SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Infamous RAT returns in COVID-related scams
Description: The Agent Tesla remote access trojan (RAT) is back again, this time using COVID-19-related phishing documents as its initial infection vector. Attackers are sending emails claiming to have a COVID-19 vaccine schedule attached as an RTF document. The malicious attachment exploits a known Microsoft Office remote code execution vulnerability, CVE-2017-11882, to infect the victim with Agent Tesla. This version of the RAT appears to be the most recent, with updated anti-detection capabilities and data theft tools. Although many countries, including the U.S., are starting to loosen pandemic restrictions as vaccination rates increase, this campaign shows that attackers will continue using COVID-19 as a popular spam topic.
Reference: https://threatpost.com/agent-tesla-covid-vax-phish/167082/
Snort SIDs: 57787
Title: Attackers may be relying on one another to access corporate networks
Description: A new report indicates that APTs may be exchanging information and money as part of a vast network of cyber criminals distributing ransomware. Some of these groups buy access from other, independent adversaries who infiltrate major targets and eventually receive part of the proceeds from a successful ransomware infection. As part of this, security researchers at Proofpoint uncovered several new actors. One of these groups, which it named TA577, has been active since mid-2020. It’s used several ransomware payloads including SmokeLoader, IcedID, Ursnif and Cobalt Strike.
References:
-https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
Snort SIDs: 57786, 57791