12-April-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 410
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes
SteamStealer - micrososft | SteamStealer - bartblaze | SteamStealer | SteamStealer - MITRE - User Execution | SteamStealer - MITRE - Malicious Link | SteamStealer - MITRE - Exfiltration Over C2 Channel | SteamStealer - MITRE - Exfiltration Over Alternative Protocol | SteamStealer - MITRE - Ingress Tool Transfer | SteamStealer - MITRE - System Information Discovery | SteamStealer - MITRE - File and Directory Discovery | SteamStealer - MITRE - Multi-Stage Channels |
Total number of detection methods: 9
Kill chain phase(s): command and control, actions on objectives
MITRE ATT&CK: T1587
SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020. MITRE
SodaMaster - malpedia | SodaMaster - microsoft |
Total number of detection methods: 4
Kill chain phase(s): command and control
ConPtyShell is a Fully Interactive Reverse Shell for Windows systems.
The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals. ConPtyShell uses this feature to literally transform your bash in a remote powershell.
Briefly, it creates a Pseudo Console and attaches 2 pipes. Then it creates the shell process (default powershell.exe) attaching the Pseudo Console with redirected input/output. Then starts 2 Threads for Async I/O: - one thread for reading from the socket and writing to Pseudo Console input pipe; - the second thread for reading from the Pseudo Console output pipe and writing to the socket. Github
ConPtyShell - microsoft | ConPtyShell - MITRE - Command and Scripting Interpreter: PowerShell |
Total number of detection methods: 3
Kill chain phase(s): actions on objectives
Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself. MITRE
Shamoon - malpedia | Shamoon - microsoft |
Total number of detection methods: 6
Kill chain phase(s): command and control, exploitation
MITRE ATT&CK: T1041
Discovered by GrujaRS, MZ434376 is a malicious program belonging to the KesLan ransomware family. It is designed to encrypt data and then demand ransom payments for decryption. During the encryption process, all compromised files are renamed with the ".MZ434376" extension. Pcrisk
Sifrelendi - MITRE - Data Encrypted for Impact |
Total number of detection methods: 1
Kill chain phase(s): command and control
MITRE ATT&CK: T1486
SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers. MITRE
SYSCON - malpedia | SYSCON - microsoft |
Total number of detection methods: 6
Kill chain phase(s): actions on objectives, command and control
XpertRAT is a Remote Administration Trojan, a malicious program that allows cyber criminals to remotely access and control infected computers. Typically, users download and install this software inadvertently because they are tricked. Pcrisk
XpertRAT - malpedia | XpertRAT - microsoft | XpertRAT - MITRE - Phishing | XpertRAT - MITRE - User Execution | XpertRAT - MITRE - System Information Discovery | XpertRAT - MITRE - File and Directory Discovery | XpertRAT - MITRE - User Execution | XpertRAT - MITRE - Ingress Tool Transfer | XpertRAT - MITRE - Multi-Stage Channels |
Total number of detection methods: 9
Kill chain phase(s): command and control
MITRE ATT&CK: T1041
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes
Backconnet - microsfot | Backconnet - MITRE - Command and Scripting Interpreter: PowerShell | Backconnet - MITRE - Ingress Tool Transfer |
Total number of detection methods: 5
Kill chain phase(s): command and control
The malware, Trojan.Verblecon, is being used in attacks that appear to have installing cryptocurrency miners on infected machines as their end goal. There are some indications the attacker may also be interested in stealing access tokens for chat app Discord. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Verblecon was first spotted by analysts from Symantec, a division of Broadcom Software, in January 2022. Symantec
Verblecon - MITRE - Steal Application Access Token | Verblecon - MITRE - System Information Discovery | Verblecon - MITRE - File and Directory Discovery | Verblecon - MITRE - User Execution | Verblecon - MITRE - Resource Hijacking | Verblecon - malpedia |
Total number of detection methods: 9
Kill chain phase(s): command and control
ToxicEye, a new remote access trojan
...Check Point Research (CPR) has seen over 130 attacks using a new multi-functional remote access trojan (RAT) dubbed ‘ToxicEye.’ ToxicEye is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of exploits without the victim’s knowledge, including:
stealing data deleting or transferring files killing processes on the PC hijacking the PC’s microphone and camera to record audio and video encrypting files for ransom purposes
ToxicEye is managed by attackers over Telegram, communicating with the attacker’s C&C server and exfiltrating data to it. Checkpoint
ToxicEye - malpedia | ToxicEye - MITRE - Ingress Tool Transfer | ToxicEye - MITRE - Multi-Stage Channels | ToxicEye - MITRE - User Execution | ToxicEye - MITRE - Phishing |
Total number of detection methods: 6
Kill chain phase(s): command and control, actions on objectives
The ransomware uses AES encryption and appends ".lucky" to infected files. The malware is capable of spreading without user interaction and takes advantage of flaws in a range of software applications including Windows, JBoss, WebLogic, Tomcat, Apache Struts, and Spring Data Commons. Mcafee
Lucky - microsoft | Lucky - cyware | Lucky - malpedia | Lucky - MITRE - Data Encrypted for Impact | Lucky - MITRE - Multi-Stage Channels | Lucky - MITRE - Abuse Elevation Control Mechanism | Lucky - MITRE - Ingress Tool Transfer | Lucky - MITRE - System Information Discovery |
Total number of detection methods: 28
Kill chain phase(s): command and control, installation, actions on objectives, delivery
MITRE ATT&CK: T1486
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1][2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. Wikipedia
Total number of detection methods: 19
Kill chain phase(s): actions on objectives, command and control
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published. ESET
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives
Methods added: 12
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 3
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Added kill chain phase(s): command and control, actions on objectives
Previously supported kill chain phase(s): actions on objectives, command and control
Methods added: 9
FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery, actions on objectives
Methods added: 3
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.
