26-September-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 855
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform (SSP) this past week:
Since late June 2023, an Android banking trojan named MMRat has been focusing on mobile users in Southeast Asia. This trojan is capable of capturing both user input and screen activity while also allowing remote control of targeted devices through diverse methods. This enables the attackers to conduct bank fraud directly on the victim's device. Pcrisk
MMRAT - Bleeping Computer |
This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return. Fortiguard
Blue Bot - Malware Bazaar |
Analysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware. Trendmicro
SprySOCKS - Malpedia |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
The Atomic macOS Stealer can steal various types of information from the victim’s machine, including keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password. The stealer is designed to target multiple browsers and can extract auto-fills, passwords, cookies, wallets, and credit card information. Specifically, AMOS can target cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi. Cyble
Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Standard Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.
DarkCrystal, also known as dcRAT, is a Remote Access Trojan (RAT). Malware of this type is designed to enable remote access and control over an infected device. RATs can manipulate machines in various ways and can have likewise varied functionalities. DarkCrystal is a dangerous piece of software, which poses a significant threat to device and user safety. DcRat
Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.
Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.
Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.
Source: MITRE
Cyber criminals violated the law TDS (Traffic Direction System) platform Keitaro and used it to redirect them users in exploit kits RIG and Fallout in order to infect them with malicious software.
TDS platforms are designed for redirection of users in particular sites. Legitimate TDS platforms, such as Keitaro, are mainly used by individuals and companies that want to advertise services or their products. Platforms drive users to the pages that companies want, targeting specific customers and promoting an ad campaign. techbizweb
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
DPRK APT actor tracked by Proofpoint as TA444 Malpedia
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others. Malpedia
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
Trojan.Clipper is Malwarebytes' generic detection name for a type of Trojan that tries to steal currencies from the affected system by stealing or manipulating the data on the Windows clipboard.Malwarebytes
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| AMOS | 4 | command and control, actions on objectives | dns, tls, http | 17 | actions on objectives, command and control, delivery | dns, http, tls | 2023-09-19 |
| Blue Bot | 4 | actions on objectives | http | 4 | actions on objectives | http | 2023-09-22 |
| Command and Control | 1 | command and control | http | 283 | actions on objectives, command and control, delivery, installation | dns, http, tls | 2023-09-22 |
| DCRAT | 1 | actions on objectives | http | 52 | actions on objectives, command and control | dns, http, tls | 2023-09-21 |
| Fake Browser | 6 | exploitation | dns, tls, http | 61 | delivery, exploitation | dns, http, tls | 2023-09-21 |
| Gh0st | 2 | command and control | tcp-pkt | 178 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2023-09-21 |
| Keitaro | 7 | exploitation | dns, tls, http | 218 | command and control, delivery, exploitation | dns, http, tls | 2023-09-23 |
| MMRAT | 3 | actions on objectives, command and control | http, tcp | 3 | actions on objectives, command and control | http, tcp | 2023-09-22 |
| SocGholish | 6 | command and control | dns, tls, http | 833 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-09-21 |
| SprySOCKS | 7 | command and control | dns, tcp, http, tls | 7 | command and control | dns, tcp, http, tls | 2023-09-22 |
| TA444 | 12 | command and control | dns, tls, http | 1262 | command and control | dns, http, tls | 2023-09-21 |
| TransparentTribe | 9 | command and control | dns, http, tls | 31 | command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2023-09-19 |
| Trojan Downloader | 6 | command and control, delivery | http | 270 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2023-09-22 |
| Trojan clipper | 4 | exploitation, command and control | http, dns, tls | 10 | command and control, exploitation | dns, http, tls | 2023-09-22 |
ABOUT STAMUS NETWORKS ™
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
