Cisco Blogs


Cisco Blog > Threat Research

Threat Spotlight: TeslaCrypt – Decrypt It Yourself

This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau

After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.

 

TeslaCrypt-1

Click for Larger Image

Read More »

Tags: , , , ,

Threat Spotlight: Upatre – Say No to Drones, Say Yes to Malware

This post was authored by Nick Biasini and Joel Esler

Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days.  While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.

Execution

When Upatre is executed, a PDF document is quickly downloaded and displayed while Upatre is delivered in the background. The document displayed has been either one of two PDFs.  The first PDF, which was used until March 17, contained some information about Viagra:

Figure 1: Sexual Dysfunction, what’s your function?

Figure 1: Sexual Dysfunction, what’s your function?

Read More »

Tags: , , ,

Microsoft Patch Tuesday for April 2015: 11 Bulletins Released

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 11 bulletins being released which address 26 CVEs.  The first 4 bulletins are rated Critical and address vulnerabilities within Internet Explorer, Office, IIS, and Graphics Component. The remaining 7 bulletins are rated Important and cover vulnerabilities within SharePoint, Task Scheduler, Windows, XML Core Services, Active Directory, .NET, and Hyper-V. Read More »

Tags: , , , , ,

Threat Spotlight: SSHPsychos

This post was authored by Nick Biasini, Matt Olney, & Craig Williams

 

Isolate_Image_Export

Introduction

Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.

Graphic Showing SSH Psychos SSH Traffic vs Rest of Internet (Green)

Read More »

Tags: , , , ,

Threat Spotlight: Spam Served With a Side of Dridex

This post was authored by Nick Biasini with contributions from Kevin Brooks

Overview

The use of macro enabled word documents has exploded over the last year, a primary example payload being Dridex. Last week, Talos researchers identified another short lived spam campaign that was delivering a new variant of Dridex. This particular campaign lasted less than five hours and was successful at mutating the subject and attachments to avoid detection. The five hour campaign actually consisted of two separate emails that both had malicious word documents as attachments. A sample of the two different subject lines are shown below.

Campaign One Subject:
Debit Note [97994] information attached to this email

Campaign Two Subject:
48142 – Your Latest Documents from RS Components 822379272

*Note: Italicized text used to identify mutating portions of email subject

Both campaigns centered on invoices being sent as word document attachments. Not only did the attackers use different subjects for every email they also rarely reused an attachment name. Less than five percent of the emails observed contained re-used attachment names.

Read More »

Tags: , , , ,