do you test your incident response process?

An Incident Response Plan typically contains several sub-process descriptions, such as an escalation process, triage process, alternative communication channels activation process, etc. The plan is only as good as its use during a real incident, and the best way to identify any gaps in any of those sub-processes is to put them to a test.

How can you test the IR Plan? Start by breaking it down into key processes which are part of the overall incident handling. Then rank those processes according to their criticality for the overall response and their level of effort to test. Start with the sub-processes on top and work your way down.  

For example, look at the recovery action, “the incident lead contacts the backup management team to get the status of the backups.” Here are some of the questions that you might need to check:

*   How does the incident commander contact the backup management team? Is that communication channel available offline if the company’s communications tools are down or compromised?
*   Will the backup management team be available at this time of the day? What if the incident happens on the weekend or during a public holiday?
*   Where will the backup management team find the latest test date of the backups? Does the backup management team have a procedure to follow during the verification of the backup’s integrity? How quickly such an overview be created?
*   If backups have been isolated, could they be checked for integrity?
*   In case of a suspicion of compromise, does the backup management team have a list of all accounts that have access to the backups?
*   How will the incident commander keep track of all information sent to them during the incident and make them available to the larger team?

To test the tools, people and processes involved in this situation, Talos IR recommends conducting tabletop exercises at least once a year.  A tabletop is a dry run through a scenario customized to your organization, the attack being only on paper without environmental impact, to see how responsible teams will react. It might seem harmless but if done properly, the tabletop can empower teams to see their IR plan with new eyes, discovering both the power of a well-written document with up-to-date information and the areas that need improvement.

**Letting it get stale**

An IRP should be renewed and updated at least once a year, and additionally, whenever you have major software or hardware changes in your environment. Changes in the organization's legal structure, such as mergers and acquisitions, also necessitate a review. At the conclusion of any major incidents, it is also recommended to review the IR Plan and adjust based on the incident. Regular reviews also help ensure that in case of personnel changes — e.g., members rotating outside the team or the organization, or IT landscape changes — the plan is still effective.

**Being too IT-focused**

An IR plan should be created in consultation with other non-technical teams, starting with legal, compliance, HR and communications. Specific examples of when you will need to work closely with those teams are cases when the personal data of employees has been affected, when you have regulatory requirements to notify authorities about an incident, or when you need to publish a public statement about a major incident.

Another team that is often overlooked but should be part of the IR plan development is the service desk team. Are agents able to route a cybersecurity incident properly and get it quickly escalated to the IR team? Have they been trained to recognize, even with fewer affected users, high-confidence signs of common attacks such as ransomware, wipers and social engineering?

If you remain too focused on the technical aspects of handling an incident, you run the risk of creating an incomplete document. Supporting teams should be part of the development process, the distribution list of the final document, and the testing and training exercises. Raising a child takes a village, and so does protecting an organization.

Talos IR can support customers in preparing to meet the requirements of NIS2. The following services address one or more of the requirements of the directive:

*   **Preparing:** IR Plan, IR Playbooks, IR Readiness Assessment, Log Architecture Assessment
*   **Simulating:** Purple Team
*   **Training:** Tabletop , Cyber Range
*   **Hunting:** Compromise Assessment, Threat Hunting
*   **Core:** Emergency Response, Intel on Demand

The implementation of technical and procedural measures, which would support you in achieving compliance with NIS2, is a process that might require creating new processes and updating your technology stack. Time flies when you are having fun so we recommend that you start by reviewing the requirements you will need to comply with and putting together an actionable plan for how to achieve this in the course of the upcoming year.

Source

TALOS