![“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years](https://blog.talosintelligence.com/content/images/2024/03/threat-source-newsletter-2.jpg) Whether you want to call them "catfishing," "pig butchering" or just good 'old-fashioned "social engineering," romance scams have been around forever. I was first introduced to them through the MTV show "Catfish," but recently they seem to be making headlines as the term "pig butchering" enters the public lexicon. John Oliver [_recently covered it on "Last Week Tonight,"_]() which means everyone my age with an HBO account heard about it a few weeks ago. And one of my favorite podcasts going, "Search Engine," just [_covered it in an episode_](). The concept of "pig butchering" scams generally follows the same chain of events: * An unknown phone number texts or messages a target with a generally harmless message, usually asking for a random name disguised as an "Oops, wrong number!" text. * When the target responds, the actor tries to strike up a conversation with a friendly demeanor. * If the conversation persists, they usually evolve into "love bombing," including compliments, friendly advice, ego-boosting, and saying flattering things about any photos the target has sent. * Sometimes, the relationship may turn romantic. * The scammer eventually "butchers" the "pig" that has been "fattened up" to that point, scamming them into handing over money, usually in the form of a phony cryptocurrency app, or just straight up asking for the target to send the scammer money somehow. There are a few twists and turns along the way based on the exact scammer, but that's generally how it works. What I think is important to remember is that this specific method of separating users from their money is not actually new. The FBI seems to [_release a renewed warning_]() about romance scams every Valentine's Day when people are more likely to fall for a stranger online wanting to make a real connection and then eventually asking for money. I even found [_a podcast from the FBI in 2015_]() in which they warned that scammers "promise love, romance, to entice their victims online," estimating that romance-related scams cost consumers $82 million in the last half of 2014. The main difference that I can tell between "pig butchering" and past romance scams is the sheer scale. Many actors running these operations are [_relying on human trafficking_]() and sometimes [_literal imprisonment_](), forcing these people against their will to send these mass blocks of messages to a variety of targets indiscriminately. Oftentimes in these groups, scammers who are less "successful" in luring victims can be verbally and physically harassed and punished. That is, of course, a horrible human toll that these operations are taking, but they also extend far beyond the world of cybersecurity. In the case of pig butchering scams, it's not really anything that can be solved by a cybersecurity solution or sold in a package. Instead, it relies on user education and the involvement of law enforcement agencies and international governments to ensure these farms can't operate in the shows. The founders who run them are brought to justice. It's never a bad thing that users become more educated on these scams, because of that, but I also feel it's important to remember that romance-related scams, and really any social engineering built on a personal "relationship," has [_been around for years_](), and "pig butchering" is not something new that just started popping up. These types of scams are ones that our culture has kind of just accepted as part of daily life at this point (who doesn't get surprised when they get a call about their "car's extended warranty?), and now the infrastructure to support these scams is taking a larger human toll than ever. ## The one big thing Talos has [yet another round of research]() into the Turla APT, and now we're able to see the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclsions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service. ### Why do I care? Turla, and this recently discovered TinyTurlaNG tool that Talos has been writing about, is an international threat that's been around for years, so it's always important for the entire security community to know what they're up to. Most recently, Turla used these tactics to [_target Polish non-governmental organizations (NGOs)_]() and steal sensitive data. ## So now what? During Talos' research into TinyTurla-NG, we've released several new rounds of detection content for Cisco Secure products. Read our [_past two blog posts_]() on this actor for more. # Top security headlines of the week **The Biden administration issued a renewed warning to public water systems and operators this week,** saying state-sponsored actors could carry out cyber attacks soon, citing ongoing threats from Iran and China. The White House and U.S. Environmental Protection Agency sent a letter to every U.S. governor this week warning them that cyber attacks could disrupt access to clean drinking water and "impose significant costs on affected communities." The letter also points to the U.S. Cyber and Infrastructure Security Agency's list of known exploited vulnerabilities catalog, asking the managers of public water systems to ensure their systems are patched against these vulnerabilities. The EPA pointed to Volt Typhoon, a recently discovered Chinese APT that has reportedly been hiding on critical infrastructure networks for an extended period. A meeting among federal government leaders from the EPA and other related agencies is scheduled for March 21 to discuss threats to public water systems and how they can strengthen their cybersecurity posture. ([_Bloomberg_](), [_The Verge_]()) **UnitedHealth says it's still recovering from a cyber attack that's halted crucial payments to health care providers across the U.S.,** but has started releasing some of those funds this week, and expects its payment processing software to be back online soon. The cyber attack, first disclosed in February, targeted Change Healthcare, a subsidiary of United, that handles payment processing and pharmaceutical orders for hospital chains and doctors offices. UnitedHealth's CEO said in a statement this week that the company has paid $2 billion to affected providers who spent nearly a month unable to obtain those funds or needing to switch to a paper billing system. A recently published survey from the American Hospital Association found that 94 percent of hospitals that responded experienced financial disruptions from the Change Healthcare attack, and costs at one point were hitting $1 million in revenue per day. ([_ABC News_](), [_CNBC_]()) **Nevada's state court system is currently weighing a case that could undo end-to-end encryption across the U.S.** The state's Attorney General is currently suing Meta, the creators of Facebook, Instagram and WhatsApp, asking the company to remove end-to-end encryption for minors on the platform, with the promise of being able to catch and charge users who abuse the platform to lure minors. However, privacy advocates are concerned that any rulings against Meta and its encryption policies could have larger ripple effects, and embolden others to challenge encryption in other states. Nevada is arguing that Meta's Messenger a "preferred method" for individuals targeting Nevada children for illicit activities. Privacy experts are in favor of end-to-end encryption because it safeguards messages during transmission and makes it more difficult for other parties to intercept and read them -- including law enforcement agencies. ([_Tech Policy Press_](), [_Bloomberg Law_]()) # Can't get enough Talos? * [_The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions_]() * [_Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know_]() * [_Talos Takes Ep. #176: Why no one should be relying on passive security in 2024_]() * [_Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word_]() * [_Netgear wireless router open to code execution after buffer overflow vulnerability_]() # Upcoming events where you can find Talos [**_Botconf_**]()** (April 23 - 26)** _Nice, Cote d'Azur, France_ > _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._ []() [**_CARO Workshop 2024_**]()** (May 1 - 3)** _Arlington, Virginia_ > Over the past year, we've observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years. [**_RSA_**]()** (May 6 - 9)** _San Francisco, California_ ## Most prevalent malware files from Talos telemetry over the past week **SHA 256:** [0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647]() **MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790 **Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir **Claimed Product:** N/A **Detection Name:** Win.Dropper.Scar::1201 **SHA 256:** [9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507]() **MD5: **2915b3f8b703eb744fc54c81f4a9c67f **Typical Filename:** VID001.exe **Claimed Product:** N/A **Detection Name: **Win.Worm.Coinminer::1201 **SHA 256:** [a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91]() **MD5:** 7bdbd180c081fa63ca94f9c22c457376 **Typical Filename:** c0dwjdi6a.dll | **Claimed Product:** N/A **Detection Name: **Trojan.GenericKD.33515991 **SHA 256:** [7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5]() **MD5:** ff1b6bb151cf9f671c929a4cbdb64d86 **Typical Filename:** endpoint.query **Claimed Product: **Endpoint-Collector **Detection Name:** W32.File.MalParent **SHA 256:** [e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3]() **MD5:** c16df0bfc6fda86dbfa8948a566d32c1 **Typical Filename:** CEPlus.docm **Claimed Product:** N/A **Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

Query Builder