SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: PoetRAT malware evolves to be slimmer, faster and harder to detect
Description: Cisco Talos is tracking the behavior of the attackers behind the PoetRAT threat, who continue to target public and private entities in Azerbaijan. Talos observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. This actor continues to use spear-phishing attacks to lure a user into downloading a malicious document from temporary hosting providers. The emails contain malicious URLs; when the user clicks one, a malicious document is downloaded. Previous versions of PoetRAT deployed a Python interpreter to execute the included source code, which resulted in a much larger file size than the latest version, which has switched to Lua scripts.
References: https://blog.talosintelligence.com/2020/10/poetrat-update.html
Snort SIDs: 53689 - 53691
Title: Emotet now using politically charged emails
Description: The infamous Emotet botnet is now using lure documents that disguise themselves as being from the Democratic National Committee. Attackers sent emails to numerous American organizations last week with the title "Team Blue Take Action." If the user opens the attachment, it asks them to enable macros. Once macros are enabled, the file downloads Emotet and a few other malicious tools. Emotet went quiet in early 2020, but has since reemerged and has changed its tactics since the summer.
References: https://www.darkreading.com/threat-intelligence/emotet-spoofs-dnc-in-new-attack-campaign/d/d-id/1339075
Snort SIDs: 55870 - 55874