TALOS

By Jung soo An, Asheer Malhotra and Vitor Ventura. Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor. Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms. We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently. TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog. Executive Summary Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims ...

The India native has transitioned from a reverse-engineer hobbyist to a public speaker in just a few years   By Jon Munshaw.  Ninety percent of Asheer Malhotra’s work will never see the light of day. But it’s that 10 percent that keeps him motivated to keep looking for something new.  The Talos Outreach researcher spends most of his days looking into potential new threats. Many times, that leads to dead ends of threats that have already been discovered and blocked or don’t have any additional threads to pull on.  But eventually, the “lightbulb goes off,” as he puts it, which indicates something is a new threat the wider public needs to know about. During his time at Talos, Malhotra has spent much of his time looking into cyber attacks and state-sponsored threat actors in Asia, like the Transparent Tribe group he’s written about several times.  “At some point, I say ‘Hey, I don’t think I’ve seen this before.’ I start analyzing public disclosures, and slowly start gaining confidence and...

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 2...

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  This week marks about 90 days before my wife’s due date with our first child, a baby girl. We’re both incredibly excited and nervous at the same time, and we have much to discuss, like how to lay out the nursery, what times we’ll put her down for a nap and who must be the one to get up the first time she starts crying at 2 a.m.  But the first true argument my wife and I have had about having a child is whether we should show the baby’s face on Instagram.  This child isn’t even born yet, and social media companies are probably already building out a data profile on her. I signed up for the What to Expect app so I could follow along with my wife’s pregnancy progress and learn more about what she’s going through and how the baby is developing. Already I’m getting targeted ads on the app and my Instagram for specific brands of baby food, the stroller that we’ve listed on our registry and an automati...

By Vanja Svajcer Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary. The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had...

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 19 and Aug. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 2...

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere.  The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue.   As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks. Because there’s been no one major cyber attack against Ukraine since Russia’s invasion began, the larg...

On Independence Day for Ukraine, Aug. 24, 2022, Cisco Talos provided a live update on its continued support for the region.   Six months since the invasion of Russia's invasion of Ukraine, Dmytro Korzhevin, a senior threat intelligence researcher, JJ Cummings, Talos' national intelligence principal, and Ashlee Benge, a strategic intelligence lead, provided insights into their past few months of work in the region. The discussion primarily focused on the resiliency of Ukrainians, who have worked tirelessly over the years to transform their cybersecurity capabilities. Ukrainian infrastructure has largely stayed operational and, in most cases, exceeded expectations. It seems to have baffled most pundits, but for those that have spent years working in Ukraine, it’s no surprise about the levels of dedication and commitment to protecting their critical infrastructure from those that would do it harm.   The team also covered how groundwork laid years ago is paying dividends now during t...

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 12 and Aug. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 2...

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to sure up users’ personal information. Of course, all users have to do is go out of their way to opt-in.  Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers will exploit when targeting a mobile device with spyware. Spyware is a growing concern across the world, especially the NSO Group’s Pegasus tool.   With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass.  In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “...we didn’t find using our iPhone in Lockdown Mode t...