Cisco Threat Research Blog

This post was authored by Nick Biasini

Exploit Kits are constantly altering their techniques to compromise additional users while also evading detection. Talos sees various campaigns start and stop for different exploit kits all the time. Lately a lot of focus has been put on Angler, and rightly so since it has been innovating continually. Nuclear is another sophisticated exploit kit that is constantly active. However, over the last several weeks the activity had ramped down considerably to a small trickle. Starting several days ago that activity began ramping up again and Talos has uncovered some interesting findings during its analysis.

There are several large scale concurrent campaigns going on with Nuclear right now, but one in particular stood out. This campaign is using some familiar techniques borrowed from other exploit kits as well as a new layer of sophistication being added with mixed success. Attackers are always trying to work the balance of evasion and effectiveness trying to evade detection while still being effective in compromising systems. This is especially evident in those hacking for monetary gain in non-targeted attacks. Talos has found a Nuclear campaign using both Domain Shadowing and HTTP 302 cushioning prevalent in Angler. The biggest change is that it appears to be so sophisticated that it’s not working properly. (more…)

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 8 bulletins being released which address 45 CVE. Two of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer and Windows Media Player. The remaining six bulletins are marked as Important and address vulnerabilities in Microsoft Office, Windows Kernel, Active Directory, Microsoft Exchange Server, and Microsoft Common Controls.

(more…)

This post was authored by Nick Biasini

Talos has found a new SPAM campaign that is using multiple layers of obfuscation to attempt to evade detection.  Spammers are always evolving to get their messages to the end users by bypassing SPAM filters while still appearing convincing enough to get a user to complete the actions required to infect the system. The end payload for this campaign is Cryptowall 3.0. Talos has covered this threat repeatedly and this is another example of how the success of Ransomware has pushed it to one of the top threats we are seeing today. Whether its Exploit Kits or SPAM messages threat actors are pushing as many different variants of Ransomware as possible.

Email Details

The use of resume based SPAM isn’t anything new.  An analysis of our telemetry has found countless messages in the last 30 days related to Resumes. Threat actors have tried many different techniques associated with these messages including using password protected zip files, word documents with embedded macros, and malicious URLs redirecting back to a malicious sample. This threat combined a series of techniques to try and avoid detection that has been surprisingly successful against some products. Below is a sample of one of the emails that we saw in our telemetry.

(more…)

This post was authored by Nick Biasini

Late last week Talos researchers noticed a drastic uptick in Angler Exploit Kit activity. We have covered Angler previously, such as the discussion of domain shadowing. This exploit kit evolves on an almost constant basis. However, the recent activity caught our attention due to  a change to the URL structure of the landing pages. This type of change doesn’t occur often and was coupled with some other interesting tidbits including how the HTTP 302 cushioning has evolved and the payload of another ransomware has changed.

During research Talos identified several active Angler campaigns delivering different payloads via different methods.  The first campaign was delivering Cryptowall, which will be covered in detail here. The second delivered Bedep with click fraud and illustrates the variety with which Angler can be used to deliver different payloads.  The details of Bedep with click fraud has been covered thoroughly and will not be specifically discussed in this article.

(more…)

This post was authored by Earl Carter & Jaeson Schultz.

Talos is always fascinated by the endless creativity of those who send spam. Miscreants who automate sending spam using botnets are of particular interest. Talos has been tracking a spam botnet that over the past several months that has been spamming weight loss products, male erectile dysfunction medication, and dating/casual sex websites.  These are all typical products one would expect to be purveyed through spam. What interests us about this spam are some of the ways the spam is constructed to try and evade detection (a.k.a. spam filters).

Beginning in March, Talos noted an absolute explosion in the usage of link shortening services in spam. After looking into the cause we found botnet ‘unknown2250’, as it is called by the Composite Block List (CBL), to be one of the primary parties responsible for this massive increase.

(more…)

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 13 bulletins being released which address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal.  The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, Sharepoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.

(more…)

This post was authored by Ben Baker and Alex Chiu.

Executive Summary

Threat actors and security researchers are constantly looking for ways to better detect and evade each other.  As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples.  Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.

Table of Contents
Executive Summary
The 10,000 Foot View at Rombertik
Analysis
A Nasty Trap Door
The Actual Malware
Coverage and Indicators of Compromise
Conclusion

It becomes critical for researchers to reverse engineer evasive samples to find out how attackers are attempting to evade analysis tools. It is also important for researchers to communicate how the threat landscape is evolving to ensure that these same tools remain effective. A recent example of these behaviors is a malware sample Talos has identified as Rombertik. In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record (MBR).

Talos’ goal is to protect our customer’s networks.  Reverse engineering Romberik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult.  Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams.  This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers. (more…)

This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau

Update 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008

Update 5/8: We’ve made the source code available via Github here

Update 6/9/2016: We’ve released a tool to decrypt any TeslaCrypt Version

After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.

(more…)

This post was authored by Nick Biasini and Joel Esler

Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days.  While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.

Execution

When Upatre is executed, a PDF document is quickly downloaded and displayed while Upatre is delivered in the background. The document displayed has been either one of two PDFs.  The first PDF, which was used until March 17, contained some information about Viagra:

(more…)