26-April-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 422
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
The following detections were added to your Stamus NDR this past week:
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
FFDroider - malpedia | FFDroider - MITRE - Compromise Accounts: Social Media Accounts | FFDroider - MITRE - Phishing |
Malware of this family steals data from the users of infected computers, such as:
- Account data for FTP clients on the infected computer
- Account data for cloud storage services
- Browser cookies
- Account data for mail clients

The malware then sends this information to the cybercriminal's server.
Some malware of this family can download and run other malicious programs. Kaspersky
Tepfer - microsoft | Tepfer - MITRE - Phishing | Tepfer - MITRE - System Information Discovery | Tepfer - MITRE - Malicious File | Tepfer - MITRE - System Owner/User Discovery | Tepfer - MITRE - Data from Local System | Tepfer - MITRE - Credentials from Password Stores | Tepfer - MITRE - Email Collection |
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
SluttyPutty - MITRE - Multi-Stage Channels | SluttyPutty - MITRE - Abuse Elevation Control Mechanism | SluttyPutty - MITRE - System Information Discovery | SluttyPutty - MITRE - Malicious File | SluttyPutty - MITRE - Ingress Tool Transfer |
Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload. Malpedia
Snatch - microsoft | Snatch - pcrisk | Snatch - MITRE - Multi-Stage Channels | Snatch - MITRE - Malicious File | Snatch - MITRE - System Information Discovery | Snatch - MITRE - User Execution | Snatch - MITRE - Data Encrypted for Impact | Snatch - MITRE - Phishing |
As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware that we associated with the EvilNominatus ransomware, initially exposed at the end of 2021. It seems that the ransomware's developer is a young Iranian, who bragged about its development on Twitter. Clearskysec
EvilNominatus - MITRE - Ingress Tool Transfer | EvilNominatus - MITRE - Malicious File | EvilNominatus - MITRE - Data Encrypted for Impact | EvilNominatus - MITRE - Create or Modify System Process | EvilNominatus - MITRE - Phishing |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name. MITRE
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. MITRE
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. MITRE
Delf is a large family of malicious programs, many of which are associated with data theft. F-secure
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE
Malicious programs of this family request administrator rights and then make themselves invisible in the list of installed apps. This malware can intercept the user’s personal data, such as SMS messages, MMS messages, and USSD requests. The program can redirect incoming calls to the phone numbers of cybercriminals. Phone numbers, the texts of the messages to be intercepted, and cybercriminal phone numbers for redirecting calls are downloaded from the command-and-control server.
Programs of this family interfere with bank apps, such as the Commerzbank app or Google Play. When the user tries to open one of these legitimate apps, the malware replaces the genuine app window with a phishing window that asks for banking information. The user’s stolen data is sent to the cybercriminals. Kaspersky
Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE
PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. MITRE
In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes](https://www.malwarebytes.com/backdoor/)
For initial access to a targeted corporate network, the LockBit gang recruits affiliates and helpers as mentioned, who perform the actual intrusion on targets, usually via valid remote desktop protocol (RDP) account credentials. To help the cause, LockBit’s creators provide their partners with a handy StealBit trojan variant, which is a tool for establishing access and automatically exfiltrating data. Threatpost
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
The following threat detection(s) were improved this past week with new or updated threat methods.
Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
---|---|---|---|---|---|---|---|
APT35 | 27 | command and control | dns, tls | 158 | command and control, delivery | dns, ftp, http, tcp, tls | 2022-04-21 |
AutoIt | 1 | command and control | http | 62 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt | 2022-04-22 |
Banker Stealer | 2 | command and control | tcp | 173 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2022-04-23 |
BlackGuard | 2 | command and control | tls, dns | 14 | actions on objectives, command and control | dns, http, tls | 2022-04-24 |
BlackTech | 1 | command and control | http | 8 | command and control, delivery | dns, http | 2022-04-23 |
Cobalt Strike | 6 | command and control | dns, http | 349 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-04-21 |
Crimson | 7 | command and control | tcp-pkt, tcp, http | 34 | actions on objectives, command and control | http, tcp, tcp-pkt | 2022-04-22 |
Delf | 1 | command and control | http | 91 | actions on objectives, command and control, delivery, installation | http, smtp, tcp, tls | 2022-04-22 |
EvilNominatus | 1 | command and control | dns | 1 | command and control | dns | 2022-04-24 |
FFDroider | 2 | command and control | http | 2 | command and control | http | 2022-04-24 |
MalDoc | 2 | delivery | http | 461 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-04-21 |
Marcher | 4 | command and control | tls | 91 | actions on objectives, command and control, delivery | dns, http, tls | 2022-04-24 |
Molerats | 3 | command and control | dns, tls, http | 36 | command and control, delivery | dns, http, tls | 2022-04-21 |
Plead | 2 | command and control | http | 14 | command and control, delivery | dns, http | 2022-04-23 |
Pterodo | 1 | command and control | tcp | 26 | command and control | http, tcp | 2022-04-22 |
SluttyPutty | 1 | delivery | http | 2 | delivery | http | 2022-04-24 |
Snatch | 4 | actions on objectives, command and control | http | 4 | actions on objectives, command and control | http | 2022-04-24 |
StealBit | 1 | actions on objectives | http | 4 | actions on objectives, command and control | http, tcp | 2022-04-21 |
Tepfer | 5 | actions on objectives, command and control, delivery | http | 5 | actions on objectives, command and control, delivery | http | 2022-04-24 |
Trojan Downloader | 2 | command and control | http | 191 | actions on objectives, command and control, delivery | dns, http, tcp, tls, udp | 2022-04-23 |
TrojanSpy-Android | 4 | command and control | tls, tcp | 339 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-04-24 |
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.