<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 808

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 4 (DDoSia, SupremeBot, Rebate Informer, CHAOS RAT)
  • Major changes to detections(s) [2]: 119
  • Updated threat detection(s) [3]: 128

 

Note: a "method" as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus Security Platform (SSP) this past week:

 

DDoSia (Botnet)

DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.

The DDoSia project was launched on Telegram in early 2022. The NoName057(16) main group main Telegram channel reached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users. Administrators posted instructions for potential volunteers who want to participate in projects, and they added the possibility to pay in cryptocurrency for users who declare a valid TON wallet based on their contribution to the DDoS attacks.

Sekoia

DDosia - malpedia |
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control, delivery

 

SupremeBot (Trojan)

Threat Actors (TAs) use game installers to spread various malware because games have a wide user base, and users generally trust game installers as legitimate software. The social engineering tactics that TAs use exploit users’ trust and entice them to download and run malicious game installers. The large file size and games’ complexity provide TAs opportunities to hide malware within them.

Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more. Previously, Cyble Research and Intelligence Labs (CRIL) has discovered several malware campaigns that specifically target gamers and their game-related applications, including Enlisted, MSI Afterburner, FiveM Spoofer, and others.

Recently, CRIL identified a trojanized Super Mario Bros game installer that delivers multiple malicious components, including an XMR miner, SupremeBot mining client, and the Open-source Umbral stealer. The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e. This incident highlights another reason TAs utilize game installers as a delivery mechanism: the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.

Cyble

SupremeBot - malpedia | SupremeBot - darkreading |
  • Total number of detection methods: 4
  • Kill chain phase(s): command and control

 

Rebate Informer (Adware)

Rebate Informer is a potentially unwanted application created by Xacti LLC, which installs on Internet browsers (Internet Explorer, Google Chrome, and Mozilla Firefox) when users download or install free software.

Developers of this adware use a deceptive software marketing method called 'bundling', and thus, most users install the Rebate Informer plugin inadvertently without their consent. After successful infiltration, this add-on generates intrusive 'cash back' rebates, discount coupons, special promotions, and free shipping offers when users visit online shopping websites.

Furthermore, this plugin tracks users' Internet browsing activity by recording IP addresses, browser types, search terms, web pages visited, and other information.

pcrisk

  • Total number of detection methods: 1
  • Kill chain phase(s): command and control

 

CHAOS RAT (RAT)

CHAOS is a free and open-source Remote Administration Tool that allow generate binaries to control remote operating systems. Github

  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

Backdoor (Trojan)

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them. Kaspersky

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, installation, delivery
  • Methods added: 2

 

Banker Stealer (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 8

 

Blackmoon (Data Theft)

First analyzed in early 2014 [1] [2], the Blackmoon banking Trojan targets a user’s online banking credentials using a type of pharming that involves modifying or replacing the local Hosts file with one that redirects online banking domain lookups to an IP address controlled by the attacker. Blackmoon has been observed targeting primarily customers of South Korean online banking sites and services, and is usually distributed via drive-by download. Proofpoint

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, installation, delivery
  • Methods added: 2

 

CryptBot (Data Theft)

A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 1

 

Fake Browser (Trojan)

Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.

Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.

Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".

bleepingcomputer

  • Added kill chain phase(s): delivery, command and control
  • Previously supported kill chain phase(s): delivery
  • Methods added: 6

 

FakeCalls (Phishing)

Voice phishing attacks have a long history in the South Korean market. According to the report published on the South Korean government website, financial losses due to voice phishing constituted approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020.

Check Point Research discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis (also called evasions) techniques. The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild. Check Point Research

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

Gamaredon (APT)

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 1

 

Glupteba (Downloader)

Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals distribute Glupteba through malicious advertisements that can be injected into legitimate websites or advertising networks. Research shows that Glubteba can be used to distribute a browser stealer or router exploiter. In any case, this malware should be uninstalled immediately. Pcrisk

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • MITRE ATT&CK added: T1573
  • Previously existing MITRE ATT&CK: T1071
  • Methods added: 1

 

Hydrochasma APT (APT)

Shipping companies and medical laboratories in Asia are being targeted in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools.

Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines.

