<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 1026

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

 

  • New threat detection(s) added [1]: 2 (Mofang APT, Earth Hundun Group)
  • Major changes to detections(s) [2]: 227
  • Updated threat detection(s) [3]: 254

 

Note: a "method" as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus Security Platform (SSP) this past week:

 

Mofang APT (APT)

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries. MITRE

  • Total number of detection methods: 8
  • Kill chain phase(s): command and control

 

Earth Hundun Group (APT)

Earth Hundun is a cyberespionage-motivated threat actor that has been active for several years in the Asia-Pacific region, targeting the technology and government sectors. The group has been known for employing several tools and techniques, including Waterbear, a malware entity that has had over 10 versions since 2009. Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis. Succeeding versions have added enhancements that make it even more troublesome to deal with. In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear. Trendmicro

Earth Hundun Group - Malpedia | Earth Hundun Group - MITRE - Waterbear |
  • Total number of detection methods: 19
  • Kill chain phase(s): command and control

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

APT-C-35 (APT)

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization. Malpedia

  • Added kill chain phase(s): command and control, delivery
  • Previously supported kill chain phase(s): delivery, command and control
  • Methods added: 7

 

APT35 (APT)

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE

  • Added kill chain phase(s): delivery, command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 96

 

Calisto (APT)

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

ClearFake (Exploit Kit)

There are several malicious fake updates campaigns being run across thousands of compromised websites. This campaign appears to have started around July 19th, 2023. Based on a search on PublicWWW of the injection base64 there are at least 434 infected sites. The name is a reference to the majority of the Javascript being used without obfuscation. One noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an analyst you can you go back to the compromised site over and over coming from the same IP and not clearing your browser cache. This also means the site owner is more likely to see the infection as well. When a user visits a compromised website with ClearFake, the page initially loads as normal before the whole page is taken over by a call to action to update Chrome.

On the index page of the compromised site there is a Javascript injection. The Javascript is base64 encoded. Presumably this is a dynamic injection and will change over time to reflect the new host for the initial payload. On the index page of the compromised site there is a Javascript injection. The Javascript is base64 encoded. Presumably this is a dynamic injection and will change over time to reflect the new host for the initial payload. The second web call returns a Javascript that creates an iframe to house the fake update UI. The iframe src is set to a Keitaro endpoint. The response from the Keitaro endpoint is the foundation for the HTML to be rendered within the iframe.

ClearFake Malware Analysis

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, exploitation
  • Methods added: 3

 

DarkGate (Ransomware)

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card. Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 3

 

Fake Browser (Trojan)

Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.

Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.

Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".

bleepingcomputer

  • Added kill chain phase(s): exploitation
  • Previously supported kill chain phase(s): delivery, exploitation
  • Methods added: 45

 

Generic Loader (Loader)

Loaders, for the most part, have one job: grab malicious executables or payloads from an attacker-controlled server. But that doesn’t mean there isn’t more happening under the hood of some, such as a user-friendly UI, self-healing capabilities, or the equivalent of a retail shop where a botmaster can sell his bots to potential clients.

Loaders are essentially basic remote access Trojans that give an attacker the ability to remotely interact with and control a compromised computer, or bot. While traditionally lightweight (smaller than 50 KB in size) in order to bypass detection by antivirus and other security monitoring technology, loaders evolve, and their viability to cybercriminals remains.

Flashpoint

  • Added kill chain phase(s): command and control, delivery
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 6

 

Lumma (Data Theft)

Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, installation
  • Methods added: 33

 

Sarwent (Trojan)

The Sarwent malware is a lesser-known backdoor trojan that has been around since 2018. In its previous versions, the malware contained a limited set of functionality, such as having the ability to download and install other malware on compromised computers. Zdnet

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 4

 

SocGholish (Social Engineering)

It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, exploitation, delivery, reconnaissance, actions on objectives
  • Methods added: 6

 

TA4903 (APT)

An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.

Such threat actors' motivations are typically political or economic. To date, every major business sector has recorded instances of attacks by advanced actors with specific goals seeking to steal, spy or disrupt. These include government, defense, financial services, legal services, industrial, telecoms, consumer goods, and many more. Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to place custom malicious code on one or multiple computers for specific tasks.

Source: Wikipedia

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): delivery
  • Methods added: 9

 

TA577 (APT)

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Malpedia

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

TA582 (APT)

An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.

Such threat actors' motivations are typically political or economic. To date, every major business sector has recorded instances of attacks by advanced actors with specific goals seeking to steal, spy or disrupt. These include government, defense, financial services, legal services, industrial, telecoms, consumer goods, and many more. Some groups utilize traditional espionage vectors, including social engineering, human intelligence and infiltration to gain access to a physical location to enable network attacks. The purpose of these attacks is to place custom malicious code on one or multiple computers for specific tasks.

Source: Wikipedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 13

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

 

Name of threat New coverage Total coverage Last updated
  New Detection methods Kill chain phases Protocols involved Detection methods Kill chain phases Protocols involved  
APT-C-35 7 command and control, delivery dns, tls, http 422 command and control, delivery dns, http, tcp, tls 2024-04-17
APT35 96 delivery, command and control dns, tls, http 719 command and control, delivery dns, ftp, http, tcp, tls, udp 2024-04-19
Calisto 1 command and control http 327 command and control dns, http, tls 2024-04-16
ClearFake 3 command and control dns, tls, http 71 command and control, exploitation dns, http, tls 2024-04-16
DarkGate 3 command and control dns, tls, http 62 actions on objectives, command and control, delivery dns, http, tls 2024-04-16
Earth Hundun Group 19 command and control dns, tls, http 19 command and control dns, tls, http 2024-04-18
Fake Browser 45 exploitation dns, tls, http 485 delivery, exploitation dns, http, tls 2024-04-20
Generic Loader 6 command and control, delivery http 29 actions on objectives, command and control, delivery http, tcp 2024-04-19
Lumma 33 command and control dns, tls, http 668 actions on objectives, command and control, installation dns, http, tls 2024-04-16
Mofang APT 8 command and control http, dns, tls 8 command and control http, dns, tls 2024-04-18
Sarwent 4 command and control http 19 command and control http 2024-04-18
SocGholish 6 command and control dns, tls, http 945 actions on objectives, command and control, delivery, exploitation, reconnaissance dns, http, tcp, tcp-pkt, tls 2024-04-19
TA4903 9 delivery dns, tls, http 762 delivery dns, http, tls 2024-04-19
TA577 1 delivery http 10 command and control, delivery http, tls 2024-04-20
TA582 13 command and control dns, http, tls 88 command and control dns, http, tls 2024-04-17

 

Additional Resources

Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website

Schedule a Demo of Stamus Security Platform

Request a Demo