Cisco Blogs


Cisco Blog > Threat Research

Ding! Your RAT has been delivered

This post was authored by Nick Biasini

Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn’t a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye keylogger for quite sometime.

Some interesting techniques in this campaign were used by the threat actor to bypass simplistic sandbox methods including use of sub folders, right to left override, and excessive process creation. This threat also had surprising longevity and ample variations, used over time, to help ensure the success of the attack.

What is DarkKomet?

dc_panel_controller

Read More »

Tags: , , ,

Hook, Line & Sinker: Catching Unsuspecting Users Off Guard

This post was authored by Earl Carter.

Attackers are constantly looking for ways to monetize their malicious activity. In many instances this involves targeting user data and accounts. Talos continues to see phishing attacks targeting customers of multiple high profile financial institutions.  In the past couple of months, we have observed phishing attacks against various financial customers including credit card companies, banks, credit unions, and insurance companies, as well as online businesses such as Paypal and Amazon. These phishing attacks have gone old-school in that they either attach an HTML document or include HTML data in the actual email to present the user with official looking pages that appear to be from the actual businesses being targeted.

Read More »

Tags: , , ,

My Resume Protects All Your Files

This post was authored by Nick Biasini

Talos has found a new SPAM campaign that is using multiple layers of obfuscation to attempt to evade detection.  Spammers are always evolving to get their messages to the end users by bypassing SPAM filters while still appearing convincing enough to get a user to complete the actions required to infect the system. The end payload for this campaign is Cryptowall 3.0. Talos has covered this threat repeatedly and this is another example of how the success of Ransomware has pushed it to one of the top threats we are seeing today. Whether its Exploit Kits or SPAM messages threat actors are pushing as many different variants of Ransomware as possible.

Email Details

The use of resume based SPAM isn’t anything new.  An analysis of our telemetry has found countless messages in the last 30 days related to Resumes. Threat actors have tried many different techniques associated with these messages including using password protected zip files, word documents with embedded macros, and malicious URLs redirecting back to a malicious sample. This threat combined a series of techniques to try and avoid detection that has been surprisingly successful against some products. Below is a sample of one of the emails that we saw in our telemetry.

Sample Email

Sample Email

Read More »

Tags: , , ,

Little Links, Big Headaches

This post was authored by Earl CarterJaeson Schultz.

Talos is always fascinated by the endless creativity of those who send spam. Miscreants who automate sending spam using botnets are of particular interest. Talos has been tracking a spam botnet that over the past several months that has been spamming weight loss products, male erectile dysfunction medication, and dating/casual sex websites.  These are all typical products one would expect to be purveyed through spam. What interests us about this spam are some of the ways the spam is constructed to try and evade detection (a.k.a. spam filters).

Beginning in March, Talos noted an absolute explosion in the usage of link shortening services in spam. After looking into the cause we found botnet ‘unknown2250’, as it is called by the Composite Block List (CBL), to be one of the primary parties responsible for this massive increase.

Click For Larger Image

Click For Larger Image

Read More »

Tags: , ,

Be More Effective, Be More Efficient: The Mantra for Many Adversaries in 2014

Adversaries are committed to continually refining or developing new techniques to conceal malicious activity, decrease their reliance on other techniques that may be more detectable, and become increasingly more efficient and effective in their attacks. Below are just three examples—explored in detail in the newly released Cisco 2015 Annual Security Report—of how malicious actors met these goals in 2014. These trends were observed by Cisco Talos Security Intelligence and Research Group throughout last year, and analyzed by the team using a global set of telemetry data:

  • Use of malvertising to help deliver exploit kits more efficiently—Talos noted three exploit kits we observed “in the wild” more than others in 2014: Angler, Goon, and Sweet Orange. More than likely, their popularity is due to their technical sophistication in terms of their ability to evade detection and remain effective. The Sweet Orange kit, for example, is very dynamic. Its components are always changing. Adversaries who use Sweet Orange often rely on malvertising to redirect users (often twice) to websites that host the exploit kit, including legitimate websites.
  • Increase in Silverlight exploitation—As we reported in both the Cisco 2014 Midyear Security Report and the Cisco 2015 Annual Security Report, the number of exploit kits able to exploit Microsoft Silverlight is growing. While still very low in number compared to more established vectors like Flash, PDF, and Java, Silverlight attacks are on the rise. This is another example of adversaries exploring new avenues for compromise in order to remain efficient and effective in launching their attacks. The Angler and Goon exploit kits both include Silverlight vulnerabilities. Fiesta is another known exploit kit that delivers malware through Silverlight, which our team reported on last year.

snowshoe

  • The rise of “snowshoe spam”—Phishing remains an essential tool for adversaries to deliver malware and steal users’ credentials. These actors understand that it is more efficient to exploit users at the browser and email level, rather than taking the time and effort to attempt to compromise servers. To ensure their spam campaigns are effective, Talos observed spammers turning to a new tactic last year: snowshoe spam. Unsolicited bulk email is sent using a large number of IP addresses and at a low message volume per IP address; this prevents some spam systems from detecting the spam, helping to ensure it reaches its intended audience. There is also evidence that adversaries are relying on compromised users’ machines as a way to support their snowshoe spam campaigns more efficiently. Snowshoe spam contributed to the overall increase of spam volume by 250 percent in 2014.

These are only a few of the threat intelligence findings presented in the Cisco 2015 Annual Security Report. We encourage you to read the whole report, but also, to stay apprised of security trends throughout the year by following our reports on the Cisco Security blog. Talos is committed to ongoing coverage of security threats and trends. In fact, in the Cisco 2015 Annual Security Report, you’ll find links to several posts that our researchers published throughout 2014, and were used to help shape and inform our threat intelligence coverage in the report.

Tags: , , , , ,