16-May-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 745
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
The Project Nemesis infostealer has been active in the wild since December 2021, when it was offered for sale on several Dark Web forums. It can collect data from a range of web browsers, as well as applications including Steam, Telegram, Discord, cryptowallets, and VPN providers.IBM Security X-Force
Project Nemesis - Malpedia | Project Nemesis - Microsoft |
Proofpoint researchers began tracking an actor (referred to as TA544) in February of 2017 when reports first emerged about malicious email campaigns targeting Italian customers using the Panda Banker malware.
To date, this highly financially-motivated actor has delivered more than six unique malware payloads (in several variations of each) in high-volume campaigns (hundreds of thousands of messages per day) to victims across western Europe and Japan, where it now focuses on the distribution of the Ursnif banking Trojan and URLZone banker. Proofpoint
TA544 - Malpedia |
In computing, a Trojan horse (or simply trojan) is any malware which misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity. It can also delete a user's files or infect other devices connected to the network. Ransomware attacks are often carried out using a trojan.
Written in Pascal, this file stealer crawls the victim’s filesystem at regular intervals and uploads all files of interest to its C2 server. At startup, it wastes CPU cycles on dead code and useless loops, which we assume are for evasion purposes. Roopy then creates its working directory (%AppData%/Microsoft/OneDrive) where it stores the list of already uploaded files (as upload.dat) and a copy of documents waiting to be uploaded (in the backup subfolder).
Roopy - MalwareBazaar |
Information Stealer used by Void Balaur.Malpedia
ZStealer - Trend Micro |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
GALLIUM is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. GALLIUM has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors. MITRE
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE
Cyber criminals violated the law TDS (Traffic Direction System) platform Keitaro and used it to redirect them users in exploit kits RIG and Fallout in order to infect them with malicious software.
TDS platforms are designed for redirection of users in particular sites. Legitimate TDS platforms, such as Keitaro, are mainly used by individuals and companies that want to advertise services or their products. Platforms drive users to the pages that companies want, targeting specific customers and promoting an ad campaign. techbizweb
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise. MITRE
FIN6(Magecart) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. MITRE
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
DPRK APT actor tracked by Proofpoint as TA444 Malpedia
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors. MITRE
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT. Cyble
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| Fake LogMeInRescue | 1 | actions on objectives | http | 1 | actions on objectives | http | 2023-05-11 |
| GALLIUM | 3 | command and control | dns | 5 | command and control | dns | 2023-05-11 |
| Gamaredon | 1 | command and control | dns | 287 | actions on objectives, command and control, delivery | dns, http, tcp-pkt, tls | 2023-05-10 |
| Keitaro | 1 | exploitation | dns | 87 | command and control, delivery, exploitation | dns, http, tls | 2023-05-09 |
| Kimsuky | 1 | delivery | http | 106 | actions on objectives, command and control, delivery | dns, ftp, ftp-data, http, tls | 2023-05-12 |
| MageCart | 1 | command and control | http | 200 | actions on objectives, command and control, delivery | dns, http, tls | 2023-05-11 |
| Project Nemesis | 5 | command and control, installation | dns, http | 6 | command and control, installation | dns, http | 2023-05-11 |
| Roopy | 1 | actions on objectives | http | 1 | actions on objectives | http | 2023-05-11 |
| SocGholish | 8 | command and control | dns | 284 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-05-12 |
| TA444 | 42 | command and control | dns | 271 | command and control | dns, http, tls | 2023-05-12 |
| TA544 | 5 | command and control | http | 5 | command and control | http | 2023-05-11 |
| Trojan Agent | 1 | delivery | http | 385 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, tls, udp | 2023-05-11 |
| Ursnif | 16 | command and control, actions on objectives | http, tls, dns | 513 | actions on objectives, command and control, delivery, installation, weaponization | dns, http, tcp, tls, udp | 2023-05-11 |
| WarHawk | 2 | actions on objectives | http | 18 | actions on objectives, command and control | http | 2023-05-11 |
| XWorm | 2 | actions on objectives | http | 612 | actions on objectives, command and control | dns, http, tcp, tcp-pkt | 2023-05-09 |
| ZStealer | 1 | installation | http | 1 | installation | http | 2023-05-11 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
