
The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 643

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 6 (RedditC2, Sylavriu, Blacknix, RisePro, BeamWinHTTP, Fsysna)
  • Major changes to detection(s) [2]: 64
  • Updated threat detection(s) [3]: 140

 

Note: a "method", as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus Security Platform this past week:

 

RedditC2 (RAT)

Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes

RedditC2 - github
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

 

Sylavriu (Backdoor)

In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes](https://www.malwarebytes.com/backdoor/)

Sylavriu - anyrun | Sylavriu - twitter
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

 

Blacknix (RAT)

BlackNix is a Remote Access Trojan (RAT) that allows cyber criminals to gain access and control over infected devices. BlackNix is high-risk malware with malicious capabilities, which can cause serious issues. Pcrisk

Blacknix - malpedia
  • Total number of detection methods: 4
  • Kill chain phase(s): command and control

 

RisePro (Data Theft)

“RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs. Flashpoint

RisePro - malpedia
  • Total number of detection methods: 52
  • Kill chain phase(s): command and control

 

BeamWinHTTP (Trojan)

Trojan.BeamWinHTTP is a Trojan that comes in the form of a dll, which is loaded to inject malicious code into http traffic on the affected system. Trojan.BeamWinHTTP has been found to add affected systems to a botnet that performed DDoS attacks. Malwarebytes

  • Total number of detection methods: 3
  • Kill chain phase(s): command and control

 

Fsysna (Trojan)

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky

Fsysna - microsoft | Fsysna - anyrun
  • Total number of detection methods: 13
  • Kill chain phase(s): command and control
  • MITRE ATT&CK: T1041

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

AHKBOT (Trojan)

Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RAT) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems. Thehackernews

  • Added kill chain phase(s): command and control, delivery, actions on objectives
  • Previously supported kill chain phase(s): command and control
  • MITRE ATT&CK added: T1071, T1041
  • Methods added: 8

 

APT38 (APT)

APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 1

 

ActionLoader (Downloader)

Loaders, for the most part, have one job: grab malicious executables or payloads from an attacker-controlled server. But that doesn’t mean there isn’t more happening under the hood of some, such as a user-friendly UI, self-healing capabilities, or the equivalent of a retail shop where a botmaster can sell his bots to potential clients.

Loaders are essentially basic remote access Trojans that give an attacker the ability to remotely interact with and control a compromised computer, or bot. While traditionally lightweight (smaller than 50 KB in size) in order to bypass detection by antivirus and other security monitoring technology, loaders evolve, and their viability to cybercriminals remains. Flashpoint

  • Added kill chain phase(s): actions on objectives, delivery
  • Previously supported kill chain phase(s): command and control
  • Methods added: 2

 

Adwind RAT (RAT)

Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • MITRE ATT&CK added: T1041
  • Previously existing MITRE ATT&CK: T1587
  • Methods added: 3

 

AsyncRAT (RAT)

A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 3

 

Aurora (Data Theft)

In July 2022, SEKOIA.IO discovered a new Golang botnet advertised by its alleged developer as Aurora botnet since April 2022. Since we published an analysis of the malware and the profile of the threat actor advertising Aurora on underground forums for our clients, the botnet’s activity slowed down. Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset. Furthermore, SEKOIA.IO observed an increase in the number of Aurora samples distributed in the wild, as well as C2 servers. As the Aurora malware is widespread, not well detected, or publicly documented either, SEKOIA.IO analysed Aurora in depth and share the results of our investigation in this article. Sekoia

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): actions on objectives
  • Methods added: 4

 

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
  • Methods added: 2

 

DCRAT (RAT)

DarkCrystal, also known as dcRAT, is a Remote Access Trojan (RAT). Malware of this type is designed to enable remote access and control over an infected device. RATs can manipulate machines in various ways and can have likewise varied functionalities. DarkCrystal is a dangerous piece of software, which poses a significant threat to device and user safety. DcRat

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 1

 

Emotet (Data Theft)

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery, exploitation
  • Methods added: 2

 

Gamaredon (APT)

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 1

 

IcedID (Data Theft)

The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S. IcedID has since continued to evolve, and while one of its more recent versions became active in late-2019, X-Force researchers have identified a new major version release that emerged in 2020 with some substantial changes. securityintelligence.com

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 14

 

MageCart (Data Theft)

FIN6(Magecart) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 3

 

Neshta (Data Theft)

Neshta is malicious software that infects executable (.exe) system files and uses them to collect system information. It might also target removable storage devices and network shares. Neshta sends the information to a web server controlled by cyber criminals. Research shows that this malware is mainly used to attack companies that specialize in finance, consumer goods, and energy. It is also used to attack the manufacturing industry. In any case, Neshta should be removed from operating systems immediately. pcrisk

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 1

 

NetSupport RAT (RAT)

Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, exploitation
  • Methods added: 1

 

Nitol (Trojan)

DDoS:Win32/Nitol are a family of trojans that perform DDoS (distributed denial of service) attacks, allow backdoor access and control, download and run files and perform a number of other malicious activities on your computer. Microsoft

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, installation
  • Methods added: 1

 

Screenshotter (Backdoor)

In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes](https://www.malwarebytes.com/backdoor/)

  • Added kill chain phase(s): delivery, command and control
  • Previously supported kill chain phase(s): actions on objectives
  • Methods added: 2

 

SocGholish (Social Engineering)

It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, exploitation, delivery, reconnaissance, actions on objectives
  • Methods added: 1

 

TA444 (APT)

DPRK APT actor tracked by Proofpoint as TA444. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 7

 

TA457 (APT)

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. Wikipedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 1

 

Trojan Downloader (Downloader)

A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, installation, actions on objectives
  • Methods added: 2

 

Turla (APT)

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 1

 

Vidar (Data Theft)

Vidar (also known as Vidar Stealer) is a trojan (a malicious program) commonly used by cyber criminals. The program steals various personal information from users who have computers infected with the virus. Pcrisk

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, installation, actions on objectives, delivery
  • Methods added: 2

 

XWorm (RAT)

During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT. Cyble

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

 

| Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AHKBOT | 8 | command and control, delivery, actions on objectives | http | 10 | actions on objectives, command and control, delivery | http | 2023-01-10 |
| APT38 | 1 | command and control | dns | 120 | command and control, delivery | dns, http, tcp, tls | 2023-01-12 |
| ActionLoader | 2 | actions on objectives, delivery | http | 12 | actions on objectives, command and control, delivery | dns, http | 2023-01-10 |
| Adwind RAT | 3 | command and control | tcp-pkt | 16 | command and control | dns, tcp, tcp-pkt, tls | 2023-01-14 |
| AsyncRAT | 3 | command and control | http, dns | 423 | command and control, delivery | dns, http, tcp, tls | 2023-01-12 |
| Aurora | 4 | actions on objectives | http, tcp-pkt | 6 | actions on objectives | http, tcp-pkt | 2023-01-10 |
| BeamWinHTTP | 3 | command and control | http | 3 | command and control | http | 2023-01-10 |
| Blacknix | 4 | command and control | tcp, tcp-stream, tcp-pkt | 4 | command and control | tcp, tcp-stream, tcp-pkt | 2023-01-10 |
| Cobalt Strike | 2 | command and control | dns, tls | 397 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2023-01-14 |
| DCRAT | 1 | command and control | http | 39 | actions on objectives, command and control | dns, http, tls | 2023-01-13 |
| Emotet | 2 | command and control | dns | 59 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tls | 2023-01-12 |
| Fsysna | 13 | command and control | http, tcp, smtp | 13 | command and control | http, tcp, smtp | 2023-01-10 |
| Gamaredon | 1 | command and control | tcp-pkt | 133 | actions on objectives, command and control, delivery | dns, http, tcp-pkt, tls | 2023-01-14 |
| IcedID | 14 | command and control | dns | 353 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2023-01-14 |
| MageCart | 3 | command and control | dns | 181 | actions on objectives, command and control, delivery | dns, http, tls | 2023-01-13 |
| Neshta | 1 | command and control | http | 25 | actions on objectives, command and control, delivery | dns, http, tcp | 2023-01-10 |
| NetSupport RAT | 1 | command and control | dns | 9 | actions on objectives, command and control, exploitation | dns, http, tls | 2023-01-10 |
| Nitol | 1 | command and control | tcp-pkt | 25 | command and control, installation | http, tcp, tcp-pkt | 2023-01-12 |
| RedditC2 | 2 | command and control | http | 2 | command and control | http | 2023-01-10 |
| RisePro | 52 | command and control | http, dns | 52 | command and control | http, dns | 2023-01-10 |
| Screenshotter | 2 | delivery, command and control | http | 3 | actions on objectives, command and control, delivery | http | 2023-01-10 |
| SocGholish | 1 | command and control | dns | 229 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-01-10 |
| Sylavriu | 2 | command and control | http | 2 | command and control | http | 2023-01-10 |
| TA444 | 7 | command and control | dns | 132 | command and control | dns, http, tls | 2023-01-12 |
| TA457 | 1 | command and control | dns | 27 | actions on objectives, command and control | dns, http, tcp, tcp-pkt | 2023-01-11 |
| Trojan Downloader | 2 | command and control | dns | 241 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2023-01-10 |
| Turla | 1 | command and control | http | 27 | command and control, delivery | dns, http, tcp, tls | 2023-01-10 |
| Vidar | 2 | command and control | http | 28 | actions on objectives, command and control, delivery, installation | dns, http, tls | 2023-01-13 |
| XWorm | 1 | command and control | dns | 38 | command and control | dns, tcp, tcp-pkt | 2023-01-14 |

 
