Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

How Adversaries Use Politics for Compromise

This blog post was authored by Nick Biasini and Edmund Brumaghin of Cisco Talos.

Executive Summary

With the U.S. presidential primaries just around the corner, even malware authors can’t help but get behind the frenzy. Cisco Talos recently discovered several malware distribution campaigns where the adversaries were utilizing the names and likenesses of several prominent political figures, chief among them U.S. President Donald Trump. We discovered a series of ransomware, screenlockers, remote access trojans (RATs) and other malicious applications that play off of Trump’s likeness, as well as former presidential candidate Hillary Clinton.

Some of the applications are designed to coerce victims into paying ransom demands, while others could be used to gain backdoor access to systems and provide attackers the ability to operate within organizational networks. In many cases, it is clear that the authors of these applications were motivated by their political beliefs, which were reflected in the software that they created. In this post, we’ll analyze several of these examples and provide a look at the types of malware they deployed.

There is a wide array of threats that adversaries are willing to deliver through any means necessary, including leveraging political themes and overtones. This is one of the reasons why organizations need to be diligent in protecting their environments through various technologies, applying best practices, and taking a thorough defense-in-depth approach when implementing various security controls. Additionally, ensure you have an employee information security education program that exposes users to the variety of lures that can be leveraged by adversaries to deliver these threats.

Read More >>

C2 With It All: From Ransomware To Carding

 

Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims’ infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.

We found a great variety of malicious files on this server, ranging from ransomware like the DopplePaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2)

The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.

>>> Read More

Threat Roundup for October 25 to November 1

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 25 and Nov 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU11012019  – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The commoditization of mobile espionage software

Mobile stalkerware has all sorts of wide-ranging consequences. The creators of these types of apps can track user’s locations, see their social media usage and more. And they certainly open the door for abuse by governments hoping to spy on their citizens, parents looking to track their children or controlling spouses hoping to track every move their partners make. This class of software exists to surreptitiously get and provide this personal information, sometimes in real time.

Cisco Talos recently spotted a wave of vendors hawking this software, designed to spy on unsuspecting users. We observed apps across the globe — including activities in countries that have some of the worst human rights records — with vendors offering language- and country-specific services. In all, there were 87 vendors we discovered as part of our research, which we believes poses a serious threat to at-risk individuals. The stalkerware space is completely unregulated, and these apps are allowed to exist on many app stores for extended periods of time, with their creators even offering easy to follow tutorials online as to how to trick users into downloading these apps. This is an easily accessible, yet volatile, market.

Read More >>

Threat Roundup for October 18 to October 25

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 18 and Oct 25. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10252019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Gustuff return, new features for victims

The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS.

The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions. On the capability side, the addition of a “poor man scripting engine” based on JavaScript provides the operator with the ability to execute scripts while using its own internal commands backed by the power of JavaScript language. This is something that is very innovative in the Android malware space.

The first version of Gustuff that we analyzed was clearly based on Marcher, another banking trojan that’s been active for several years. Now, Gustuff has lost some similarities from Marcher, displaying changes in its methodology after infection.

Today, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in Australia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as Cisco Duo, combined with security awareness and the use of only official app stores.

Read More >>

 

Threat Roundup for October 11 to October 18

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 11 and Oct 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10182019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Checkrain fake iOS jailbreak leads to click fraud

Attackers are capitalizing on the recent discovery of a new vulnerability that exists across legacy iOS hardware. Cisco Talos recently discovered a malicious actor using a fake website that claims to give iPhone users the ability to jailbreak their phones. However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud.

Checkm8 is a vulnerability in the bootrom of some legacy iOS devices that allows users to control the boot process. The vulnerability impacts all legacy models of the iPhone from the 4S through the X. The campaign we’ll cover in this post tries to capitalize off of checkra1n, a project that uses the checkm8 vulnerability to modify the bootrom and load a jailbroken image onto the iPhone. Checkm8 can be exploited with an open-source tool called “ipwndfu” developed by Axi0mX.

The attackers we’re tracking run a malicious website called checkrain[.]com that aims to draw in users who are looking for checkra1n.

This discovery made headlines and caught the attention of many security researchers. Jailbreaking a mobile device can be attractive to researchers, average users and malicious actors. A researcher or user may want to jailbreak phones to bypass standard restrictions put in place by the manufacturer to download additional software onto the device or look deeper into the inner workings of the phone. However, an attacker could jailbreak a device for malicious purposes, eventually obtaining full control of the device.

 

Read More >>>

Threat Roundup for October 4 to October 11

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 4 and Oct 11. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10112019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.