This release contains 20 new rules, 30 modified rules and 11 new shared object rules.
Tuesday's release provides protection against the Moonshine attack, a recent campaign aimed at installing spyware onto Tibetan leaders' mobile devices.
Talos has added and modified multiple rules in the file-multimedia, file-other, malware-cnc, malware-other, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
We would like to highlight the rule below:
- 51672: This rule protects against the Moonshine attack, which researchers recently discovered being used in the wild. An APT known as "Poison Karp" used Moonshine to load spyware onto mobile devices belonging to members of the Tibetan government. The attack consists of a mixture of eight different vulnerabilities in the Android mobile operating system, but no zero-days. Researchers say the attackers targeted staffers of the Dalai Lama once in 2018, and then again in April and May of this year. Lilia Gonzalez Medina wrote this rule.