18-October-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 574
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider Github
Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. Crowdstrike
Allcome clipbanker was first discovered by researcher @3xp0rtblog including underground forum screenshots, pricing information and a listing of contact numbers for Telegram where the malware can be purchased and downloaded. This malware-as-a-service starts from 25$ for a month of usage up until 220$ for a life-time license. The advertisment specifically highlights that Allcome supports stealing lots of different cryptocurrency wallets and payment forms with new payment forms added weekly. Criminal customers can also add their own currency stealing capabilities by purchasing a private query builder. Gdatasoftware
AllcomeClipper - malpedia |
Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions. Sentinelone
During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT. Cyble
Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. MITRE
Silence - malpedia |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published. ESET
APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. MITRE
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
FIN6(Magecart) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. MITRE
Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators. Microsoft
QAKBOT or QBOT is a malware that is capable of monitoring the browsing activities of the infected computer and logs all information related to finance-related websites.
Trendmicro
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
The Sabsik virus is a type of malware that is used as advanced espionage tool capable of learning your passwords, credit and debit card numbers, and other sensitive info about you. The methods used by the Sabsik Scam are keylogging, presenting the user with phishing forms, and screen-monitoring. Howtoremove
Sliver is an open source, cross-platform adversary emulation/red team platform, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Github
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT-C-23 | 3 | command and control | dns, tls, http | 439 | actions on objectives, command and control | dns, http, tls | 2022-10-13 |
| APT38 | 6 | command and control, delivery | http | 112 | command and control, delivery | dns, http, tcp, tls | 2022-10-11 |
| AllcomeClipper | 2 | command and control | dns, http | 2 | command and control | dns, http | 2022-10-11 |
| Cobalt Strike | 1 | command and control | dns | 380 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-10-12 |
| Comm100 | 5 | command and control, installation, delivery | dns, http | 5 | command and control, installation, delivery | dns, http | 2022-10-11 |
| Havoc | 2 | command and control | http | 2 | command and control | http | 2022-10-11 |
| MageCart | 1 | command and control | dns | 177 | actions on objectives, command and control, delivery | dns, http, tls | 2022-10-13 |
| Metador | 1 | command and control | dns | 1 | command and control | dns | 2022-10-11 |
| Polonium | 2 | command and control | http, tcp | 6 | command and control, delivery | http, tcp | 2022-10-12 |
| QakBot | 4 | delivery, actions on objectives | http, tls | 31 | actions on objectives, command and control, delivery | ftp, http, tcp, tls | 2022-10-12 |
| Remcos | 3 | command and control | tcp | 863 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-10-12 |
| Sabsik | 2 | command and control | tls, dns | 16 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tcp-pkt, tls | 2022-10-13 |
| Silence | 10 | command and control, delivery | http | 10 | command and control, delivery | http | 2022-10-11 |
| Sliver Framework | 5 | command and control | dns, tls, http | 437 | command and control | dns, http, tls | 2022-10-11 |
| SocGholish | 7 | command and control | dns | 164 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tls | 2022-10-14 |
| Trojan Downloader | 1 | command and control | http | 204 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-10-13 |
| Trojan Dropper | 2 | actions on objectives, command and control | http | 278 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-10-15 |
| TrojanSpy-Android | 4 | command and control | tcp, http, dns | 401 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-10-11 |
| XWorm | 19 | command and control | dns, tcp | 19 | command and control | dns, tcp | 2022-10-11 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
