14-March-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 692
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.
BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update. Thehackernews
Once a targeted system is infected, HiatusRAT allows the threat actor to remotely interact with the system, and it utilizes prebuilt functionality – some of which is highly unusual – to convert the compromised machine into a covert proxy for the threat actor. The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications. BlackLotusLabs
HiatusRAT - Thehackernews
Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named “SYS01 stealer.” SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload (stealer) is different.
The attack begins by luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file that pretends to have an application, game, movie, etc.
The infection chain is divided into two parts: the loader, and the Inno-Setup installer that drops the final payload. The loader is usually a legitimate C# application susceptible to DLL side-loading, shipped together with a hidden malicious dynamic link library (DLL) that is eventually side-loaded into the application. This legitimate application drops the Inno-Setup installer, which decompresses into a whole PHP application containing malicious scripts. The PHP scripts are responsible for stealing and exfiltrating information. The scripts are encoded using different techniques, which makes their analysis and detection harder. Morphisec
Harly is a piece of malicious software targeting Android operating systems. It is a type of toll fraud malware designed to stealthily subscribe victims to various premium-rate services. Harly is proliferated under the guise of various useful and innocuous-looking applications. Pcrisk
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Malware of this family uses advertising as its main monetization method. The malware uses different methods to display as many ads as possible to the user, including by installing new adware.
These Trojans can get root privileges in order to hide in the system folder, which makes the Trojans very difficult to remove. Kaspersky
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them. Kaspersky
First analyzed in early 2014 [1] [2], the Blackmoon banking Trojan targets a user’s online banking credentials using a type of pharming that involves modifying or replacing the local Hosts file with one that redirects online banking domain lookups to an IP address controlled by the attacker. Blackmoon has been observed targeting primarily customers of South Korean online banking sites and services, and is usually distributed via drive-by download. Proofpoint
Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East. MITRE
Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Standard Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.
Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. MITRE
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card. Malwarebytes
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE
NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013. Nanocore
Parallax is a Remote Access Trojan used by attackers to gain access to a victim's machine. It was involved in one of the many infamous "coronamalware" campaigns: the attackers abused COVID-19 pandemic news to lure victims into opening themed emails spreading Parallax. Malpedia
PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. MITRE
Check Point Research identified an ongoing surveillance operation targeting a Southeast Asian government. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities, together with a chain of in-memory loaders, to attempt to install a previously unknown backdoor on victims' machines. Checkpoint
The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities. Malwarebytes
SocGholish leverages compromised websites and performs some of the most creative fingerprinting checks we've seen, before delivering its payload (NetSupport RAT). Malwarebytes
Its first known detection goes back to May 31, 2011, according to the Microsoft Malware Protection Center. This Trojan opens an Internet Explorer browser to a predefined page (such as i.163vv.com/?96). A Trojan file with the LNK extension is a Windows shortcut that points to a malicious file, program, or folder. An LNK file of this family launches a malicious executable or may be dropped by other malware. These files are mostly used by worms to spread via USB drives. Wikipedia
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that add extra fields to web forms and submit the information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies
Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by a command sent from the Command and Control server (C&C). Malwarebytes
TA444 is a DPRK APT actor tracked by Proofpoint. Malpedia
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
Stealer: The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that add extra fields to web forms and submit the information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies
Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by a command sent from the Command and Control server (C&C). Malwarebytes
VectorStealer is a malicious program designed to steal sensitive data. It is classified as an information stealer. Typically, stealers run silently in the background to avoid suspicion. Threat actors use various ways to trick users into infecting computers with information-stealing malware. Pcrisk
The following threat detection(s) were improved this past week with new or updated threat methods.
Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
---|---|---|---|---|---|---|---|
Android Harly | 2 | command and control | dns | 7 | command and control | dns | 2023-03-08 |
Android Trojan Agent | 1 | command and control | dns | 180 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2023-03-08 |
Backdoor | 4 | command and control | http, dns | 386 | actions on objectives, command and control, delivery, installation | dns, ftp, http, icmp, smtp, tcp, tls, udp | 2023-03-08 |
BlackLotus | 2 | command and control | tls, http | 2 | command and control | tls, http | 2023-03-08 |
Blackmoon | 1 | command and control | tcp | 53 | actions on objectives, command and control, delivery, installation | dns, http, smtp, tcp, tcp-pkt, tls | 2023-03-10 |
Cloud Atlas | 1 | command and control | dns | 33 | command and control, delivery | dns, http, tls | 2023-03-09 |
Command and Control | 1 | command and control | http | 302 | actions on objectives, command and control, delivery, installation | dns, http, tls | 2023-03-08 |
Emotet | 4 | delivery | http | 64 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tls | 2023-03-10 |
Gamaredon | 10 | command and control | dns, http | 156 | actions on objectives, command and control, delivery | dns, http, tcp-pkt, tls | 2023-03-11 |
HiatusRAT | 1 | command and control | http | 1 | command and control | http | 2023-03-08 |
Lockbit | 1 | command and control | dns | 2 | command and control | dns | 2023-03-07 |
MalDoc | 1 | delivery | dns | 486 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2023-03-07 |
NanoCore | 1 | command and control | dns | 51 | command and control | dns, tcp, tls | 2023-03-09 |
Parallax | 2 | command and control | tcp | 37 | command and control | dns, tcp | 2023-03-07 |
PlugX | 2 | command and control | dns | 62 | command and control, delivery | dns, http, tcp, tcp-pkt, tls, udp | 2023-03-09 |
SYS01 | 11 | command and control | http, dns | 11 | command and control | http, dns | 2023-03-08 |
SharpPanda | 1 | command and control | http | 6 | command and control, delivery | http | 2023-03-11 |
Sidecopy | 1 | command and control | http | 12 | command and control | dns, http, tcp | 2023-03-10 |
SocGholish | 5 | command and control | dns | 253 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-03-10 |
Startpage | 1 | command and control | http | 28 | command and control, delivery | http, tls | 2023-03-11 |
Stealer and Exfiltration | 6 | actions on objectives, command and control, delivery | http, tcp-pkt, tcp | 310 | actions on objectives, command and control, delivery, exploitation, installation | dns, ftp, http, smtp, tcp, tcp-pkt, tls | 2023-03-10 |
TA444 | 1 | command and control | dns | 135 | command and control | dns, http, tls | 2023-03-09 |
TrojanSpy-Android | 4 | command and control | dns, http | 469 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls | 2023-03-08 |
TrojanSpy-Generic | 1 | command and control | tcp-pkt | 59 | actions on objectives, command and control, delivery | http, tcp, tcp-pkt, tls | 2023-03-08 |
Vector Stealer | 1 | actions on objectives | http | 2 | actions on objectives | http | 2023-03-09 |
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.