The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

Current Stamus Threat Intelligence (STI) release version: 452

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

New threat detection(s) added [1]: 4 (Restylink, CustomRAT, TwistedPanda, FileTour)
Major changes to detections(s) [2]: 49
Updated threat detection(s) [3]: 87

Note: a "method" as referenced below, is a discrete detection vector for a given threat.

New Threat(s) Detected

The following detections were added to your Stamus NDR this past week:

Restylink (APT)

Since mid- April 2022 , multiple organizations have been observing targeted attack campaigns targeting Japanese companies. This attack campaign is believed to have been active in March 2022 , and may have had a related attack in October 2021 . For this reason, it is possible that attacks will continue in the future, rather than short-term, one-off attack campaigns. NTT

Restylink - MITRE - Phishing | Restylink - MITRE - Exploitation for Client Execution | Restylink - MITRE - Malicious File | Restylink - MITRE - Create or Modify System Process |

Total number of detection methods: 7
Kill chain phase(s): command and control

CustomRAT (RAT)

Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes

Total number of detection methods: 4
Kill chain phase(s): command and control

TwistedPanda (APT)

Check Point Research (CPR) details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT. In the below blog, the researchers reveal the tactics and techniques used by the threat actors and provide a technical analysis of the observed malicious stages and payloads, including previously unknown loaders and backdoors with multiple advanced evasion and anti-analysis techniques. Checkpoint

TwistedPanda - MITRE - Create or Modify System Process | TwistedPanda - MITRE - System Service Discovery | TwistedPanda - MITRE - System Owner/User Discovery | TwistedPanda - MITRE - Phishing | TwistedPanda - MITRE - Ingress Tool Transfer | TwistedPanda - MITRE - Multi-Stage Channels |

Total number of detection methods: 8
Kill chain phase(s): command and control

FileTour (Trojan)

Adware.FileTour is Malwarebytes’ generic detection name for a family that consists mostly of adware bundlers of Russian origin that target Windows systems. Malwarebytes

FileTour - microsoft | FileTour - MITRE - Browser Session Hijacking | FileTour - MITRE - Browser Extensions |

Total number of detection methods: 19
Kill chain phase(s): command and control, delivery

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

Bitter (APT)

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 1

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
MITRE ATT&CK added: T1001
Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
Methods added: 4

Delf (Data Theft)

Delf is a large family of malicious programs, many of which are associated with data theft. F-secure

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): installation, command and control, delivery, actions on objectives
MITRE ATT&CK added: T1041
Previously existing MITRE ATT&CK: T1041, T1587, T1071
Methods added: 1

Evilnum (APT)

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group. Malpedia

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 5

Gamaredon (APT)

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE

Added kill chain phase(s): delivery
Previously supported kill chain phase(s): actions on objectives, command and control, delivery
Methods added: 1

GuLoader (Downloader)

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT. MITRE

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): delivery
Methods added: 1

Hangover (APT)

It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. MITRE

Added kill chain phase(s): command and control, actions on objectives, delivery
Previously supported kill chain phase(s): command and control, actions on objectives
MITRE ATT&CK added: T1041, T1587
Methods added: 18

Kryptik (Trojan)

Malware of this family consists of Trojans that use anti-emulation, anti-debugging, and code obfuscation to prevent their analysis. Kaspersky

Added kill chain phase(s): delivery
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 1

SideWinder (APT)

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages. Malpedia

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery, actions on objectives
Methods added: 2

SocGholish (Social Engineering)

It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery, reconnaissance
Methods added: 2

Stelega (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): actions on objectives
Methods added: 1

Trojan Dropper (Trojan)

A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery, installation, actions on objectives
MITRE ATT&CK added: T1041
Previously existing MITRE ATT&CK: T1041
Methods added: 1

TrojanSpy-Android (Data Theft)

Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky

Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 8

TrojanSpy-Generic (Data Theft)

Stealer: The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.