Malware Analysis
Custom dropper hide and seek
Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users’ passwords, track their habits online and hijack personal information. Cisco Talos has monitored adversaries which a…
GhIDA: Ghidra decompiler for IDA Pro
Cisco Talos is releasing two new tools for IDA Pro: GhIDA and Ghidraaas. GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in the IDA workflow, giving users the ability to rename and highlight symbols and improved navigation and comments. GhIDA assists the reverse-engineering process…
RAT Ratatouille – Backdooring PCs with leaked RATs
Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously r…
GlitchPOS: New PoS malware for sale
Warren Mercer and Paul Rascagneres authored this post with contributions from Ben Baker. Executive summary Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately use that information for financial gain. This type of malware is gene…
Combing Through Brushaloader Amid Massive Detection Uptick
Nick Biasini and Edmund Brumaghin authored this blog post with contributions from Matthew Molyett. Executive Summary Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to systems…
Metamorfo Banking Trojan Keeps Its Sights on Brazil
This blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura. Executive Summary Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card informat…
Advanced Mobile Malware Campaign in India uses Malicious MDM – Part 2
This blog post is authored by Warren Mercer and Paul Rascagneres and Andrew Williams. Summary Since our initial post on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple pla…
Advanced Mobile Malware Campaign in India uses Malicious MDM
This blog post is authored by Warren Mercer and Paul Rascagneres and Andrew Williams. Summary Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled…
GravityRAT – The Two-Year Evolution Of An APT Targeting India
This blog post is authored by Warren Mercer and Paul Rascagneres. Summary Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT…