15-November-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 596
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
Simplocker is a mobile trojan, one of the first of its kind, that targets Android mobile devices. This malware scans the resident SD card for certain file types (.jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4), encrypts these files using AES, and then demands a ransom from the user in exchange for the decryption of these ransomed files. The result is that, until this ransom is paid, users are unable to access their personal files (pictures, downloads, songs, etc.). Eset
In September 2021, the Indian Computer Emergency Response Team (CERT-In) issued a warning about a new malware strain targeting Indian taxpayers and mentioned that customers of around 27 banks were at risk of this attack. The Threat Actors (TA) behind this campaign were suspected of using Drinik malware. An early variant of Drinik malware was first spotted in 2016 as an SMS stealer. Around August 2021, the malware was observed to be active again, this time evolving into an Android banking trojan. Cyble
Drinik - malpedia | Drinik - microsoft
In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Butler Lampson, is defined as channels "not intended for information transfer at all, such as the service program's effect on system load," to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC. Wikipedia
Covert channels - MITRE - Application Layer Protocol: DNS | Covert channels - MITRE - Application Layer Protocol
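The DNS covert channels covered above (data smuggled inside query names, which is why the coverage here is on the dns protocol) can be screened with a few host-side heuristics. The following is an added example written for this report, not Stamus or Suricata code; the thresholds, heuristic names and sample query names are all assumptions constructed for illustration.

```python
# Added example, not Stamus code: heuristic scoring of DNS query names for
# covert-channel (DNS tunneling) indicators. All thresholds are assumptions.
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def covert_dns_indicators(qname: str, max_label_len: int = 30,
                          entropy_threshold: float = 3.5) -> list:
    """Names of the assumed heuristics that fire for one query name: an
    over-long label, a high-entropy leftmost label, a deep name, pure hex."""
    labels = [lab for lab in qname.rstrip(".").lower().split(".") if lab]
    hits = []
    if not labels:
        return hits
    leftmost = labels[0]
    if any(len(lab) > max_label_len for lab in labels):
        hits.append("long_label")
    if len(leftmost) >= 16 and shannon_entropy(leftmost) > entropy_threshold:
        hits.append("high_entropy_label")
    if len(labels) > 6:
        hits.append("many_labels")
    if len(leftmost) >= 16 and all(c in "0123456789abcdef" for c in leftmost):
        hits.append("hex_label")
    return hits

def flag_queries(qnames, min_hits: int = 2) -> dict:
    """Map each query name that fires at least min_hits heuristics to its hits."""
    flagged = {}
    for q in qnames:
        hits = covert_dns_indicators(q)
        if len(hits) >= min_hits:
            flagged[q] = hits
    return flagged

# Constructed sample query names (not real indicators): three benign-looking
# names and two that carry encoded data in the leftmost label.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn-assets.example.net",
    "3f9a7c1e5b2d8e4f6a1c9b7d3e5f2a8c.tun.example-tunnel.test",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.exfil.example-tunnel.test",
]
```

Requiring two heuristics to agree keeps single long-but-legitimate labels (CDN hashes, DKIM records) from being flagged on their own; tune the thresholds against a baseline of your own resolver logs.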
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.
Source: MITRE
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014. MITRE
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them. Kaspersky
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies
Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group. Fortinet
Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE
Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. MITRE
Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device. MITRE
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others. Malpedia
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
- redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
The following threat detection(s) were improved this past week with new or updated threat methods.
Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
---|---|---|---|---|---|---|---|
APT41 | 3 | command and control | dns | 9 | command and control | dns, http, tcp, tls | 2022-11-12 |
AgentTesla | 1 | actions on objectives | http | 35 | actions on objectives, command and control | dns, ftp, http, smtp, tcp, tls | 2022-11-12 |
Backdoor | 1 | command and control | tcp | 371 | actions on objectives, command and control, delivery, installation | dns, ftp, http, icmp, smtp, tcp, tls, udp | 2022-11-11 |
Banker Stealer | 2 | command and control | dns | 215 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2022-11-11 |
Covert channels | 42 | delivery | dns | 42 | delivery | dns | 2022-11-08 |
Drinik | 4 | command and control | http, dns | 4 | command and control | http, dns | 2022-11-08 |
IceXLoader | 2 | command and control | dns | 5 | command and control | dns, http | 2022-11-12 |
Molerats | 2 | command and control | dns, tls | 64 | command and control, delivery | dns, http, tls | 2022-11-09 |
Silence | 1 | delivery | http | 11 | command and control, delivery | http | 2022-11-11 |
Simplocker | 4 | command and control | http, dns | 4 | command and control | http, dns | 2022-11-08 |
SmsThief | 3 | command and control | http | 139 | actions on objectives, command and control, delivery | dns, http, tcp, tls, udp | 2022-11-08 |
SocGholish | 4 | command and control | dns | 183 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tls | 2022-11-11 |
TransparentTribe | 1 | command and control | dns | 14 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-11-08 |
Trojan Agent | 1 | command and control | http | 368 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, udp | 2022-11-10 |
Trojan Dropper | 2 | delivery | dns | 292 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-11-11 |
TrojanSpy-Android | 4 | command and control | dns | 434 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-11-11 |
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.