19-September-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 849
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method", as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform (SSP) this past week:
Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family.
Briefly, this means that on Windows operating systems svchost.exe manages the services, and the services actually run as threads inside svchost.exe processes. Phant0m targets the Event Log service: it finds the process responsible for that service, then detects and kills the threads responsible for it. Thus, while the Event Log service appears to be running (because Phant0m did not kill the process), it does not actually run (because Phant0m killed its threads), and the system does not collect logs.
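A host-side health check for the condition described above, added here as an example and not part of the Stamus report or of Phant0m itself: it flags an Event Log service that the Service Control Manager reports as Running while its hosting svchost.exe has suspiciously few threads or nothing has reached the System log recently. The function name and the thread/silence thresholds are assumptions chosen for illustration.

```powershell
# Added example: detect an Event Log service that looks alive but no longer logs.
# Assumptions (not from the report): 5 threads and 15 minutes are illustrative thresholds;
# a quiet idle host can legitimately go longer without a System event, so tune before alerting.
function Test-EventLogServiceHealth {
    param(
        [int]$MinThreads = 5,
        [int]$MaxSilenceMinutes = 15
    )
    # Service state as the Service Control Manager sees it (this is what Phant0m leaves intact).
    $svc = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
    $result = [ordered]@{
        State       = $svc.State
        ProcessId   = $svc.ProcessId
        ThreadCount = $null
        LastEvent   = $null
        Suspicious  = $false
        Reasons     = @()
    }
    if ($svc.State -eq 'Running' -and $svc.ProcessId) {
        # Thread count of the shared svchost.exe that hosts EventLog; the process itself survives.
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if ($proc) {
            $result.ThreadCount = $proc.Threads.Count
            if ($proc.Threads.Count -lt $MinThreads) {
                $result.Suspicious = $true
                $result.Reasons += "only $($proc.Threads.Count) thread(s) in svchost PID $($svc.ProcessId)"
            }
        }
        # A "running" Event Log service that has written nothing recently is also suspect.
        # If the worker threads are gone this query may fail or time out, which is itself a signal.
        $last = Get-WinEvent -LogName System -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($last) {
            $result.LastEvent = $last.TimeCreated
            if ($last.TimeCreated -lt (Get-Date).AddMinutes(-$MaxSilenceMinutes)) {
                $result.Suspicious = $true
                $result.Reasons += "no System event since $($last.TimeCreated)"
            }
        } else {
            $result.Suspicious = $true
            $result.Reasons += 'System log could not be read while service reports Running'
        }
    }
    [pscustomobject]$result
}

Test-EventLogServiceHealth | Format-List
```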
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent. MITRE
Bumblebee - Malpedia | Bumblebee - Microsoft
BI.ZONE Cyber Threat Intelligence team has detected a new campaign by Red Wolf, a hacker group that specializes in corporate espionage. Similar to its previous campaigns, the group continues to leverage phishing emails to gain access to the target organizations. To deliver malware on a compromised system, Red Wolf uses IMG files containing LNK files. By opening such a file an unsuspecting victim runs an obfuscated DLL file, which in its turn downloads and executes RedCurl.FSABIN on the victim’s device. This enables the attackers to run commands in the compromised environment and transfer additional tools for post‑exploitation. Bizone
On August 28, 2023, the CERT-UA team issued an alert covering UAC-0173 attacks targeting Ukrainian judicial bodies and notaries since Q1 2023. The malicious campaign in the limelight involves targeted email distribution, delivering BZIP, GZIP, and RAR archives with BAT files inside. The BAT files are created with the help of ScrubCrypt crypter and upon execution, they install AsyncRAT malware onto the affected systems. The campaign utilized specific subject lures and file names referring to official letters from local notary departments and Ministry of Justice notifications.
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014. MITRE
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. This malware makes use of the legitimate scripting language for Windows GUI automation with the same name. MITRE
DarkCrystal, also known as dcRAT, is a Remote Access Trojan (RAT). Malware of this type is designed to enable remote access and control over an infected device. RATs can manipulate machines in various ways and can have likewise varied functionalities. DarkCrystal is a dangerous piece of software, which poses a significant threat to device and user safety. DcRat
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card. Malwarebytes
Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.
Between May and September 2019, FireEye conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.
Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".
Coinminer is unwanted malicious software which uses the victim's computational power (mostly CPU and RAM) to mine for coins (for example Monero or Zcash). The malware achieves persistence by adding one of the open-source miners to startup without the victim's consent. The most sophisticated coin miners use timer settings or cap CPU usage in order to remain stealthy. Malpedia
Cyber criminals abused the legitimate TDS (Traffic Direction System) platform Keitaro, using it to redirect users to the RIG and Fallout exploit kits in order to infect them with malicious software.
TDS platforms are designed to redirect users to particular sites. Legitimate TDS platforms, such as Keitaro, are mainly used by individuals and companies that want to advertise their services or products. The platforms drive users to the pages the companies want, targeting specific customers and promoting an ad campaign. techbizweb
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise. MITRE
Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities. Malpedia
In November 2020, CERT-In, the Indian Computer Emergency Response Team, detected ShadowPad and alerted the national grid operator's regional units, the Times of India reports. Bankinfosecurity
DPRK APT actor tracked by Proofpoint as TA444 Malpedia
This threat can give a malicious hacker unauthorized access and control of your PC. Microsoft
The following threat detection(s) were improved this past week with new or updated threat methods.
Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
---|---|---|---|---|---|---|---|
AgentTesla | 1 | actions on objectives | tcp | 50 | actions on objectives, command and control, delivery | dns, ftp, http, smtp, tcp, tcp-pkt, tls | 2023-09-12 |
AutoIt | 1 | delivery | http | 65 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tcp-pkt | 2023-09-16 |
Bumblebee | 3 | command and control | http, tcp-pkt | 3 | command and control | http, tcp-pkt | 2023-09-15 |
DCRAT | 4 | command and control | http, dns, tls | 51 | actions on objectives, command and control | dns, http, tls | 2023-09-16 |
DarkGate | 4 | command and control | http, dns, tls | 18 | actions on objectives, command and control | dns, http, tls | 2023-09-16 |
Fake Browser | 6 | exploitation | dns, tls, http | 55 | delivery, exploitation | dns, http, tls | 2023-09-15 |
Generic Coinminer | 13 | command and control | dns, tls, http | 15 | actions on objectives, command and control | dns, http, tcp, tls | 2023-09-15 |
Keitaro | 6 | exploitation | dns, tls, http | 211 | command and control, delivery, exploitation | dns, http, tls | 2023-09-13 |
Kimsuky | 4 | command and control | dns, tls, http | 321 | actions on objectives, command and control, delivery | dns, ftp, ftp-data, http, tls | 2023-09-13 |
Lumma | 2 | command and control, actions on objectives | http | 14 | actions on objectives, command and control, installation | dns, http, tls | 2023-09-16 |
Phant0m | 1 | delivery | http | 1 | delivery | http | 2023-09-15 |
Red Wolf | 28 | delivery, command and control | http, dns, tls | 28 | delivery, command and control | http, dns, tls | 2023-09-15 |
ShadowPad | 3 | command and control | dns, http, tls | 55 | command and control | dns, http, tls | 2023-09-14 |
TA444 | 57 | command and control | dns, tls, http | 1250 | command and control | dns, http, tls | 2023-09-12 |
UAC-0173 | 6 | command and control | dns, tls, http | 6 | command and control | dns, tls, http | 2023-09-15 |
Unk | 2 | delivery, actions on objectives | http | 210 | actions on objectives, command and control, delivery, installation | dns, ftp, http, smtp, tcp, tls | 2023-09-15 |
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.