Cisco Blogs

Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • What we learned by unpacking a recent wave of Imminent RAT infections using AMP

    January 17, 2019 - 0 Comments

    This blog post was authored by Chris Marczewski

    Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial grade packer.

    This was a series of attacks engineered to evade detection and frustrate analysis. From the outside, we have a commercially available, yet affordable packer called “Obsidium” that has been used in the past to protect the intellectual property of some legitimate software vendors. The payload results in a RAT called Imminent that has also been used previously for legitimate purposes. Imminent is a commercially available RAT that retails for $25 to $100, depending upon the size of the customer’s expected user base. While it is not intended for malicious use, in this case, its detection suggested otherwise.

    Although a Potentially Unwanted Application (PUA) detection approach could suffice, not everyone enables blocking of PUAs. We have other technologies in place, such as the Exploit Prevention engine, that are well-suited to detecting such threats. We hope that after reading this research, you’ll have a better understanding of not only what it takes to investigate an attack using a complex packer, but also how AMP is equipped to stop such attacks that planned on successfully evading static detection or thwarting the benefits of dynamic analysis from a malware sandbox.

    Read More

  • Emotet re-emerges after the holidays

    January 15, 2019 - 0 Comments

    While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn’t mean attackers don’t try to freshen it up. Cisco Talos recently discovered several new campaigns distributing the infamous banking trojan via email. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet.

    This latest strain has also gained the ability to check if the infected IP where the malicious email is being sent from is already blacklisted on a spam list. This could allow attackers to deliver more emails to users’ inboxes without any pushback from spam filters.


  • Vulnerability Deep Dive: TP-Link TL-R600VPN remote code execution vulnerabilities

    January 15, 2019 - 0 Comments

    Vulnerability discovery and research by Jared Rittle and Carl Hurd of Cisco Talos.


    TP-Link recently patched three vulnerabilities in their TL-R600VPN gigabit broadband VPN router, firmware version 1.3.0. Cisco Talos publicly disclosed these issues after working with TP-Link to ensure that a patch was available. Now that a fix is out there, we want to take the time to dive into the inner workings of these vulnerabilities and show the approach we took with our proof-of-concept code.


    The TP-Link TL-R600VPN is a five-port small office/home office (SOHO) router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. Except for a few proprietary instructions for handling unaligned load and store operations, these two instruction sets are essentially the same. The instructions that are not included in Lexra are LWL, SWL, LWR, and SWR. These proprietary instructions are often used when compiling a program for the more common MIPS-1 architecture and cause a segfault when encountered in Lexra. The knowledge of this key difference is imperative to assembling working code for the target.

    For more information about Lexra MIPS and its differences with the MIPS-1 architecture, refer to ‘The Lexra Story‘ and the MIPS-1 patent filing.

    Read more here

  • Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor

    January 10, 2019 - 0 Comments

    PyLocky is a family of ransomware written in Python that attempts to masquerade as a Locky variant. This ransomware will encrypt all files on a victim machine before demanding that the user pay a ransom to gain access to their decrypted files. To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process. 

    For more information, check out the full post here.

  • Why we want users’ feedback on Snort rule documentation

    January 9, 2019 - 0 Comments

    Today, Talos is launching a new community survey to solicit feedback on SNORTⓇ documentation.

    When Snort alerts the end user, the rule documentation is their first and possibly only avenue to find information on malicious traffic in their network. We know this can be better, and we want your help in determining what we can do to make Snort users more knowledgeable and provide them more information.

    So, we’re polling the community to find out what they need. To facilitate this, we’re sending out a five-minute survey to all users. We also plan to add feedback options to Snort documentation pages so users can communicate with us on an ongoing basis.

    With the feedback we receive from the survey, our analysts can provide targeted information to communicate the most useful details on rule alerts. The more information we gather on customer frustrations, the better chance we have of finding ways to solve them to create a community and customer base with the right arsenal to overcome their security challenges.

    For more information on this survey process, read the entire Snort blog post on this matter here. You can fill out the survey here.


  • Microsoft Patch Tuesday — January 2019: Vulnerability disclosures and Snort coverage

    January 9, 2019 - 0 Comments

    Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.

    This month’s security update covers security issues in a variety of Microsoft’s products, including the Jet Database Engine, Office SharePoint and the Chakra Scripting Engine. Check out Talos’ complete coverage of Microsoft Patch Tuesday here.