22-August-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 825
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform (SSP) this past week:
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Poverty Stealer - emergingthreats |
On July 11, 2023, Unit 42 cloud researchers discovered a new peer-to-peer (P2P) worm we call P2PInfect. Written in Rust, a highly scalable and cloud-friendly programming language, this worm is capable of cross-platform infections and targets Redis, a popular open-source database application that is heavily used within cloud environments. Redis instances can be run on both Linux and Windows operating systems. Unit 42 researchers have identified over 307,000 unique Redis systems communicating publicly over the last two weeks, of which 934 may be vulnerable to this P2P worm variant. While not all of the 307,000 Redis instances will be vulnerable, the worm will still target these systems and attempt the compromise.
P2PInfect - bleepingcomputer | P2PInfect - thehackernews |
The best open source stealer.
Phemedrone Stealer is written in C# without any dependencies. Logs gate is a standalone PHP script, which you might customize whenever you want.
Features: * Stealer gathers all data in memory * No external libraries are used for Phemedrone Stealer * Stub size is ~100 kB * Works on both x32 and x64 systems * All logs get sent to an Telegram or HTTP Host * Configurable Anti CIS, Anti VM, Anti Debbuger and Mutex * Configurable File grabber file extensions and search depth * Grabbing Cookies, Passwords, Autofills and Credit cards from Chromium based browsers (using dynamic path searching) * Grabbing Cookies, Passwords and Autofills from Gecko-based browsers (using dynamic path searching) * Grabbing Telegram, Steam and Discord sessions using dynamically path searching * Grabbing sensitive Extensions from Chromium-based browsers (includes crypto-extensions and authenticators) * Grabbing most known Crypto wallets * Detailed System information which includes hardware, geolocation and OS information with a Screenshot
The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.
8Base - vmware |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. MITRE
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE
G-Cleaner is promoted as an app that supposedly speeds up and optimizes Windows computers. It is promoted as a legitimate application (and its appearance may suggest this) and has a website from which it can be downloaded. In fact, its installation setup also contains a malicious program. G-Cleaner is installed together with AZORult, a trojan-type malicious program. Pcrisk
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise. MITRE
Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Trojan.Clipper is Malwarebytes' generic detection name for a type of Trojan that tries to steal currencies from the affected system by stealing or manipulating the data on the Windows clipboard.Malwarebytes
A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. MITRE
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| 8Base | 6 | command and control | dns, http, tls | 6 | command and control | dns, http, tls | 2023-08-16 |
| APT 29 | 11 | command and control | dns, tls, http | 206 | actions on objectives, command and control | dns, ftp, http, tls | 2023-08-15 |
| APT35 | 3 | command and control | dns, tls, http | 478 | command and control, delivery | dns, ftp, http, tcp, tls, udp | 2023-08-18 |
| GCleaner | 4 | command and control, delivery | http | 19 | command and control, delivery | http | 2023-08-19 |
| Kimsuky | 76 | command and control | dns, tls, http | 317 | actions on objectives, command and control, delivery | dns, ftp, ftp-data, http, tls | 2023-08-16 |
| Molerats | 3 | command and control | http | 126 | command and control, delivery | dns, http, tls | 2023-08-17 |
| P2PInfect | 1 | command and control | tls | 1 | command and control | tls | 2023-08-16 |
| Phemedrone | 1 | actions on objectives | http | 1 | actions on objectives | http | 2023-08-16 |
| Poverty Stealer | 2 | command and control, actions on objectives | tcp | 2 | command and control, actions on objectives | tcp | 2023-08-16 |
| SocGholish | 6 | command and control | dns, tls, http | 815 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-08-17 |
| Stealer and Exfiltration | 2 | actions on objectives | http | 371 | actions on objectives, command and control, delivery, exploitation, installation | dns, ftp, http, smtp, tcp, tcp-pkt, tls | 2023-08-19 |
| Trojan clipper | 5 | command and control | http | 6 | command and control | http | 2023-08-16 |
| XRat | 1 | command and control | http | 20 | command and control | dns, http, icmp, tcp, tcp-pkt, tls | 2023-08-15 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
