05-April-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 404
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others. MITRE
Total number of detection methods: 11
Kill chain phase(s): command and control, delivery
MITRE ATT&CK: T1587
AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control. Malpedia
AllaKore - MITRE - Multi-Stage Channels | AllaKore - MITRE - Ingress Tool Transfer | AllaKore - MITRE - System Information Discovery | AllaKore - MITRE - File and Directory Discovery |
Total number of detection methods: 4
Kill chain phase(s): command and control
Micropsia is a remote access tool written in Delphi. MITRE
Total number of detection methods: 21
Kill chain phase(s): command and control, actions on objectives
MITRE ATT&CK: T1587
Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses. Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups. Malpedia
Total number of detection methods: 2
Kill chain phase(s): command and control
MITRE ATT&CK: T1041
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks. MITRE
Darkhotel - microsoft | Darkhotel - malpedia |
Total number of detection methods: 30
Kill chain phase(s): command and control, actions on objectives, delivery
MITRE ATT&CK: T1041
Spora is a ransomware-type virus distributed via spam emails (malicious attachments). Each rogue email contains an HTA file which, once executed, extracts a Javascript file ("closed.js"), placing it in the system "%Temp%" folder. The Javascript file extracts an executable with a random name and runs it. Pcrisk
Spora - MITRE - Data Encrypted for Impact | Spora - MITRE - Phishing | Spora - MITRE - User Execution | Spora - malpedia | Spora - microsoft |
Total number of detection methods: 6
Kill chain phase(s): command and control
MITRE ATT&CK: T1486
Once infiltrated, Shifr encrypts various files and appends the ".shifr" extension to the name of each encrypted file (for example, "sample.jpg" is renamed to "sample.jpg.shifr"). After successfully encrypting data, Shifr creates an HTML file ("HOW_TO_DECRYPT_FILES.html"), placing it in each folder containing encrypted files. Pcrisk
Shifr - MITRE - User Execution | Shifr - MITRE - Phishing | Shifr - MITRE - Data Encrypted for Impact |
Total number of detection methods: 6
Kill chain phase(s): command and control
MITRE ATT&CK: T1486
Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts. PFPT
TA456 - malpedia | TA456 - MITRE - User Execution | TA456 - MITRE - Phishing | TA456 - MITRE - Multi-Stage Channels | TA456 - MITRE - Ingress Tool Transfer | TA456 - MITRE - System Information Discovery | TA456 - MITRE - File and Directory Discovery | TA456 - MITRE - Collection | TA456 - MITRE - Malicious File | TA456 - MITRE - Exfiltration Over Alternative Protocol |
Total number of detection methods: 2
Kill chain phase(s): delivery, command and control
The main goal of these malicious apps is to steal users’ funds and until now we have seen this scheme mainly targeting Chinese users. As cryptocurrencies are gaining popularity, we expect these techniques to spread into other markets. This is further supported by the public sharing, in November 2021, of the source code of the front-end and back-end distribution website, including the recompiled APK and IPA files. We found this code on at least five websites, where it was shared for free, and thus expect to see more copycat attackers. From the posts we found, it is difficult to determine whether it was shared intentionally or if it leaked. Welivesecurity
FakeWallet - MITRE - Exfiltration Over Alternative Protocol | FakeWallet - MITRE - User Execution | FakeWallet - MITRE - Malicious Link | FakeWallet - MITRE - Exploitation for Client Execution |
Total number of detection methods: 25
Kill chain phase(s): command and control
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'. MITRE
ZeroLogon - MITRE - Exploitation for Privilege Escalation | ZeroLogon - MITRE - Abuse Elevation Control Mechanism | ZeroLogon - malwarebytes |
Total number of detection methods: 7
Kill chain phase(s): exploitation
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Trendmicro
Ymacco - MITRE - Multi-Stage Channels | Ymacco - MITRE - Ingress Tool Transfer | Ymacco - MITRE - System Information Discovery | Ymacco - MITRE - File and Directory Discovery |
Total number of detection methods: 9
Kill chain phase(s): command and control, delivery
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 4
Ave Maria is high-risk trojan designed to steal various information and to cause "chain infections" (spread other infections). It is typically proliferated using various spam email campaigns. Criminals send thousands of deceptive emails that contain infectious attachments, most of which are Microsoft Office (typically Excel) files. Emails are delivered with messages encouraging users to open the attached document, however, this results in infiltration of Ave Maria Pcrisk
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control
Methods added: 1
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
MITRE ATT&CK added: T1001
Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
Methods added: 2
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): actions on objectives, command and control
Methods added: 3
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group. Malpedia
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives
Methods added: 2
FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. MITRE
Added kill chain phase(s): command and control, delivery
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 5
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.
