SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Opportunistic cyber criminals take advantage of Ukraine invasion
Description: Since the beginning of the war in Ukraine, Cisco Talos has observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February. These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). This is in addition to the malicious activity we've recently seen related to the crowd-sourced attacks in the region. This pattern is consistent with what we typically see following global events or crises, such as the COVID-19 pandemic, when opportunistic cybercriminals attempt to exploit high public interest for their own gain. Some campaigns attempt to spread malware by pointing users to malicious documents or URLs, while others are scammers pretending to be legitimate organizations or individuals looking to raise money to help residents of Ukraine.
Domains to blocklist:
IPs to blocklist:
Title: MuddyWater APT likely made up of smaller sub-groups
Description: Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe. In our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we're calling "SloughRAT" an implant known by "canopy" in CISA's most recent alert from February 2022 about MuddyWater. MuddyWater's variety of lures and payloads — along with the targeting of several different geographic regions — strengthens Talos’ growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target.
SNORT® SIDs: 59226 - 59230