Threat Research

May 12, 2022

SECURITY

Network Footprints of Gamaredon Group

6 min read

This blog post contains observations of the Cognitive Intelligence Team over Gamaredon Group's activities during the month of March 2022.

November 18, 2020

THREAT RESEARCH

Back from vacation: Analyzing Emotet’s activity in 2020

1 min read

By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz. Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect […]

November 12, 2020

THREAT RESEARCH

CRAT wants to plunder your endpoints

1 min read

By Asheer Malhotra. Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as “Hansom.” CRAT has been attributed to the Lazarus […]

July 22, 2020

SECURITY

Prometei botnet and its quest for Monero

1 min read

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with […]

June 22, 2020

THREAT RESEARCH

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

1 min read

By Asheer Malhotra. Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although […]

April 16, 2020

THREAT RESEARCH

PoetRAT Uses Covid-19 Lures To Attack Azerbaijan

1 min read

Cisco Talos has discovered a new malware campaign based on a previously unknown family we’re calling “PoetRAT.” At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in […]

February 18, 2020

SECURITY

Building a bypass with MSBuild

1 min read

By Vanja Svajcer. In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called “living-off-the-land” approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to […]

February 13, 2020

SECURITY

Threat actors attempt to capitalize on coronavirus outbreak

1 min read

By Nick Biasini and Edmund Brumaghin. Coronavirus is dominating the news and threat actors are taking advantage. Cisco Talos has found multiple malware families being distributed with Coronavirus lures and themes. This includes Emotet and several RAT variants. Executive Summary: Using the news to try to increase clicks and drive traffic is nothing new for […]

February 12, 2020

SECURITY

Loda RAT Grows Up

1 min read

By Chris Neal. Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIt. These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document […]