07-June-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 459
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain. MITRE
Grandoreiro - malpedia |
An interesting campaign distributing malicious documents. Which used the download chain as well as legitimate payload hosting services. Inquest
Tandem - MITRE - Malicious Link | Tandem - MITRE - User Execution | Tandem - MITRE - Multi-Stage Channels | Tandem - MITRE - Ingress Tool Transfer |
Researchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware recently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details of this novel RAT to understand better how it works and how security teams can detect it in their environments. Sentinelone
SiMay is the name of malware designed to allow an attacker to remotely control/access an infected computer. This type of malware is called a Remote Administration Trojan (RAT). RATs are used to steal information or files, distribute malware, and for other purposes. Pcrisk
Malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, we discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain. Trendmicro
NetDooka - malpedia |The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published. ESET
APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. MITRE
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. MITRE.
A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. MITRE
Ave Maria is high-risk trojan designed to steal various information and to cause "chain infections" (spread other infections). It is typically proliferated using various spam email campaigns. Criminals send thousands of deceptive emails that contain infectious attachments, most of which are Microsoft Office (typically Excel) files. Emails are delivered with messages encouraging users to open the attached document, however, this results in infiltration of Ave Maria Pcrisk
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. MalwareBytes
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. MITRE
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
Malware actors often try to infect/add specific code to legitimate binaries in an effort to trojanize (generate segment-padded trojans) those binaries and take advantage of allowed executable on the system.
In computing, the Executable and Linkable Format[citation needed] (ELF, formerly named Extensible Linking Format), is a common standard file format for executable files, object code, shared libraries, and core dumps. First published in the specification for the application binary interface (ABI) of the Unix operating system version named System V Release 4 (SVR4), and later in the Tool Interface Standard, it was quickly accepted among different vendors of Unix systems. In 1999, it was chosen as the standard binary file format for Unix and Unix-like systems on x86 processors by the 86open project. Wikipedia
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group. Malpedia
Cyber criminals violated the law TDS (Traffic Direction System) platform Keitaro and used it to redirect them users in exploit kits RIG and Fallout in order to infect them with malicious software.
TDS platforms are designed for redirection of users in particular sites. Legitimate TDS platforms, such as Keitaro, are mainly used by individuals and companies that want to advertise services or their products. Platforms drive users to the pages that companies want, targeting specific customers and promoting an ad campaign. techbizweb
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE
NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013. Nanocore
PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. MITRE
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages. Malpedia
Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device. MITRE
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1][2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. Wikipedia
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
This threat can give a malicious hacker unauthorized access and control of your PC. Microsoft
It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure. Cofense
njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East. MITRE
The following threat detection(s) were improved this past week with new or updated threat methods.
Name of threat | New coverage | Total coverage | Last updated | ||||
---|---|---|---|---|---|---|---|
New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
APT-C-23 | 1 | command and control | dns | 435 | actions on objectives, command and control | dns, http, tls | 2022-06-04 |
APT38 | 2 | delivery | tls | 91 | command and control, delivery | dns, http, tcp, tls | 2022-05-31 |
AZORult | 1 | command and control | http | 153 | command and control, delivery | dns, http, tls | 2022-06-03 |
AsyncRAT | 1 | command and control | tcp | 420 | command and control, delivery | http, tcp, tls | 2022-05-31 |
AveMaria RAT | 2 | command and control | tcp | 16 | actions on objectives, command and control | dns, http, tcp | 2022-06-02 |
Banker Stealer | 2 | command and control | http | 177 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2022-06-03 |
BitRAT | 1 | command and control | tls | 6 | command and control | http, tls | 2022-06-01 |
BlackTech | 1 | command and control | http | 9 | command and control, delivery | dns, http | 2022-06-02 |
Cobalt Strike | 2 | command and control | http | 357 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-06-04 |
ELF | 1 | installation | http | 68 | command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-05-31 |
Evilnum | 6 | command and control | dns, tls | 46 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-04 |
Grandoreiro | 5 | delivery, command and control | http, dns | 5 | delivery, command and control | http, dns | 2022-06-02 |
Keitaro | 16 | exploitation | http | 47 | command and control, delivery, exploitation | dns, http, tls | 2022-05-31 |
LoggerRust | 2 | actions on objectives, command and control | http, ftp | 2 | actions on objectives, command and control | http, ftp | 2022-06-02 |
MalDoc | 1 | delivery | http | 461 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-06-03 |
NanoCore | 1 | command and control | tls | 50 | command and control | dns, tcp, tls | 2022-05-31 |
NetDooka | 2 | command and control | http, tcp | 2 | command and control | http, tcp | 2022-06-02 |
PennyWise | 1 | actions on objectives | http | 2 | actions on objectives | http | 2022-06-02 |
PlugX | 2 | command and control | dns | 55 | command and control, delivery | dns, http, tcp, tcp-pkt, tls, udp | 2022-06-03 |
Remcos | 5 | command and control | tcp | 816 | command and control, delivery | dns, http, tcp | 2022-06-02 |
SiMay | 2 | command and control | http | 2 | command and control | http | 2022-06-02 |
SideWinder | 51 | command and control | dns | 79 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-03 |
SmsThief | 1 | command and control | dns | 134 | actions on objectives, command and control, delivery | dns, http, tcp, tls, udp | 2022-06-01 |
Stealer and Exfiltration | 1 | actions on objectives | tcp | 194 | actions on objectives, command and control, exploitation, installation | dns, ftp, http, smtp, tcp, tls | 2022-06-02 |
TA457 | 4 | command and control | http | 23 | actions on objectives, command and control | dns, http, tcp, tcp-pkt | 2022-06-03 |
Tandem | 12 | command and control | dns | 12 | command and control | dns | 2022-06-02 |
Trojan Dropper | 1 | delivery | dns | 235 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-06-01 |
TrojanSpy-Android | 5 | command and control | dns | 354 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-06-02 |
Unk | 1 | command and control | tcp | 186 | actions on objectives, command and control, delivery, installation | dns, ftp, http, smtp, tcp, tls | 2022-05-31 |
VJworm | 1 | actions on objectives | http | 4 | actions on objectives, command and control | http | 2022-06-02 |
njRAT | 1 | delivery | http | 127 | actions on objectives, command and control, delivery | http, tcp, tcp-pkt | 2022-06-02 |
oRAT | 1 | command and control | dns | 1 | command and control | dns | 2022-06-02 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.