21-June-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 471
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method", as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation. MITRE
Imminent Monitor - microsoft
Through in-depth analysis, Fuying Lab determined that this series of activities is a continuation of the recent attack activities of the APT organization Evilnum (http://blog.nsfocus.net/agentvxapt-evilnum/). Compared with previous activities, the Evilnum attackers inherited their representative attack methods in this operation, but used more diverse attack processes and complex attack components, and enabled two new Trojan programs, DarkMe and PikoloRAT, demonstrating high tool development ability, process design ability and rich experience in offensive and defensive confrontation. At the same time, due to the obvious differences in the design ideas and specific implementations of different attack processes, Fuying Lab believes that multiple attackers participated in the operation at the same time. Nsfocus
Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators. Microsoft
Polonium - microsoft
In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. Malwarebytes (https://www.malwarebytes.com/backdoor/)
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. MITRE
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
CTU researchers discovered the COBALT LYCEUM threat group in mid-2019 and determined that it has been active since at least 2018. The group is assessed with moderate confidence to operate on behalf of Iran, with a relatively small scope of operations in comparison to other Iranian groups. Known targets include critical infrastructure organizations, such as telecommunications and oil and gas companies. The threat actors use malicious Excel files with the DanDrop macro to deliver the unsophisticated DanBot first-stage malware, which deploys post-intrusion tools taken from public code repositories. A mid-2018 COBALT LYCEUM campaign focused on South African targets. In February 2019, the threat actors shifted their focus to Kuwait following a period of testing and development. COBALT LYCEUM’s targeting, tactics, and development style are similar to those of COBALT GYPSY along with the use of RGDoor, an IIS backdoor previously only associated with COBALT GYPSY. Document metadata anomalies suggest that the malware developer may work natively in an Arabic or Persian script. Secureworks
MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques which can be easily bypassed when identified. This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload. Malpedia
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE
The NukeSped RAT implements the following features:
- Iterate files in a folder
- Create a process as another user
- Iterate processes and modules
- Terminate a process
- Create a process
- Write a file
- Read a file
- Connect to a remote host
- Move a file
- Retrieve and launch additional payloads from the internet
- Get information about installed disks, including the disk type and the amount of free space on the disk
- Get the current directory
- Change to a different directory
- Remove itself and artifacts associated with it from the infected system

Securityaffairs
QAKBOT or QBOT is a malware that is capable of monitoring the browsing activities of the infected computer and logs all information related to finance-related websites. Trendmicro
An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages. Malpedia
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. Wikipedia
Trojan Win32/Tiggre!rfn is high-risk malware designed to perform a number of malicious tasks on victims' computers. It is also known as "Trojan.GenericKD.12694003" (by BitDefender) and "W32/Autoit.CGO!tr" (by Fortinet). Pcrisk
Again, the generic nature of this detection means that the payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
- redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive. Microsoft
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
The following threat detection(s) were improved this past week with new or updated threat methods.
Name of threat | New coverage: Detection methods | New coverage: Kill chain phases | New coverage: Protocols involved | Total coverage: Detection methods | Total coverage: Kill chain phases | Total coverage: Protocols involved | Last updated |
---|---|---|---|---|---|---|---|
Android InfoStealer | 3 | command and control | http | 37 | actions on objectives, command and control | dns, http, tcp, tls | 2022-06-17 |
Bitter | 1 | actions on objectives | tcp | 27 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt | 2022-06-16 |
Cobalt Strike | 1 | command and control | dns | 361 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-06-18 |
Copper Stealer | 5 | actions on objectives, command and control, delivery | http | 15 | actions on objectives, command and control, delivery, installation | http, tls | 2022-06-18 |
DarkMe | 13 | command and control | tls, tcp-pkt, dns | 13 | command and control | tls, tcp-pkt, dns | 2022-06-17 |
Imminent Monitor | 3 | command and control | tcp | 3 | command and control | tcp | 2022-06-17 |
Lyceum | 1 | command and control | tcp | 44 | command and control, delivery | dns, http, tcp | 2022-06-17 |
MASSLOGGER | 1 | actions on objectives | tcp | 11 | actions on objectives, command and control | ftp, http, smtp, tcp, tls | 2022-06-17 |
MalDoc | 10 | delivery | dns, http | 471 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-06-16 |
NukeSped | 2 | command and control | tls, http | 12 | command and control | dns, http, tcp, tls | 2022-06-17 |
Polonium | 4 | delivery, command and control | http | 4 | delivery, command and control | http | 2022-06-17 |
Python CTX | 2 | command and control | dns, tls | 2 | command and control | dns, tls | 2022-06-17 |
QakBot | 1 | delivery | http | 26 | actions on objectives, command and control, delivery | ftp, http, tcp, tls | 2022-06-15 |
SideWinder | 2 | command and control | dns | 81 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-15 |
Stealer and Exfiltration | 15 | command and control, actions on objectives | dns, http, tcp | 215 | actions on objectives, command and control, exploitation, installation | dns, ftp, http, smtp, tcp, tls | 2022-06-17 |
TA457 | 1 | command and control | dns | 24 | actions on objectives, command and control | dns, http, tcp, tcp-pkt | 2022-06-18 |
Tiggre | 1 | actions on objectives | http | 7 | actions on objectives, command and control | http, tcp | 2022-06-16 |
Trojan Agent | 1 | command and control | http | 333 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, udp | 2022-06-18 |
Trojan Downloader | 1 | command and control | http | 194 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-06-18 |
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.