Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We recently took a deep dive into the Remcos remote access tool (RAT) that exists in somewhat of a gray area. While the creators of the RAT say they sell it only for legal purposes, our researchers have seen it being used in the wild to run an illegal botnet. Here’s a closer look at Remcos, including the multiple malware campaigns it has been involved in.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
Location: CactusCon, Mesa Convention Center in Mesa, Arizona
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary's perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it's always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn't have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
Description: A remote code execution vulnerability exists in Apache Struts 2 due to a coding deficiency. The attack is possible when the namespace value is not set properly for a result while the parent action configuration(s) also have a blank namespace field. The same condition can also occur with the URL tag.
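The configuration condition described above, shown as an added struts.xml illustration (not code from the Talos write-up): the first package leaves both the package namespace and the redirectAction result's namespace unset, the combination the description refers to, while the second sets an explicit namespace at both points. Package, action and class names are assumed.

```xml
<!-- Added illustration; package, action and class names are assumed, not from the page. -->
<struts>

  <!-- Weak: no namespace on the package, and the redirectAction result
       does not set one either, so the namespace is left unset on both
       the result and its parent action configuration. -->
  <package name="legacy" extends="struts-default">
    <action name="home" class="com.example.HomeAction">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
      </result>
    </action>
  </package>

  <!-- Hardened: explicit namespace on the package and on the result,
       so no namespace is left blank for the framework to fill in. -->
  <package name="app" namespace="/app" extends="struts-default">
    <action name="home" class="com.example.HomeAction">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>

</struts>
```

The same applies to the URL tag in views: write `<s:url action="dashboard" namespace="/app"/>` rather than omitting the namespace attribute, and apply the vendor's fixed release alongside the configuration review.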
Description: The Marap malware has been spotted targeting financial institutions over the past month. It is spread through a variety of email campaigns in the hopes of getting a user to download multiple malicious attachments. Marap is modular and flexible, meaning the attackers can download other payloads onto a victim machine once the initial installation is complete.
Description: A new ransomware known as “KeyPass” has been spreading over the past month, encrypting data in more than 20 different countries. The malware uses fake installers disguised as harmless software to download the module. KeyPass makes a copy of its executable in the LocalAppData folder, launches the ransomware, and then deletes the file.
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.