Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Never assume that a malware family is really dead. We’ve done it time and time again with things like Emotet, and Gustuff is proving it once again. The banking trojan, after we first discovered it earlier this year, is back with a version 2, targeting a new round of victims and deploying new anti-detection techniques.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
**Event:**Talos at BSides Belfast**** **Location: **Titanic Belfast, Belfast, Northern Ireland **Date: **Oct. 31 **Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumaghin and Earl Carter will deliver their “It’s Never DNS…It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS. **
****Event:“It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
**Location:**Charleston Coliseum & Convention Center, Charleston, WV
**Date:**Nov. 15 - 17
**Speakers:**Edmund Brumaghin and Earl Carter
**Synopsis:**While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Title:Gustuff V2
**Description:**The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS. The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions.
**Snort SIDs:51908 - 51922
** ****Title:Attackers use malicious GIFs to attack WhatsApp
**Description:**The WhatsApp messaging app contains a double-free vulnerability. An attacker could exploit this vulnerability, identified as CVE-2019-11932, to carry out a variety of malicious activities, including memory leaks and arbitrary code execution. The exploitation of this bug requires the attacker to send a WhatsApp user a specially crafted GIF. These rules prevent attackers from carry out remote code execution through these GIFs. **** **Snort SIDs: **51953 - 51956 (By Tim Muniz)
SHA 256:7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
**MD5:**4a50780ddb3db16ebab57b0ca42da0fb
**Typical Filename:**xme64-2141.exe
**Claimed Product:**N/A
**Detection Name:**W32.7ACF71AFA8-95.SBX.TG
SHA 256:46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
**MD5:**db69eaaea4d49703f161c81e6fdd036f
**Typical Filename:**xme32-2141-gcc.exe
**Claimed Product:N/A
Detection Name:W32.46B241E3D3-95.SBX.TG **
****SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
**MD5:**e2ea315d9a83e7577053f52c974f6a5a
**Typical Filename:**c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
**Claimed Product:**N/A
**Detection Name:**W32.AgentWDCR:Gen.21gn.1201
SHA 256:85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5**** **MD5: **8c80dd97c37525927c1e549cb59bcbf3 **Typical Filename: **Eternalblue-2.2.0.exe **Claimed Product: **N/A **Detection Name: **W32.WNCryLdrA:Trojan.22k2.1201
SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
**MD5:**799b30f47060ca05d80ece53866e01cc
**Typical Filename:**mf2016341595.exe
Claimed Product:N/A **Detection Name: **W32.Generic:Gen.22fz.1201