Threat Research

May 24, 2017


File2pcap – The Talos Swiss Army Knife of Snort Rule Creation

This post was authored by Martin Zeiser with contributions by Joel Esler At Talos we are constantly on the lookout for threats to our customers networks, and part of the protection process is creating Snort rules for the latest vulnerabilities in order to detect any attacks. To improve your understanding of the rule development process, consider […]

May 3, 2017


Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

This post authored Sean Baird and Nick Biasini Attackers are always looking for creative ways to send large amount of spam to victims. A short-lived, but widespread Google Drive themed phishing campaign has affected a large number of users across a variety of verticals. This campaign would be bcc’d to a target while being sent […]

March 10, 2017


Threat Roundup for the Week of Mar 6 – Mar 10

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed over the past week. As with our previous threat round-up, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically […]

March 8, 2017


Content-Type: Malicious – New Apache Struts2 0-day Under Attack

This Post Authored by Nick Biasini UPDATE: It was recently disclosed that in addition to Content-Type being vulnerable, both Content-Disposition and Content-Length can be manipulated to trigger this particular vulnerability. No new CVE was listed, however details of the vulnerability and remediation are available in this security advisory. Talos has observed a new Apache vulnerability […]

January 31, 2017


Cisco Coverage for Shamoon 2

Shamoon is a type of destructive malware that has been previously associated with attacks against the Saudi Arabian energy sector we’ve been tracking since 2012. We’ve observed that a variant of Shamoon, identified as Shamoon 2, has recently been used against several compromised organizations and institutions. Talos is aware of the recent increase in Shamoon […]

January 27, 2017


Matryoshka Doll Reconnaissance Framework

This post authored by David Maynor & Paul Rascagneres with the contribution of Alex McDonnell and Matthew Molyett Overview Talos has identified a malicious Microsoft Word document with several unusual features and an advanced workflow, performing reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, as well as exploitation from a non-embedded […]

January 18, 2017


Without Necurs, Locky Struggles

This post authored by Nick Biasini with contributions from Jaeson Schultz Locky has been a devastating force for the last year in the spam and ransomware landscape. The Locky variant of ransomware has been responsible for huge amounts of spam messages being sent on a daily basis. The main driver behind this traffic is the […]

November 28, 2016


Cerber Spam: Tor All the Things!

This post authored by Nick Biasini and Edmund Brumaghin with contributions from Sean Baird and Andrew Windsor. Executive Summary Talos is continuously analyzing email based malware always looking at how adversaries change and the new techniques that are being added on an almost constant basis. Recently we noticed some novel ways that adversaries are leveraging […]

November 22, 2016


Fareit Spam: Rocking Out to a New File Type

This post authored by Nick Biasini Talos is constantly monitoring the threat landscape including the email threat landscape. Lately this landscape has been dominated with Locky distribution. During a recent Locky vacation Talos noticed an interesting shift in file types being used to distribute another well known malware family, Fareit. We’ve discussed Fareit before, it’s […]