Threat Research

July 22, 2020

SECURITY

Prometei botnet and its quest for Monero

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with […]

June 22, 2020

SECURITY

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

By Asheer Malhotra. Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although […]

April 16, 2020

SECURITY

PoetRAT Uses Covid-19 Lures To Attack Azerbajian

Cisco Talos has discovered a new malware campaign based on a previously unknown family we’re calling “PoetRAT.” At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in […]

February 18, 2020

SECURITY

Building a bypass with MSBuild

By Vanja Svajcer. In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called “living-off-the-land” approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to […]

February 13, 2020

SECURITY

Threat actors attempt to capitalize on coronavirus outbreak

By Nick Biasini and Edmund Brumaghin. Coronavirus is dominating the news and threat actors are taking advantage. Cisco Talos has found multiple malware families being distributed with Coronavirus lures and themes. This includes emotet and several RAT variants. Executive Summary Using the news to try and increase clicks and drive traffic is nothing new for […]

February 12, 2020

SECURITY

Loda RAT Grows Up

By Chris Neal. Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT. These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document […]

January 21, 2020

SECURITY

Breaking down a two-year run of Vivin’s cryptominers

News Summary There is another large-scale cryptomining attack from an actor we are tracking as “Vivin” that has been active since at least November 2017. “Vivin” has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign. By Andrew Windsor. Talos has identified a new threat […]

October 15, 2019

THREAT RESEARCH

Checkrain fake iOS jailbreak leads to click fraud

Attackers are capitalizing on the recent discovery of a new vulnerability that exists across legacy iOS hardware. Cisco Talos recently discovered a malicious actor using a fake website that claims...

September 17, 2019

THREAT RESEARCH

Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”

A new threat actor named “Panda” has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware.