20-December-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 622
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card. Malwarebytes
Blackmagic - microsoft | Blackmagic - MITRE - Phishing | Blackmagic - MITRE - Data Encrypted for Impact | Blackmagic - MITRE - System Information Discovery | Blackmagic - MITRE - File and Directory Discovery | Blackmagic - MITRE - User Execution: Malicious File | Blackmagic - MITRE - User Execution | Blackmagic - MITRE - Ingress Tool Transfer | Blackmagic - MITRE - Multi-Stage Channels |
Recently, Cyble Research & Intelligence Labs (CRIL) discovered leaked data of over 26500 Android users from India through the backend server of an Android application called LoanBee. Based on our research, we identified that the LoanBee is a digital lending application that steals users’ sensitive data. This application was primarily hosted on Google Play Store with more than 100,000 installs, and now it has been removed from Google Play Store due to its unusual behavior. Cyble
DuckLogs is malware that includes information-stealing, remote control, keylogging, and other features. It allows cybercriminals to steal sensitive information, inject additional malware, and perform other malicious activities. DuckLogs is Malware-as-a-Service (MaaS). Cybercriminals behind DuckLogs sell it to other crooks for $19.99 per month, $39.99 per three months, or a $69.99 one-time fee. PCrisk
DuckLogs - cyble |
Electron Bot is the name of the malware that has been discovered by Check Point Research. We have learned that Electron Bot is used to gain remote access to computers and execute various commands. It is distributed via various applications on the Microsoft Store (Electron Bot targets Windows devices). PCrisk
ElectronBot - microsoft | ElectronBot - checkpoint |
In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes] (https://www.malwarebytes.com/backdoor/)
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts. Info stealers may use many methods of data acquisition. The most common are: hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
XFILES - microsoft | XFILES - malpedia |
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts. Info stealers may use many methods of data acquisition. The most common are: hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Pirate Stealer - malpedia |
In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes] (https://www.malwarebytes.com/backdoor/)
Irafau - bitdefender |
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
Impersoni - bitdefender |
Loaders, for the most part, have one job: grab malicious executables or payloads from an attacker-controlled server. But that doesn’t mean there isn’t more happening under the hood of some, such as a user-friendly UI, self-healing capabilities, or the equivalent of a retail shop where a botmaster can sell his bots to potential clients.
Loaders are essentially basic remote access Trojans that give an attacker the ability to remotely interact with and control a compromised computer, or bot. While traditionally lightweight (smaller than 50 KB in size) in order to bypass detection by antivirus and other security monitoring technology, loaders evolve, and their viability to cybercriminals remains. Flashpoint
BatLoader - malpedia | BatLoader - microsoft | BatLoader - vmware |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. MITRE
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date. Wikipedia
Sliver is an open source, cross-platform adversary emulation/red team platform, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Github
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
DPRK APT actor tracked by Proofpoint as TA444 Malpedia
Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts. PFPT
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
POWERSTATS(Valyria) is a backdoor written in powershell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands. Malpedia
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT38 | 4 | command and control | tls, dns | 117 | command and control, delivery | dns, http, tcp, tls | 2022-12-13 |
| BatLoader | 15 | delivery, command and control | http, tls, dns | 15 | delivery, command and control | http, tls, dns | 2022-12-13 |
| Blackmagic | 2 | command and control, delivery | http | 2 | command and control, delivery | http | 2022-12-13 |
| Cobalt Strike | 2 | command and control | http | 395 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-12-15 |
| DuckLogs | 3 | command and control | dns, http, tls | 3 | command and control | dns, http, tls | 2022-12-13 |
| ElectronBot | 4 | command and control, delivery | dns, http | 4 | command and control, delivery | dns, http | 2022-12-13 |
| Gamaredon | 2 | command and control | dns, tls | 125 | actions on objectives, command and control, delivery | dns, http, tls | 2022-12-13 |
| Impersoni | 22 | command and control | dns, tcp | 22 | command and control | dns, tcp | 2022-12-13 |
| Irafau | 1 | command and control | http | 1 | command and control | http | 2022-12-13 |
| LoanBee | 1 | actions on objectives | dns | 1 | actions on objectives | dns | 2022-12-13 |
| Pirate Stealer | 3 | command and control | dns | 4 | command and control | dns | 2022-12-13 |
| Remcos | 1 | command and control | tcp | 874 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-12-15 |
| Sality | 1 | actions on objectives | tcp-pkt | 28 | actions on objectives, command and control, delivery, weaponization | http, smtp, tcp, tcp-pkt, udp | 2022-12-15 |
| Screenshotter | 1 | actions on objectives | http | 1 | actions on objectives | http | 2022-12-13 |
| Sliver Framework | 2 | command and control | tls, dns | 461 | command and control | dns, http, tls | 2022-12-16 |
| SocGholish | 5 | command and control | dns | 212 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2022-12-16 |
| TA444 | 8 | command and control | dns | 119 | command and control | dns, http, tls | 2022-12-13 |
| TA456 | 3 | command and control | dns | 8 | command and control, delivery | dns, http | 2022-12-14 |
| Trojan Downloader | 1 | delivery | http | 239 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-12-14 |
| Valyria | 2 | delivery | http | 33 | command and control, delivery | dns, http, tls | 2022-12-13 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
