SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: High-profile Russian APT develops new backdoor tool
Description: Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware. The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service "Windows Time Service", like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.
ClamAV signature: Win.Trojan.Turla-9891506-1
Cisco Secure OSQuery: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_tinyturla_registry_persistence.yaml
Title: Microsoft releases updated protection for OMIGOD vulnerabilities
Description: Microsoft updated its patches for the so-called “OMIGOD” vulnerabilities in Open Management Infrastructure. The most severe vulnerability, CVE-2021-38647, could allow an attacker to remotely execute code. The three others (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) could allow an adversary to obtain higher-level privileges on the targeted machine. Microsoft first disclosed these vulnerabilities last week as part of its monthly Patch Tuesday. However, security researchers found that some Linux machines could still be attacked using these exploits, prompting Microsoft to release updated guidance.
Snort SID: 58169