Source: MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
MITRE ATT&CK added: T1041
Previously existing MITRE ATT&CK: T1041
Methods added: 2
Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. The iOS version is tracked separately under Pegasus for iOS. MITRE
Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. The Android version is tracked separately under Pegasus for Android. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives
Methods added: 20
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 2
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
- redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery, installation
Methods added: 1
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
Added kill chain phase(s): command and control, delivery
Previously supported kill chain phase(s): command and control, delivery, installation, actions on objectives
Methods added: 6
This threat can give a malicious hacker unauthorized access and control of your PC. Microsoft
Added kill chain phase(s): delivery
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 1
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links. Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): delivery, command and control, actions on objectives, weaponization
Methods added: 1
Vidar (also known as Vidar Stealer) is a trojan (a malicious program) commonly used by cyber criminals. The program steals various personal information from users who have computers infected with the virus. Pcrsik
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): actions on objectives, command and control, delivery
Methods added: 2
Winnti for Windows is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware. [1] [2] [3] The Linux variant is tracked separately under Winnti for Linux. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control
Methods added: 2
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT-C-23 | 12 | command and control | dns, tls | 434 | actions on objectives, command and control | dns, http, tls | 2022-04-08 |
| APT35 | 3 | command and control | dns | 131 | command and control, delivery | dns, ftp, http, tcp, tls | 2022-04-07 |
| Backconnet | 5 | command and control | tcp | 5 | command and control | tcp | 2022-04-07 |
| BlackGuard | 9 | command and control, actions on objectives | dns, tls, http | 12 | actions on objectives, command and control | dns, http, tls | 2022-04-07 |
| ConPtyShell | 3 | actions on objectives | tcp | 3 | actions on objectives | tcp | 2022-04-07 |
| FIN7 | 3 | command and control | tls | 86 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-04-06 |
| Gh0st | 2 | command and control | tcp | 163 | actions on objectives, command and control, delivery | dns, http, tcp | 2022-04-09 |
| Lucky | 26 | actions on objectives, command and control, delivery, installation | http, dns | 28 | actions on objectives, command and control, delivery, installation | http, dns | 2022-04-07 |
| Pegasus | 20 | command and control | dns | 42 | actions on objectives, command and control | dns, http, tls | 2022-04-08 |
| Remcos | 2 | command and control | tcp | 805 | command and control, delivery | dns, http, tcp | 2022-04-05 |
| SYSCON | 6 | actions on objectives, command and control | tcp | 6 | actions on objectives, command and control | tcp | 2022-04-07 |
| Shamoon | 6 | command and control, exploitation | tcp, http, smb | 6 | command and control, exploitation | tcp, http, smb | 2022-04-07 |
| Sifrelendi | 1 | command and control | tcp | 1 | command and control | tcp | 2022-04-07 |
| SodaMaster | 4 | command and control | dns, tls, http | 4 | command and control | dns, tls, http | 2022-04-07 |
| SteamStealer | 8 | command and control, actions on objectives | dns, tls, http, tcp | 9 | command and control, actions on objectives | dns, tls, http, tcp | 2022-04-07 |
| TA457 | 19 | actions on objectives, command and control | dns, tcp, http, tcp-pkt | 19 | actions on objectives, command and control | dns, tcp, http, tcp-pkt | 2022-04-07 |
| ToxicEye | 6 | command and control, actions on objectives | http | 6 | command and control, actions on objectives | http | 2022-04-07 |
| Trojan Agent | 1 | command and control | tcp-pkt | 323 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, udp | 2022-04-06 |
| Trojan Dropper | 6 | command and control, delivery | dns, tls | 232 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-04-08 |
| Unk | 1 | delivery | http | 185 | actions on objectives, command and control, delivery | dns, ftp, http, smtp, tcp, tls | 2022-04-06 |
| Ursnif | 1 | command and control | tls | 384 | actions on objectives, command and control, delivery, weaponization | dns, http, tcp, tls, udp | 2022-04-08 |
| Verblecon | 9 | command and control | http, dns, tls | 9 | command and control | http, dns, tls | 2022-04-07 |
| Vidar | 2 | command and control | dns, tls | 13 | actions on objectives, command and control, delivery | dns, http, tls | 2022-04-08 |
| Winnti | 2 | command and control | dns | 11 | command and control | dns, http, tcp, tls | 2022-04-09 |
| XpertRAT | 9 | command and control | tcp | 9 | command and control | tcp | 2022-04-07 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
