
The Week in Review from Stamus Labs


Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

Current Stamus Threat Intelligence (STI) release version: 404

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 11 (Mustang Panda, AllaKore, Micropsia, Buhtrap, Darkhotel, Spora, Shifr, TA456, FakeWallet, ZeroLogon, Ymacco)
  • Major changes to detection(s) [2]: 43
  • Updated threat detection(s) [3]: 165

Note: a "method", as referenced below, is a discrete detection vector for a given threat.

New Threat(s) Detected

The following detections were added to your Stamus NDR this past week:

Mustang Panda (APT)

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others.

Source: MITRE

Mustang Panda - malpedia

Total number of detection methods: 11
Kill chain phase(s): command and control, delivery
MITRE ATT&CK: T1587

AllaKore (RAT)

AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.

Source: Malpedia

AllaKore - MITRE - Multi-Stage Channels | AllaKore - MITRE - Ingress Tool Transfer | AllaKore - MITRE - System Information Discovery | AllaKore - MITRE - File and Directory Discovery

Total number of detection methods: 4
Kill chain phase(s): command and control

Micropsia (RAT)

Micropsia is a remote access tool written in Delphi.

Source: MITRE

Micropsia - deepinstinct

Total number of detection methods: 21
Kill chain phase(s): command and control, actions on objectives
MITRE ATT&CK: T1587

Buhtrap (APT)

Buhtrap has been active since 2014; however, their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure, which significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure, which provokes delays in servicing customers and additional losses. Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.

Source: Malpedia

Buhtrap - microsoft

Total number of detection methods: 2
Kill chain phase(s): command and control
MITRE ATT&CK: T1041

Darkhotel (APT)

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.

Source: MITRE

Darkhotel - microsoft | Darkhotel - malpedia

Total number of detection methods: 30
Kill chain phase(s): command and control, actions on objectives, delivery
MITRE ATT&CK: T1041

Spora (Ransomware)

Spora is a ransomware-type virus distributed via spam emails (malicious attachments). Each rogue email contains an HTA file which, once executed, extracts a JavaScript file ("closed.js"), placing it in the system "%Temp%" folder. The JavaScript file extracts an executable with a random name and runs it.

Source: Pcrisk

Spora - MITRE - Data Encrypted for Impact | Spora - MITRE - Phishing | Spora - MITRE - User Execution | Spora - malpedia | Spora - microsoft

Total number of detection methods: 6
Kill chain phase(s): command and control
MITRE ATT&CK: T1486

Shifr (Ransomware)

Once infiltrated, Shifr encrypts various files and appends the ".shifr" extension to the name of each encrypted file (for example, "sample.jpg" is renamed to "sample.jpg.shifr"). After successfully encrypting data, Shifr creates an HTML file ("HOW_TO_DECRYPT_FILES.html"), placing it in each folder containing encrypted files.

Source: Pcrisk

Shifr - MITRE - User Execution | Shifr - MITRE - Phishing | Shifr - MITRE - Data Encrypted for Impact

Total number of detection methods: 6
Kill chain phase(s): command and control
MITRE ATT&CK: T1486

TA456 (APT)

Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts.

Source: PFPT

TA456 - malpedia | TA456 - MITRE - User Execution | TA456 - MITRE - Phishing | TA456 - MITRE - Multi-Stage Channels | TA456 - MITRE - Ingress Tool Transfer | TA456 - MITRE - System Information Discovery | TA456 - MITRE - File and Directory Discovery | TA456 - MITRE - Collection | TA456 - MITRE - Malicious File | TA456 - MITRE - Exfiltration Over Alternative Protocol

Total number of detection methods: 2
Kill chain phase(s): delivery, command and control

FakeWallet (Cryptocurrency)

The main goal of these malicious apps is to steal users’ funds and until now we have seen this scheme mainly targeting Chinese users. As cryptocurrencies are gaining popularity, we expect these techniques to spread into other markets. This is further supported by the public sharing, in November 2021, of the source code of the front-end and back-end distribution website, including the recompiled APK and IPA files. We found this code on at least five websites, where it was shared for free, and thus expect to see more copycat attackers. From the posts we found, it is difficult to determine whether it was shared intentionally or if it leaked.

