Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
We made waves this week with an article on malicious groups on Facebook. We discovered thousands of users who were offering to buy and sell various malicious services, such as carding, spamming and the creation of fake IDs. News outlets across the globe covered this story, including NBC News, Forbes and WIRED.
There’s also new research on the Gustuff malware. Researchers discovered this banking trojan earlier this year, and recently, we tracked it targeting Australian users in the hopes of stealing their login credentials to financial services websites.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Event: Cisco Connect Salt Lake City
Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
Title: Microsoft patches 74 vulnerabilities, 14 critical
Description: Microsoft released its monthly security update Tuesday, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 of which are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10.
Snort SIDs: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755
Title: Adobe fixes vulnerabilities in Flash Player, Acrobat
Description: Adobe patched vulnerabilities in 15 of its products this week as part of its monthly security update. The vulnerabilities disclosed include critical memory corruption bugs in Shockwave, as well as remote code execution vulnerabilities in Acrobat Reader.
Snort SIDs: 48293, 49294
SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
Typical Filename: max.exe
Claimed Product: 易语言程序
Detection Name: Win.Dropper.Armadillo::1201
SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
Typical Filename: cab.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201
SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
Typical Filename: ups.exe
Claimed Product: TODO: <产品名>
Detection Name: W32.Variant:XMRig.22fc.1201
Top 5 spam subjects observed
Top 5 most used ASNs for sending spam