Cisco Blogs

Threat Research

  • Go RAT, Go! AthenaGo points “TorWords” Portugal

    - February 8, 2017 - 0 Comments

    This post was authored by Edmund Brumaghin with contributions from Angel Villegas

    Summary

    Talos is constantly monitoring the threat landscape in an effort to identify changes in the way attackers are attempting to target organizations around the world. We identified a unique malware campaign that was distributed via malicious Word documents. The campaign appeared to be targeting victims in Portugal. The malware being distributed was interesting for a variety of reasons. As the author of this malware refers to it as “Athena” in their source code working directory and the fact that the C2 domain used by the malware begins with “athena”, we have identified this malware as “AthenaGo”. We were unable to locate a detailed analysis of this particular malware.

    AthenaGo appears to be a Remote Access Trojan (RAT) that also features the capability to download and run additional binaries on infected systems when instructed to do so by an attacker. The malware was written using the Go programming language. Windows-based malware written in Go is not commonly seen in the wild. Additionally the command and control (C2) communications used by the malware made use of Tor2Web proxies, which is part of a trend of increased reliance on these proxying services by various malware authors. As this was an interesting/unique infection chain, Talos decided to examine the malware itself as well as the campaigns that were distributing it.

    Read More >>

  • When a Pony Walks Out Of A Pub

    - February 6, 2017 - 1 Comment

    This blog was authored by Warren Mercer and Paul Rascagneres.

    Talos has observed a small email campaign leveraging the use of Microsoft Publisher files. These .pub files are normally used for the publishing of documents such as newsletters, allowing users to create such documents using familiar office functions such as mail merging. Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a ‘Protected View‘ mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.

    The file used in this campaign was aimed at infecting the victim with the, well known, Pony malware. Whilst Pony is well documented in technical capability it has not been known to use the .pub file format until now. Pony is a credential harvesting piece of malware with other trojan capabilities. In addition to credential harvesting, it is also commonly deployed as a malware loader and used to infect systems with additional malware in multi-stage infection chains. Pony is still used heavily as the sources of multiple Pony versions leaked thus making it much easier for other malicious actors to implement Pony into their infection chain.

  • Cisco Coverage for Shamoon 2

    - January 31, 2017 - 0 Comments

    Shamoon is a type of destructive malware that has been previously associated with attacks against the Saudi Arabian energy sector we’ve been tracking since 2012. We’ve observed that a variant of Shamoon, identified as Shamoon 2, has recently been used against several compromised organizations and institutions. Talos is aware of the recent increase in Shamoon 2 activity and has responded to ensure our customers are protected. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

    Propagation

    Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.

    Read more >>

  • EyePyramid: An Archaeological Journey

    - January 30, 2017 - 0 Comments

    The few last days, a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a preliminary report of the investigation. This malware is notable due to the targeting of Italian celebrities and politicians.

    We conducted our analysis on one of the first public samples attributed to EyePyramid. Sources in the security community have described this malware campaign as unsophisticated, and the malware samples involved as uninteresting. However Talos was intrigued to determine just how EyePyramid managed to stay hidden under-the-radar for years.

    Read more

  • Matryoshka Doll Reconnaissance Framework

    - January 27, 2017 - 0 Comments

    This post authored by David Maynor & Paul Rascagneres with the contribution of Alex McDonnell and Matthew Molyett

    Mat1

    Overview

    Talos has identified a malicious Microsoft Word document with several unusual features and an advanced workflow, performing reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, as well as exploitation from a non-embedded Flash payload. This document targeted NATO members in a campaign during the Christmas and New Year holiday. Due to the file name, Talos researchers assume that the document targeted NATO members governments. This attack is also notable because the payload was swapped out with a large amount of junk data which was designed to create resource issues for some simplistic security devices.

    Read More

  • Vulnerability Spotlight – LibBPG Image Decoding Code Execution

    - January 23, 2017 - 0 Comments

    Overview

    Talos is disclosing TALOS-2016-0259 / CVE-2016-8710. An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be triggered via attempting to decode a crafted BPG image using libbpg.

    Details

    BPG (Better Portable Graphics) is an image format created in 2014 based on the HECV video compression standard. BPG has been praised for its ability to produce the same quality image as the well known JPEG format, but in a much smaller file size. Talos is disclosing the presence of a remote code execution vulnerability in the libbpg library which is widely used to support the file format. During the decoding of a BPG, in the `restore_tqb_pixels` function, an attacker controlled integer underflow can occur during the calculation of offsets for the `src` and `dst` operands of a `mempcy`. Because of the underflows, the resulting addresses passed to the `memcpy` are outside the bounds of the original heap structures, resulting in an out of bounds write condition. This vulnerability can be used to create a specially crafted BPG image file which results in remote code execution when opened with any application using a vulnerable version of the libbpg library.
    Read more >>