24-May-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 445
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
SCVReady - MITRE - Ingress Tool Transfer | SCVReady - MITRE - Malicious File | SCVReady - MITRE - System Information Discovery | SCVReady - MITRE - Exfiltration Over C2 Channel
CyberGate is one of many remote access tools (RATs) that allow users to control other connected computers remotely. Cyber criminals often use these programs for malicious purposes such as to steal personal, sensitive information and misuse it to generate revenue. People who have computers infected with programs such as CyberGate should uninstall them immediately.
CyberGate - microsoft | CyberGate - malpedia | CyberGate - MITRE - Ingress Tool Transfer | CyberGate - MITRE - Multi-Stage Channels | CyberGate - MITRE - Data from Local System | CyberGate - MITRE - Process Discovery | CyberGate - MITRE - System Information Discovery | CyberGate - MITRE - Malicious File | CyberGate - MITRE - File and Directory Discovery
SysChecker is a Trojan; see the description of Trojans (Kaspersky) given above for SCVReady.
SysChecker - MITRE - Process Discovery | SysChecker - MITRE - System Service Discovery | SysChecker - MITRE - Data from Local System | SysChecker - MITRE - Malicious File | SysChecker - MITRE - Ingress Tool Transfer | SysChecker - MITRE - Multi-Stage Channels
Discovered by Cyble Research Labs, Eternity is the name of a malware family. Actively sold on the Web, Eternity's developers use the Telegram IM (Instant Messaging) service to sell their malicious wares, as well as provide support and customization to buyers. Telegram can also be employed by the attackers using Eternity programs as their C&C (Command and Control) server and proliferation tool.
Currently, this malware family consists of a stealer, worm, miner, clipper, ransomware, and DDoS bot. Pcrisk
Eternity - microsoft | Eternity - MITRE - Malicious File | Eternity - MITRE - Multi-Stage Channels | Eternity - MITRE - Ingress Tool Transfer | Eternity - MITRE - Resource Hijacking | Eternity - MITRE - Abuse Elevation Control Mechanism | Eternity - MITRE - Data Encrypted for Impact | Eternity - MITRE - Exfiltration Over C2 Channel | Eternity - MITRE - System Information Discovery | Eternity - MITRE - File and Directory Discovery | Eternity - malpedia clipper | Eternity - malpedia ransomware | Eternity - malpedia stealer | Eternity - malpedia worm
In February 2022 we observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier. Kaspersky
SilentBreak - microsoft | SilentBreak - MITRE - Ingress Tool Transfer | SilentBreak - MITRE - Malicious File | SilentBreak - MITRE - Multi-Stage Channels | SilentBreak - MITRE - Exfiltration Over C2 Channel | SilentBreak - MITRE - Protocol Tunneling
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia. MITRE
Leviathan - proofpoint | Leviathan - malpedia
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. MITRE
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
DarkCrystal, also known as dcRAT, is a Remote Access Trojan (RAT). Malware of this type is designed to enable remote access and control over an infected device. RATs can manipulate machines in various ways and can have likewise varied functionalities. DarkCrystal is a dangerous piece of software, which poses a significant threat to device and user safety. DcRat
Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
Transparent Tribe: group targeting the Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others. Malpedia
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
|---|---|---|---|---|---|---|---|
| Bitter | 5 | command and control | dns, http | 25 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-05-21 |
| Cobalt Strike | 1 | command and control | http | 351 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-05-20 |
| CyberGate | 24 | command and control, installation | http, tcp | 24 | command and control, installation | http, tcp | 2022-05-19 |
| DCRAT | 4 | command and control | dns, tls | 34 | actions on objectives, command and control | dns, http, tls | 2022-05-21 |
| Eternity | 3 | command and control, actions on objectives | http, dns | 8 | command and control, actions on objectives | http, dns | 2022-05-19 |
| Leviathan | 17 | command and control | dns, http | 18 | command and control | dns, http | 2022-05-19 |
| Molerats | 2 | command and control | http, dns | 42 | command and control, delivery | dns, http, tls | 2022-05-20 |
| Remcos | 3 | command and control | tcp | 811 | command and control, delivery | dns, http, tcp | 2022-05-18 |
| SCVReady | 8 | command and control, delivery | http | 8 | command and control, delivery | http | 2022-05-19 |
| SilentBreak | 3 | command and control | dns | 3 | command and control | dns | 2022-05-19 |
| SysChecker | 4 | command and control | http | 4 | command and control | http | 2022-05-19 |
| TransparentTribe | 1 | command and control | dns | 11 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-05-20 |
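Each row above is a count of distinct detection methods (signatures) per threat, with the kill chain phases and protocols those methods fire on. As an added example that is not part of this report or of the Stamus Security Platform, the Python below builds the same kind of summary from Suricata EVE JSON alert records, so an analyst can check which of the listed threats actually fired on their sensor and over which protocols. The metadata keys `threat` and `kill_chain`, the signature IDs and the sample events are constructed assumptions; a real ruleset names its metadata differently, so the two key constants must be adjusted to match it.

```python
import json
from collections import defaultdict

# Assumed rule-metadata keys (not the real Stamus key names): Suricata stores
# alert.metadata values as lists of strings, which is mirrored here.
METADATA_THREAT = "threat"
METADATA_PHASE = "kill_chain"

def _alert(ts, proto, app_proto, sid, sig, threat, phase):
    """Build one constructed EVE alert record in Suricata's layout."""
    rec = {"timestamp": ts, "event_type": "alert", "proto": proto,
           "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9",
           "alert": {"signature_id": sid, "signature": sig,
                     "metadata": {METADATA_THREAT: [threat],
                                  METADATA_PHASE: [phase]}}}
    if app_proto is not None:
        rec["app_proto"] = app_proto
    return rec

# Constructed sample EVE log (newline-delimited JSON); includes a repeated hit
# on the same signature, an app_proto of "failed" and a non-alert event.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    _alert("2022-05-19T08:01:02.000000+0000", "UDP", "dns", 1001,
           "Eternity stealer DNS lookup", "Eternity", "command and control"),
    _alert("2022-05-19T08:01:09.000000+0000", "UDP", "dns", 1001,
           "Eternity stealer DNS lookup", "Eternity", "command and control"),
    _alert("2022-05-19T08:02:00.000000+0000", "TCP", "http", 1002,
           "Eternity C2 check-in", "Eternity", "command and control"),
    _alert("2022-05-19T08:05:00.000000+0000", "TCP", "http", 1003,
           "Eternity data upload", "Eternity", "actions on objectives"),
    _alert("2022-05-19T09:00:00.000000+0000", "UDP", "dns", 2001,
           "SilentBreak DNS beacon", "SilentBreak", "command and control"),
    # app_proto "failed": Suricata could not identify the layer-7 protocol,
    # so the transport protocol is used instead.
    _alert("2022-05-20T11:00:00.000000+0000", "TCP", "failed", 3001,
           "Cobalt Strike raw beacon", "Cobalt Strike", "command and control"),
    {"timestamp": "2022-05-20T11:00:01.000000+0000", "event_type": "dns",
     "proto": "UDP", "dns": {"type": "query", "rrname": "example.test"}},
])

def _protocol(rec):
    """Prefer the application protocol; fall back to transport if unknown."""
    app = rec.get("app_proto")
    if app and app != "failed":
        return app.lower()
    return rec.get("proto", "").lower()

def summarise_coverage(eve_text):
    """Group EVE alerts by threat: distinct methods, phases, protocols, last date."""
    per = defaultdict(lambda: {"sids": set(), "phases": set(),
                               "protocols": set(), "last": ""})
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alert = rec["alert"]
        meta = alert.get("metadata", {})
        proto = _protocol(rec)
        for threat in meta.get(METADATA_THREAT, []):
            entry = per[threat]
            entry["sids"].add(alert["signature_id"])   # one sid = one method
            entry["phases"].update(meta.get(METADATA_PHASE, []))
            if proto:
                entry["protocols"].add(proto)
            entry["last"] = max(entry["last"], rec["timestamp"][:10])
    return {t: {"methods": len(e["sids"]),
                "kill_chain_phases": sorted(e["phases"]),
                "protocols": sorted(e["protocols"]),
                "last_seen": e["last"]}
            for t, e in per.items()}

def render_rows(summary):
    """Render the summary as pipe-separated rows like the report table."""
    rows = []
    for threat in sorted(summary):
        s = summary[threat]
        rows.append(" | ".join([threat, str(s["methods"]),
                                ", ".join(s["kill_chain_phases"]),
                                ", ".join(s["protocols"]), s["last_seen"]]))
    return rows

if __name__ == "__main__":
    for row in render_rows(summarise_coverage(SAMPLE_EVE)):
        print(row)
```

Feed the sensor's real `eve.json` to `summarise_coverage` after setting the two metadata constants to the keys your ruleset emits; the "failed" handling matters because raw TCP beacons and encrypted channels often never get an application protocol assigned.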
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.