23-May-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 751
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
JLORAT copies itself under %AppData% and sets up persistence via a registry RUN key. It also creates a mutex to ensure atomic execution (“whatever”, as in the default usage example for the “single-instance” Rust library that is embedded). The backdoor starts by gathering information on the victim machine, such as the system information, current user and public IP address. The information is sent via an HTTP POST request to the C2 on a non-standard port (i.e., 9942). Sample data sent by the C2 could be: Securelist
A Powerful Ransomware Tool for Security Testing Used by ReadTeams. Github
Jasmin - Microsoft |
The Atomic macOS Stealer can steal various types of information from the victim’s machine, including keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password. The stealer is designed to target multiple browsers and can extract auto-fills, passwords, cookies, wallets, and credit card information. Specifically, AMOS can target cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi. Cyble
AMOS - Malpedia |
IIS Raid is a native IIS module that abuses the extendibility of IIS to backdoor the web server and carry out custom actions defined by an attacker. Github
Since late 2021, samples associated with the DUCKTAIL operation were exclusively written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, including the main assembly2. The usage of .NET Core and its single-file feature is not commonly seen in malware. WithSecure
Ducktail Stealer - Malpedia |
Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service. Trustwave
BlackSun encrypts files and keeps them inaccessible until a ransom is paid. It renames encrypted files by appending the ".BlackSun" extension (for example, it renames "1.jpg" to "1.jpg.BlackSun", "2.jpg" to "1.jpg.BlackSun"). Also, BlackSun changes the desktop wallpaper and creates the "BlackSun_README.txt" file. Pcrisk
BlackSun - Malpedia | BlackSun - VMware |
A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.
Alpha is a ransomware created by the developers of Cerber (an identical virus). Alpha is distributed via email spam messages that contain infected .WSF and .DOC files attachments. When these files are opened, users are asked to enable macro commands, which will then run the ransomware. Pcrisk
Alpha Ransomware - Bleepingcomputer |
In computing, a Trojan horse (or simply trojan) is any malware which misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity. It can also delete a user's files or infect other devices connected to the network. Ransomware attacks are often carried out using a trojan.
Recently, Cyble Research and Intelligence Labs (CRIL) uncovered multiple malicious Python .whl (Wheel) files that were found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions. Cyble
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization. Malpedia
Amadey is malicious software categorized as a trojan. Cyber criminals can purchase Amadey on a Russian dark web forum and then use it to perform various malicious tasks: download and install (execute) other malware, steal personal information, log keystrokes, send spam from a victim's computer, and add an infected computer to a botnet. Pcrisk
Trojan.BeamWinHTTP is a Trojan that comes in the form of a dll, which is loaded to inject malicious code into http traffic on the affected system. Trojan.BeamWinHTTP has been found to add affected systems to a botnet that performed DDoS attacks. Malwarebytes
First analyzed in early 2014 [1] [2], the Blackmoon banking Trojan targets a user’s online banking credentials using a type of pharming that involves modifying or replacing the local Hosts file with one that redirects online banking domain lookups to an IP address controlled by the attacker. Blackmoon has been observed targeting primarily customers of South Korean online banking sites and services, and is usually distributed via drive-by download. Proofpoint
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE
Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals distribute Glupteba through malicious advertisements that can be injected into legitimate websites or advertising networks. Research shows that Glubteba can be used to distribute a browser stealer or router exploiter. In any case, this malware should be uninstalled immediately. Pcrisk
The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S. IcedID has since continued to evolve, and while one of its more recent versions became active in late-2019, X-Force researchers have identified a new major version release that emerged in 2020 with some substantial changes. securityintelligence.com
Cyber criminals violated the law TDS (Traffic Direction System) platform Keitaro and used it to redirect them users in exploit kits RIG and Fallout in order to infect them with malicious software.
TDS platforms are designed for redirection of users in particular sites. Legitimate TDS platforms, such as Keitaro, are mainly used by individuals and companies that want to advertise services or their products. Platforms drive users to the pages that companies want, targeting specific customers and promoting an ad campaign. techbizweb
Micropsia is a remote access tool written in Delphi. MITRE
Smoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. MITRE
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns. MITRE
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT. Cyble
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| AMOS | 2 | command and control, actions on objectives | dns, http | 2 | command and control, actions on objectives | dns, http | 2023-05-18 |
| APT-C-35 | 3 | delivery, command and control | http, dns | 199 | command and control, delivery | dns, http, tcp, tls | 2023-05-20 |
| Alpha Ransomware | 1 | command and control | http | 1 | command and control | http | 2023-05-18 |
| Amadey | 2 | command and control, delivery | http | 14 | actions on objectives, command and control, delivery | http | 2023-05-18 |
| BeamWinHTTP | 1 | command and control | http | 4 | command and control | http | 2023-05-20 |
| BlackSun | 1 | delivery | http | 1 | delivery | http | 2023-05-18 |
| Blackmoon | 1 | command and control | http | 53 | actions on objectives, command and control, delivery, installation | dns, http, smtp, tcp, tcp-pkt, tls | 2023-05-18 |
| Ducktail Stealer | 1 | command and control | dns | 3 | command and control | dns | 2023-05-18 |
| Gamaredon | 12 | command and control | dns, http | 299 | actions on objectives, command and control, delivery | dns, http, tcp-pkt, tls | 2023-05-20 |
| Gamut | 3 | command and control | http | 3 | command and control | http | 2023-05-18 |
| Glupteba | 4 | command and control | dns | 65 | command and control | dns, http, tcp, tls | 2023-05-16 |
| IIS-Raid | 2 | delivery | http | 2 | delivery | http | 2023-05-18 |
| IcedID | 1 | command and control | http | 455 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2023-05-20 |
| JLORAT | 1 | command and control | http | 1 | command and control | http | 2023-05-18 |
| Jasmin | 2 | command and control | http | 2 | command and control | http | 2023-05-18 |
| KEKW | 2 | command and control | dns | 2 | command and control | dns | 2023-05-18 |
| Keitaro | 4 | exploitation | dns, http | 91 | command and control, delivery, exploitation | dns, http, tls | 2023-05-17 |
| Micropsia | 1 | actions on objectives | http | 38 | actions on objectives, command and control | dns, http, tls | 2023-05-16 |
| MythBot | 3 | command and control | http, tls | 3 | command and control | http, tls | 2023-05-18 |
| Smoke Loader | 1 | command and control | dns | 69 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2023-05-16 |
| SocGholish | 1 | command and control | dns | 285 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-05-19 |
| Trickbot | 1 | delivery | http | 57 | actions on objectives, command and control, delivery | http, icmp, tls | 2023-05-20 |
| Trojan Downloader | 4 | command and control | http, tcp-pkt | 252 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tcp-pkt, tls, udp | 2023-05-19 |
| Valyri | 2 | command and control | http | 2 | command and control | http | 2023-05-18 |
| XWorm | 26 | command and control | tcp-pkt | 636 | command and control | dns, http, tcp, tcp-pkt | 2023-05-16 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