Source: Welivesecurity

FakeWallet - MITRE - Exfiltration Over Alternative Protocol | FakeWallet - MITRE - User Execution | FakeWallet - MITRE - Malicious Link | FakeWallet - MITRE - Exploitation for Client Execution

Total number of detection methods: 25
Kill chain phase(s): command and control

ZeroLogon (Lateral Movement)

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

Source: MITRE

ZeroLogon - MITRE - Exploitation for Privilege Escalation | ZeroLogon - MITRE - Abuse Elevation Control Mechanism | ZeroLogon - malwarebytes

Total number of detection methods: 7
Kill chain phase(s): exploitation

Ymacco (Trojan)

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Source: Trendmicro

Ymacco - MITRE - Multi-Stage Channels | Ymacco - MITRE - Ingress Tool Transfer | Ymacco - MITRE - System Information Discovery | Ymacco - MITRE - File and Directory Discovery

Total number of detection methods: 9
Kill chain phase(s): command and control, delivery

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

APT35 (APT)

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.

Source: MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 4

AveMaria RAT (RAT)

Ave Maria is a high-risk trojan designed to steal various information and to cause "chain infections" (spread other infections). It is typically proliferated using various spam email campaigns. Criminals send thousands of deceptive emails that contain infectious attachments, most of which are Microsoft Office (typically Excel) files. Emails are delivered with messages encouraging users to open the attached document; however, this results in infiltration of Ave Maria.

Source: Pcrisk

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control
Methods added: 1

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.

Source: MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
MITRE ATT&CK added: T1001
Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
Methods added: 2

Crimson (RAT)

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.

Source: MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): actions on objectives, command and control
Methods added: 3

Evilnum (APT)

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.

Source: Malpedia

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives
Methods added: 2

FIN7 (APT)

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.

Source: MITRE

Added kill chain phase(s): command and control, delivery
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 5

Gh0st (RAT)

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.

Source: MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
MITRE ATT&CK added: T1041
Previously existing MITRE ATT&CK: T1041
Methods added: 1

KillAV (Trojan)

Trojan.KillAV is Malwarebytes’ generic detection name for Trojans that are capable of disabling antivirus (AV) programs.

Source: Malwarebytes

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): delivery, command and control
Methods added: 2

MalDoc (Phishing)

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Source: MITRE

Added kill chain phase(s): delivery
Previously supported kill chain phase(s): delivery, command and control, actions on objectives
Methods added: 1

Meterpreter (Offensive Tools)

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Meterpreter was originally written by skape for Metasploit 2.x, common extensions were merged for 3.x, and it is currently undergoing an overhaul for Metasploit 3.3. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language but Metasploit has a full-featured Ruby client API.

Source: OffensiveSecurity

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): actions on objectives, command and control, delivery
Methods added: 1

PlugX (RAT)

PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups.

Source: MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 3

PurpleFox (Exploit Kit)

The Purple Fox exploit kit (EK) has added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks – and researchers say they expect more attacks to be added in the future.

Source: ThreatPost

Added kill chain phase(s): delivery
Previously supported kill chain phase(s): exploitation, delivery, command and control
Methods added: 2

Remcos (RAT)

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.

Remcos has been observed being used in malware campaigns.

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 1

Stealer and Exfiltration (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

  • hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
  • using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
  • form grabbing (finding specific opened windows and stealing their content)
  • keylogging
  • stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C).

Source: Malwarebytes

Added kill chain phase(s): actions on objectives, command and control
Previously supported kill chain phase(s): actions on objectives, command and control, exploitation, delivery
Methods added: 9

TransparentTribe (APT)

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.

Source: Malpedia

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): delivery, command and control
Methods added: 2

TrojanSpy-Android (Data Theft)

Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device.

Source: Kaspersky

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 3

Unk (RAT)

This threat can give a malicious hacker unauthorized access and control of your PC.