This activity has been ongoing since at least October 2022. While Symantec, by Broadcom Software, did not see any data being exfiltrated in this campaign, the targets, as well as some of the tools used, indicate that the most likely motivation in this campaign is intelligence gathering. Symantec

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

IcedID (Data Theft)

The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S. IcedID has since continued to evolve, and while one of its more recent versions became active in late-2019, X-Force researchers have identified a new major version release that emerged in 2020 with some substantial changes. securityintelligence.com

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 14

 

Kimsuky (APT)

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise. MITRE

  • Added kill chain phase(s): actions on objectives, command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 27

 

NanoCore (RAT)

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013. Nanocore

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • MITRE ATT&CK added: T1041
  • Previously existing MITRE ATT&CK: T1041
  • Methods added: 14

 

PennyWise (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): actions on objectives
  • Methods added: 1

 

Raspberry Robin (Trojan)

We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. TrendMicro

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

SocGholish (Social Engineering)

It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, exploitation, delivery, reconnaissance, actions on objectives
  • Methods added: 2

 

Stealer and Exfiltration (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): actions on objectives, command and control, installation, delivery, exploitation
  • Methods added: 1

 

TA456 (APT)

Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts. PFPT

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): delivery, command and control
  • Methods added: 2

 

TraderTraitor (Trojan)

Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as "TraderTraitor."

The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. CISA

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 24

 

Trojan Agent (Trojan)

Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery, installation
  • Methods added: 1

 

Trojan Dropper (Trojan)

A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): command and control, delivery, installation, actions on objectives
  • Methods added: 2

 

TrojanSpy-Android (Data Theft)

Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery, installation
  • Methods added: 7

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

 

Name of threat New coverage Total coverage Last updated
  New Detection methods Kill chain phases Protocols involved Detection methods Kill chain phases Protocols involved  
Backdoor 2 command and control dns, tls 389 actions on objectives, command and control, delivery, installation dns, ftp, http, icmp, smtp, tcp, tls, udp 2023-07-29
Banker Stealer 8 command and control http, dns, tls 248 actions on objectives, command and control, delivery dns, http, smtp, tcp, tls 2023-07-29
Blackmoon 2 command and control tls, dns 55 actions on objectives, command and control, delivery, installation dns, http, smtp, tcp, tcp-pkt, tls 2023-07-29
CHAOS RAT 2 command and control http 2 command and control http 2023-07-26
CryptBot 1 command and control http 25 actions on objectives, command and control, delivery dns, http 2023-07-25
DDoSia 2 command and control, delivery http 2 command and control, delivery http 2023-07-26
Fake Browser 6 delivery, command and control dns, tls 10 command and control, delivery dns, http, tls 2023-07-25
FakeCalls 1 command and control http 19 command and control dns, http 2023-07-29
Gamaredon 1 delivery http 403 actions on objectives, command and control, delivery dns, http, tcp-pkt, tls 2023-07-28
Glupteba 1 command and control tls 69 command and control dns, http, tcp, tls 2023-07-26
Hydrochasma APT 1 command and control tcp 2 command and control tcp 2023-07-28
IcedID 14 command and control dns, tls 486 actions on objectives, command and control, delivery dns, http, tcp, tls 2023-07-29
Kimsuky 27 actions on objectives, command and control http, dns, tls 149 actions on objectives, command and control, delivery dns, ftp, ftp-data, http, tls 2023-07-27
NanoCore 14 command and control tcp 65 command and control dns, tcp, tls 2023-07-27
PennyWise 1 actions on objectives http 4 actions on objectives http 2023-07-29
Raspberry Robin 1 command and control http 277 command and control dns, http 2023-07-28
Rebate Informer 1 command and control http 1 command and control http 2023-07-26
SocGholish 2 command and control tls 356 actions on objectives, command and control, delivery, exploitation, reconnaissance dns, http, tcp, tcp-pkt, tls 2023-07-27
Stealer and Exfiltration 1 actions on objectives http 340 actions on objectives, command and control, delivery, exploitation, installation dns, ftp, http, smtp, tcp, tcp-pkt, tls 2023-07-26
SupremeBot 4 command and control dns, http 4 command and control dns, http 2023-07-26
TA456 2 command and control tls 25 command and control, delivery dns, http, tls 2023-07-28
TraderTraitor 24 command and control dns, tls 41 command and control dns, http, tls 2023-07-27
Trojan Agent 1 command and control http 388 actions on objectives, command and control, delivery, installation dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, tls, udp 2023-07-26
Trojan Dropper 2 delivery dns 302 actions on objectives, command and control, delivery, installation dns, http, tcp, tls, udp 2023-07-29
TrojanSpy-Android 7 command and control http, dns, tls 801 actions on objectives, command and control, delivery, installation dns, http, tcp, tls 2023-07-29

 

Additional Resources

Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website

Schedule a Demo of Stamus Security Platform

Request a Demo