Source: MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
MITRE ATT&CK added: T1041
Previously existing MITRE ATT&CK: T1041
Methods added: 1
Trojan.KillAV is Malwarebytes’ generic detection name for Trojans that are capable of disabling antivirus (AV) programs. Malwarebytes
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): delivery, command and control
Methods added: 2
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE
Added kill chain phase(s): delivery
Previously supported kill chain phase(s): delivery, command and control, actions on objectives
Methods added: 1
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Metepreter was originally written by skape for Metasploit 2.x, common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language but Metasploit has a full-featured Ruby client API. OffensiveSecurity
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): actions on objectives, command and control, delivery
Methods added: 1
PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. MITRE
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 3
The Purple Fox exploit kit (EK) has added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks – and researchers say they expect more attacks to be added in the future ThreatPost
Added kill chain phase(s): delivery
Previously supported kill chain phase(s): exploitation, delivery, command and control
Methods added: 2
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, delivery
Methods added: 1
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Added kill chain phase(s): actions on objectives, command and control
Previously supported kill chain phase(s): actions on objectives, command and control, exploitation, delivery
Methods added: 9
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others. Malpedia
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): delivery, command and control
Methods added: 2
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
Added kill chain phase(s): command and control
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 3
This threat can give a malicious hacker unauthorized access and control of your PC. Microsoft
Added kill chain phase(s): delivery
Previously supported kill chain phase(s): command and control, actions on objectives, delivery
Methods added: 1
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT35 | 4 | command and control | dns, http | 128 | command and control, delivery | dns, ftp, http, tcp, tls | 2022-03-31 |
| AllaKore | 4 | command and control | tcp-pkt, tcp | 4 | command and control | tcp-pkt, tcp | 2022-03-30 |
| AveMaria RAT | 1 | command and control | dns | 11 | command and control | dns, tcp | 2022-03-30 |
| Buhtrap | 2 | command and control | http, dns | 2 | command and control | http, dns | 2022-03-30 |
| Cobalt Strike | 2 | command and control | dns, http | 340 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-03-31 |
| Crimson | 3 | command and control | tcp-pkt | 25 | actions on objectives, command and control | tcp, tcp-pkt | 2022-03-30 |
| Darkhotel | 30 | command and control, actions on objectives, delivery | http, dns, smtp, tcp | 30 | command and control, actions on objectives, delivery | http, dns, smtp, tcp | 2022-03-30 |
| Evilnum | 2 | command and control | dns | 20 | actions on objectives, command and control | dns, http | 2022-03-31 |
| FIN7 | 5 | command and control, delivery | http, dns, tls | 83 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-03-30 |
| FakeWallet | 25 | command and control | tls, http | 25 | command and control | tls, http | 2022-03-31 |
| Gh0st | 1 | command and control | tcp | 161 | actions on objectives, command and control, delivery | dns, http, tcp | 2022-03-30 |
| KillAV | 2 | command and control | tcp-pkt | 6 | command and control, delivery | http, tcp-pkt | 2022-04-02 |
| MalDoc | 1 | delivery | http | 460 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-03-30 |
| Meterpreter | 1 | command and control | tls | 86 | actions on objectives, command and control, delivery | http, tcp, tls | 2022-03-31 |
| Micropsia | 20 | command and control, actions on objectives | tls, http, dns | 21 | command and control, actions on objectives | tls, http, dns | 2022-03-30 |
| Mustang Panda | 11 | command and control, delivery | http, tls, dns | 11 | command and control, delivery | http, tls, dns | 2022-04-01 |
| PlugX | 3 | command and control | dns, http | 53 | command and control, delivery | dns, http, tcp, tcp-pkt, tls, udp | 2022-04-01 |
| PurpleFox | 2 | delivery | http | 17 | command and control, delivery, exploitation | dns, http, tcp, tls | 2022-03-29 |
| Remcos | 1 | command and control | tcp | 803 | command and control, delivery | dns, http, tcp | 2022-03-30 |
| Shifr | 6 | command and control | tls, dns | 6 | command and control | tls, dns | 2022-03-31 |
| Spora | 6 | command and control | dns, http, tls | 6 | command and control | dns, http, tls | 2022-03-31 |
| Stealer and Exfiltration | 9 | actions on objectives, command and control | http, tls, dns | 203 | actions on objectives, command and control, delivery, exploitation | dns, ftp, http, smtp, tcp, tls | 2022-04-02 |
| TA456 | 2 | delivery, command and control | http | 2 | delivery, command and control | http | 2022-03-31 |
| TransparentTribe | 2 | command and control | http, tcp-pkt | 9 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-03-29 |
| TrojanSpy-Android | 3 | command and control | http | 334 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-03-29 |
| Unk | 1 | delivery | http | 185 | actions on objectives, command and control, delivery | dns, ftp, http, smtp, tcp, tls | 2022-04-02 |
| Ymacco | 9 | command and control, delivery | http | 9 | command and control, delivery | http | 2022-03-31 |
| ZeroLogon | 7 | exploitation | tcp-pkt, smb | 7 | exploitation | tcp-pkt, smb | 2022-03-31 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
