|
After Microsoft blocked macros by default in Office documents, attackers needed to find a new file format for their lure documents that could execute malware or malicious code without users noticing. To start off 2023, adversaries shifted toward Shell Link (LNK) files, which provide security researchers the opportunity to capitalize on information that can be provided by LNK metadata. We used this data to uncover new information about the Qakbot botnet and Gamaredon threat actor, and previously unknown connections between multiple threat actors.
|
|
|
|
The operators behind the Prometei botnet continued to level up their operations, adding new functions and anti-detection methods. Talos reported on what we identified as “version 3” of the botnet in March, including an alternative C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell that’s deployed onto victim hosts. At the time of writing, the botnet had over 10,000 compromised machines. In other botnet news, the infamous Emotet malware came back online after a relatively quiet period, this time deploying malicious Microsoft Word documents as lures. Emotet is famous for going through brief periods of inactivity, often spanning months, and then re-appearing. Its newest efforts involved infection chains that Talos had not observed the operators using before. Talos discovers a new threat actor we called “YoroTrooper” targeting government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS). YoroTrooper’s activities seem largely centered around trying to steal sensitive information from these groups. We’d continued to follow this group for the remainder of the year, writing about their malware and TTPs multiple times in 2023. |
|
Although it was released earlier in the year, Talos disclosed a newly discovered “V2” version of the Typhon Reborn information-stealing malware. The updated version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. At the time, we predicted that Typhon Reborn would appear in future cyber attacks. A large-scale attack on global network infrastructure known as “Jaguar Tooth” goes public, including extensive reporting from Talos and Cisco. In this campaign, state-sponsored actors targeted older networking devices like wireless routers, including Cisco devices. The UK’s National Cyber Security Centre (NCSC) also released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco had published a patch for in 2017. These ongoing discussions about defending network infrastructure and ensuring organizations use up-to-date devices eventually led to Cisco and other partners co-founding the new Network Resilience Coalition in July. |
|
A new phishing-as-a-service tool called “Greatness” appears in the wild, offering attackers the ability to pay a subscription fee for their infrastructure. Greatness allows users to send spam emails, pointing targets to convincing Microsoft 365 login pages. The “as-a-service" model for threat actors had long been around, but the trend received increased attention in 2022 as several large ransomware groups shifted to new affiliate models, which offered their services and code to anyone who wanted to use it for a fee. With the help of our partners at The Citizen Lab, Talos revealed new details about the “ALIEN” and “PREDATOR” mobile spyware suites. Many groups that we called “mercenary spyware” groups use these tools to create spyware, software that is considered illegal in many countries and is often used to target at-risk individuals like politicians and activists. Talos revealed a new threat actor we called “RA Group” targeting users globally, including companies in manufacturing, wealth management, insurance providers and pharmaceuticals. RA Group uses a modified version of the Babuk ransomware, which was leaked online in September 2021. |
|
Talos discloses the details of a botnet that’s been active for nearly three full years, “Horabot.” The actor delivers a known banking trojan and spam tool onto victim machines, specifically targeting Spanish-speaking users in North and South America. At the time, Talos believed the actor behind this botnet was located in Brazil. A month after the .zip top-level domain was released for the public to register, our researchers noticed attackers using it in scams designed to get users to leak sensitive information. As a result of user applications increasingly registering “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server. |
|
We discovered multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. Our research indicates that RedDriver has been active since at least 2021. This attack primarily targets Chinese-speaking users, and we suspected the creators of RedDriver are also native Chinese speakers. An unnamed actor started targeting government agencies in Ukraine and Poland, looking to steal sensitive information and setting up a backdoor for potential future attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) attributed attacks, first spotted in July, to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. |
|
Talos’ Vulnerability Research team disclosed dozens of vulnerabilities that affect several small and home office (SOHO) routers. That team spent years on this research in the wake of the massive VPNFilter attack. Adversaries could chain together many of these vulnerabilities to directly access or those an adversary could chain together to gain elevated access to the devices. A new attacker appeared to use a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The actor, apparently of Vietnamese origins, was targeting users in targets Bulgaria, China, Vietnam and other countries since at least June. The new wrinkle to this ransomware attack is that the adversary asks the target to download the ransom note via their publicly available GitHub, rather than including some strings in the binary. The U.S. Department of Health and Human Services (HHS) released a warning to the healthcare industry about Rhysida ransomware activity. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site since then, causing the U.S. government to release a specific warning alerting hospital systems and doctor’s offices about the activity. Talos released several new Snort rules to detect the Rhysida ransomware and details on the actor’s TTPs, including a new ransom note in which they pose as a legitimate cybersecurity company. Talos discloses new information about the infamous Lazarus Group APT, including several new RATs they’re using in the wild. The North Korean state-sponsored actor targeted internet infrastructure and healthcare entities in Europe and the United States with what we called “QuietRAT.” Additional research into the group found that Lazarus Group is increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase. SapphireStealer, an open-source information stealer, is disclosed after Talos observed the malware across public malware repositories with increasing frequency since its initial public release in December 2022. We assessed with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants. |
|
Talos discovered a new malware family we called “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant called “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Both tools are believed to be created and owned by the ShroudedSnooper threat actor, which built the intrusion set. Our researchers spot threat actors abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. These attacks specifically target graphic designers or other artists who use computers with exceptionally large graphics cards — thus making them more valuable for cryptocurrency mining. |
|
Cloudflare and other internet hosting providers reported what was considered the largest distributed denial-of-service attack ever. Though the actual attack occurred earlier in the year, the official disclosure came in October, including details of a vulnerability in the HTTP/2 protocol that the attackers exploited. Talos released an advisory about these attacks, urging users to patch immediately and releasing new Snort rules to detect the exploitation of CVE-2023-44487. YoroTrooper, which Talos initially reported on earlier in the year, started using new TTPs, including new obfuscation techniques and the use of commodity malware. The actor is likely operating out of Kazakhstan, but these new tactics were made to look as if their lure documents came from the government of Azerbaijan. Arid Viper, a threat actor believed to be based out of Gaza, is disclosed. The APT used malicious apps designed as software for the Android operating system to collect sensitive information from targets and deploy additional malware onto infected devices. Although Arid Viper is believed to be based out of Gaza, Cisco Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war, which also began in October. |
|
Talos identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure. Our researchers looked at observed Phobos activity and analyzed more than 1,000 Phobos samples from VirusTotal dating back to 2019. We found that the 8Base group was increasingly deploying variants of Phobos via the SmokeLoader backdoor. We also found indications that Phobos could be available as a pay-for ransomware-as-a-service model. Talos discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. SugarGh0st is believed to be a variant of the infamous Gh0st RAT, a years-old malware of Chinese origin. SugarGh0st is believed to be targeting users in Uzbekistan and South Korea. |
|
Talos releases the details of Project PowerUp, an effort from multiple teams across Cisco to create a new, bespoke hardware device used to protect Ukraine’s power grid. The modified IoT switches allow the country’s power grid to be protected against GPS-jamming attacks, which traditionally tried to disrupt the way timing on the network worked. CNN first wrote about these efforts, and Joe Marshall, Talos’ researcher who spearheaded the project, wrote a firsthand account for the Talos blog.
|