Source: Microsoft

Added kill chain phase(s): delivery
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 1

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods. For each threat, "New coverage" lists what was added this week and "Total coverage" lists everything now supported.

| Name of threat | New: detection methods | New: kill chain phases | New: protocols involved | Total: detection methods | Total: kill chain phases | Total: protocols involved | Last updated |
|---|---|---|---|---|---|---|---|
| APT35 | 4 | command and control | dns, http | 128 | command and control, delivery | dns, ftp, http, tcp, tls | 2022-03-31 |
| AllaKore | 4 | command and control | tcp-pkt, tcp | 4 | command and control | tcp-pkt, tcp | 2022-03-30 |
| AveMaria RAT | 1 | command and control | dns | 11 | command and control | dns, tcp | 2022-03-30 |
| Buhtrap | 2 | command and control | http, dns | 2 | command and control | http, dns | 2022-03-30 |
| Cobalt Strike | 2 | command and control | dns, http | 340 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-03-31 |
| Crimson | 3 | command and control | tcp-pkt | 25 | actions on objectives, command and control | tcp, tcp-pkt | 2022-03-30 |
| Darkhotel | 30 | command and control, actions on objectives, delivery | http, dns, smtp, tcp | 30 | command and control, actions on objectives, delivery | http, dns, smtp, tcp | 2022-03-30 |
| Evilnum | 2 | command and control | dns | 20 | actions on objectives, command and control | dns, http | 2022-03-31 |
| FIN7 | 5 | command and control, delivery | http, dns, tls | 83 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-03-30 |
| FakeWallet | 25 | command and control | tls, http | 25 | command and control | tls, http | 2022-03-31 |
| Gh0st | 1 | command and control | tcp | 161 | actions on objectives, command and control, delivery | dns, http, tcp | 2022-03-30 |
| KillAV | 2 | command and control | tcp-pkt | 6 | command and control, delivery | http, tcp-pkt | 2022-04-02 |
| MalDoc | 1 | delivery | http | 460 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-03-30 |
| Meterpreter | 1 | command and control | tls | 86 | actions on objectives, command and control, delivery | http, tcp, tls | 2022-03-31 |
| Micropsia | 20 | command and control, actions on objectives | tls, http, dns | 21 | command and control, actions on objectives | tls, http, dns | 2022-03-30 |
| Mustang Panda | 11 | command and control, delivery | http, tls, dns | 11 | command and control, delivery | http, tls, dns | 2022-04-01 |
| PlugX | 3 | command and control | dns, http | 53 | command and control, delivery | dns, http, tcp, tcp-pkt, tls, udp | 2022-04-01 |
| PurpleFox | 2 | delivery | http | 17 | command and control, delivery, exploitation | dns, http, tcp, tls | 2022-03-29 |
| Remcos | 1 | command and control | tcp | 803 | command and control, delivery | dns, http, tcp | 2022-03-30 |
| Shifr | 6 | command and control | tls, dns | 6 | command and control | tls, dns | 2022-03-31 |
| Spora | 6 | command and control | dns, http, tls | 6 | command and control | dns, http, tls | 2022-03-31 |
| Stealer and Exfiltration | 9 | actions on objectives, command and control | http, tls, dns | 203 | actions on objectives, command and control, delivery, exploitation | dns, ftp, http, smtp, tcp, tls | 2022-04-02 |
| TA456 | 2 | delivery, command and control | http | 2 | delivery, command and control | http | 2022-03-31 |
| TransparentTribe | 2 | command and control | http, tcp-pkt | 9 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-03-29 |
| TrojanSpy-Android | 3 | command and control | http | 334 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-03-29 |
| Unk | 1 | delivery | http | 185 | actions on objectives, command and control, delivery | dns, ftp, http, smtp, tcp, tls | 2022-04-02 |
| Ymacco | 9 | command and control, delivery | http | 9 | command and control, delivery | http | 2022-03-31 |
| ZeroLogon | 7 | exploitation | tcp-pkt, smb | 7 | exploitation | tcp-pkt, smb | 2022-03-31 |
