Cisco Blogs


Cisco Blog > Threat Research

Ding! Your RAT has been delivered

This post was authored by Nick Biasini

Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn’t a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye keylogger for quite sometime.

Some interesting techniques in this campaign were used by the threat actor to bypass simplistic sandbox methods including use of sub folders, right to left override, and excessive process creation. This threat also had surprising longevity and ample variations, used over time, to help ensure the success of the attack.

What is DarkKomet?

dc_panel_controller

Read More »

Tags: , , ,

Dridex Attacks Target Corporate Accounting

In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. It’s effective, and the lures appear targeted at those responsible for handling purchase orders and invoices. Here’s a breakdown of the types of emails we’ve observed phishing employees and inserting trojans into user devices.

Subjects captured from Dridex campaign in February 2015

Subjects captured from Dridex campaign in February 2015

Read More »

Tags: , , , , ,

Improving Email at Cisco Part 1 – The IT Technology Side

My personal email has 4 characteristics that drive me crazy:

  • I get way too much email
  • Most of my emails are a waste of time
  • Emails carry the risk of, very rarely, nasty virus payloads (or link you to sites that have worse)
  • Despite all this, I can’t live without email Read More »

Tags: , , , , , , ,

Duqu: The Next Stuxnet?

Reports of the recently discovered Duqu trojan have spawned much speculation and even resulted in the trojan being dubbed “the son of Stuxnet” or “Stuxnet 2.0.”

So what is Duqu and how does it compare to Stuxnet?

Duqu is an infostealer trojan designed to sniff out sensitive data and send it to remote attackers. Conversely, Stuxnet was a worm with a malicious payload designed to programmatically alter industrial control systems.

I’ve heard Duqu called Stuxnet 2.0. Why is that?

Read More »

Tags: , , , ,

Cisco Releases IPS Signature to Detect Alleged German Government Trojan

Earlier today we released IPS Signatures 39866-0 and 39866-1 as part of the S603 update to our Cisco Services for IPS customers. These signatures detect or block network traffic associated with the “R2D2 trojan” allegedly used by German authorities to surveil individuals of interest. Originally discovered and announced by the Chaos Computer Club in Germany, this software contains functionality to install software, monitor and remotely control any computer it is installed upon.

This is not the first time Cisco Security Intelligence Operations has reported on this software. We released a public Malware Alert on 10/13 and discussed it in our weekly Cyber Risk Report. The following caption is from the Cyber Risk Report entry:

Read More »

Tags: , ,