Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
This week was stacked with original research. First up was the Sodinokibi ransomware, which we saw being distributed via a zero-day vulnerability in Oracle WebLogic. Today, we also released our findings on a new variant of Qakbot, which is more difficult to detect than older versions.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Event: Copenhagen Cybercrime Conference
Location: Industriens Hus, Copenhagen, Denmark
Date: May 29
Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to direct DNSs. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.
Title:Oracle vulnerability opens users to remote code execution attacks
**Description:**Oracle released an out-of-band pouch for WebLogic servers that could allow an attacker to carry out remote code execution attacks. Security researchers discovered the bug being exploited earlier this month by attackers in the wild. Oracle assigned the bug CVE-2019-2725 and gave it a CVSS score of 9.8/10, highlighting how serious the issue is. WebLogix server owners are urged to update as soon as possible.
Snort SIDs: 49942, 49943
Title: JasperLoader targets Europe with Gootkit banking trojan **Description: **A loader known as “JasperLoader” has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries, with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process. Snort SIDs: 49914, 49915
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 **MD5:**47b97de62ae8b2b927542aa5d7f3c858 **Typical Filename:**qmreportupload.exe **Claimed Product:**qmreportupload Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 **MD5:**4a50780ddb3db16ebab57b0ca42da0fb **Typical Filename: **xme64-2141.exe **Claimed Product:**N/A **Detection Name: **W32.7ACF71AFA8-95.SBX.TG
SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a **Typical Filename: **Tempmf582901854.exe **Claimed Product:**N/A **Detection Name: **W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b **MD5:**799b30f47060ca05d80ece53866e01cc **Typical Filename:**799b30f47060ca05d80ece53866e01cc.vir **Claimed Product:**N/A **Detection Name: **W32.Generic:Gen.21ij.1201
SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed **MD5:**6372f770cddb40efefc57136930f4eb7 **Typical Filename:**maftask.zip **Claimed Product: **N/A **Detection Name: **PUA.Osx.Adware.Gt32supportgeeks::tpd