SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New detection for wiper disguising itself as ransomware
Description: An APT with potential connections to Iran is spreading a new wiper malware that disguises itself as ransomware. The actor, known as Agrius, has been conducting cyber espionage dating back to November and recently shifted its focus to more destructive malware. It uses a backdoor known as IPsec Helper to deliver the wiper. The wiper deletes victims’ files completely but still informs them that their data was stolen and encrypted, in the hope of still receiving a ransom payment. The adversary exploits a few different vulnerabilities, but a favorite is a long-fixed path traversal vulnerability in Fortinet’s FortiOS operating system, CVE-2018-13379.
Snort SIDs: 57780 - 57782
Title: BazarLoader spreads via fake video streaming site
Description: The actors behind the BazarLoader trojan are using a new, fake video streaming site to lure victims into downloading their malware. The attackers send emails advertising a new service called "BravoMovies" from a company called UrbanCinema. The site uses legitimate movie posters to pose as a streaming service, but it ultimately only leads visitors to BazarLoader. BazarLoader is commonly used to download and execute other malicious files.
Snort SIDs: 57773