Cisco Threat Research Blog

By Ben Baker, Edmund Brumaghin, JJ Cummings and Arnaud Zobec.

Threat summary

• After initially compromising corporate networks, the attacker behind WastedLocker performs privilege escalation and lateral movement prior to activating ransomware and demanding ransom payment.
• The use of “dual-use” tools and “LoLBins” enables adversaries to evade detection and stay under the radar as they further operate towards their objectives in corporate environments.
• WastedLocker is one of the latest examples of adversaries’ continued use of lateral movement and privilege escalation to maximize the damage caused by ransomware.
• The use of “big-game hunting” continues to cause significant operational and financial damages to organizations around the globe.

Background

Ransomware is a serious threat to organizations around the world. It is used to disrupt operations on computing systems so that attackers can extort victims and demand payment, typically in the form of cryptocurrency, to restore normal operations on infected systems. As the threat actors behind ransomware attacks have matured in their capabilities, they have refined their approach to generating revenue using this business model. One recent evolution has been the use of privilege escalation and lateral movement techniques prior to the activation of ransomware payloads within organizational environments.

By delivering and activating ransomware on many different systems within corporate networks simultaneously, attackers can maximize the damage they inflict. This often results in a situation where organizations may be more likely to pay a ransom demand than they otherwise would have been, had only a single endpoint been affected. In some cases organizational backup and recovery strategies may not have been adequately tested against situations in which a significant portion of their production environment is adversely affected at the same time, which may cause them to be more willing to pay a ransom demand. It also allows adversaries to increase the amount of the ransom they are demanding, often resulting in ransom demands for hundreds of thousands of dollars or more to recover infected systems. This approach is sometimes referred to as “big-game hunting.”

Adversaries have used this approach more frequently over the past year. One of the most recent examples of this is with the emergence of a threat actor that is currently leveraging a ransomware family known as “WastedLocker.” The adversary behind these attacks is taking advantage of various “dual-use” toolsets like Cobalt Strike, Mimikatz, Empire, and PowerSploit to facilitate lateral movement across environments being targeted. These toolsets are typically developed to aid with penetration testing or red-teaming activities, but their use is often co-opted by malicious adversaries as well. Additionally, the use of native operating system functionality, and what are commonly referred to as “LoLBins” allows attackers to evade detection and operate under the radar until they are ready to activate the ransomware and make their presence known.

Read More >>

By Nick Biasini, Edmund Brumaghin and Mariano Graziano.

Threat summary

• Attackers are actively distributing the Valak malware family around the globe, with enterprises, in particular, being targeted.
• These campaigns make use of existing email threads from compromised accounts to greatly increase success.
• The additional use of password-protected ZIP files can create a blind spot in security protections.
• The overwhelming majority of campaigns occurred over the last couple of months and targeted organizations in the financial, manufacturing, health care and insurance verticals.

Executive summary

Valak is a modular information-stealer that attackers have deployed to various countries since early-to-mid 2019. While Valak features a robust feature set, it is often observed alongside secondary malware payloads, including Gozi/Ursnif and IcedID. This malware is typically delivered via malicious spam email campaigns that leverage password-protected ZIP archives to evade detection by email security solutions that may inspect the contents of emails entering corporate networks. While previous analysis focused on campaigns targeting the United States and Germany, Cisco Talos has observed ongoing campaigns targeting other geographic regions including countries in North America, South America, Europe and likely others. The email campaigns distributing downloaders associated with Valak also appear to be leveraging existing email threads to lend credibility to the emails and increase the likelihood that victims will open file attachments and initiate the Valak infection process.

Read More >> 

The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year.
Talos telemetry shows that PROMETHIUM is expanding its reach and attempts to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. This leads us to believe that just like in the past, the initial vector may be either a watering hole attack or in-path request interception like mentioned in a CitizenLab report from 2018. This group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research even linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.

Read more >>>

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 19 and June 26. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200626-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 5 and June 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200612-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

By Asheer Malhotra.

• Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities.
• These maldocs use malicious macros to deliver a multistage and highly modular infection.
• This campaign appears to target military and government organizations in South Asia.
• Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What’s new?

Cisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with customized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that military and government organizations in South Asia were targeted by this attack.

Read More>>

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 29 and June 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200605-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 22 and May 29. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200529-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Executive summary

Static reverse-engineering in IDA can often be problematic. Certain values are calculated at run time, which makes it difficult to understand what a certain basic block is doing. If you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect it and start behaving differently. Today, Cisco Talos is releasing the 1.0 beta version of Dynamic Data Resolver (DDR) — a plugin for IDA that makes reverse-engineering malware easier. DDR is using instrumentation techniques to resolve dynamic values at runtime from the sample. For the 1.0 release, we have fixed a couple of bugs, ported it to the latest IDA version, added multiple new features, plus a new installer script that automatically resolves all dependencies.

Read More >>