The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

Current Stamus Threat Intelligence (STI) release version: 422

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 6 (FFDroider, Tepfer, SluttyPutty, Snatch, Fodcha, EvilNominatus)
  • Major changes to detection(s) [2]: 66
  • Updated threat detection(s) [3]: 79

Note: a "method", as referenced below, is a discrete detection vector for a given threat.

New Threat(s) Detected

The following detections were added to your Stamus NDR this past week:

FFDroider (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

  • hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
  • using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
  • form grabbing (finding specific opened windows and stealing their content)
  • keylogging
  • stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

FFDroider - malpedia | FFDroider - MITRE - Compromise Accounts: Social Media Accounts | FFDroider - MITRE - Phishing |
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

Tepfer (Data Theft)

Malware of this family steals data from the users of infected computers, such as:

  • Account data for FTP clients on the infected computer
  • Account data for cloud storage services
  • Browser cookies
  • Account data for mail clients

The malware then sends this information to the cybercriminal’s server.

Some malware of this family can download and run other malicious programs. Kaspersky

Tepfer - microsoft | Tepfer - MITRE - Phishing | Tepfer - MITRE - System Information Discovery | Tepfer - MITRE - Malicious File | Tepfer - MITRE - System Owner/User Discovery | Tepfer - MITRE - Data from Local System | Tepfer - MITRE - Credentials from Password Stores | Tepfer - MITRE - Email Collection |
  • Total number of detection methods: 5
  • Kill chain phase(s): actions on objectives, command and control, delivery
  • MITRE ATT&CK: T1041

SluttyPutty (Downloader)

A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton

SluttyPutty - MITRE - Multi-Stage Channels | SluttyPutty - MITRE - Abuse Elevation Control Mechanism | SluttyPutty - MITRE - System Information Discovery | SluttyPutty - MITRE - Malicious File | SluttyPutty - MITRE - Ingress Tool Transfer |
  • Total number of detection methods: 2
  • Kill chain phase(s): delivery

Snatch (Ransomware)

Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode, so the malware can act without expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload. Malpedia

Snatch - microsoft | Snatch - pcrisk | Snatch - MITRE - Multi-Stage Channels | Snatch - MITRE - Malicious File | Snatch - MITRE - System Information Discovery | Snatch - MITRE - User Execution | Snatch - MITRE - Data Encrypted for Impact | Snatch - MITRE - Phishing |
  • Total number of detection methods: 4
  • Kill chain phase(s): actions on objectives, command and control
  • MITRE ATT&CK: T1486, T1041

EvilNominatus (Ransomware)

As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware that we associated with the EvilNominatus ransomware, initially exposed at the end of 2021. It seems that the ransomware's developer is a young Iranian, who bragged about its development on Twitter. Clearskysec

EvilNominatus - MITRE - Ingress Tool Transfer | EvilNominatus - MITRE - Malicious File | EvilNominatus - MITRE - Data Encrypted for Impact | EvilNominatus - MITRE - Create or Modify System Process | EvilNominatus - MITRE - Phishing |
  • Total number of detection methods: 1
  • Kill chain phase(s): command and control

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

APT35 (APT)

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 27

AutoIt (Backdoor)

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • MITRE ATT&CK added: T1071
  • Previously existing MITRE ATT&CK: T1041
  • Methods added: 1

Banker Stealer (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

  • hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
  • using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
  • form grabbing (finding specific opened windows and stealing their content)
  • keylogging
  • stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 2

BlackGuard (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

  • hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
  • using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
  • form grabbing (finding specific opened windows and stealing their content)
  • keylogging
  • stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control
  • Methods added: 2

BlackTech (APT)

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 1

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
  • MITRE ATT&CK added: T1001
  • Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
  • Methods added: 6

Crimson (RAT)

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control
  • Methods added: 7

Delf (Data Theft)

Delf is a large family of malicious programs, many of which are associated with data theft. F-secure

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): installation, command and control, delivery, actions on objectives
  • MITRE ATT&CK added: T1071
  • Previously existing MITRE ATT&CK: T1041, T1587
  • Methods added: 1

MalDoc (Phishing)

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): delivery, command and control, actions on objectives
  • Methods added: 2

Marcher (Data Theft)

Malicious programs of this family request administrator rights and then make themselves invisible in the list of installed apps. This malware can intercept the user’s personal data, such as SMS messages, MMS messages, and USSD requests. The program can redirect incoming calls to the phone numbers of cybercriminals. Phone numbers, the texts of the messages to be intercepted, and cybercriminal phone numbers for redirecting calls are downloaded from the command-and-control server.

Programs of this family interfere with bank apps, such as the Commerzbank app or Google Play. When the user tries to open one of these legitimate apps, the malware replaces the genuine app window with a phishing window that asks for banking information. The user’s stolen data is sent to the cybercriminals. Kaspersky

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 4

Molerats (APT)

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 3

Plead (RAT)

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 2

Pterodo (Backdoor)

In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. Malwarebytes (https://www.malwarebytes.com/backdoor/)

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

StealBit (Data Theft)

For initial access to a targeted corporate network, the LockBit gang recruits affiliates and helpers as mentioned, who perform the actual intrusion on targets, usually via valid remote desktop protocol (RDP) account credentials. To help the cause, LockBit’s creators provide their partners with a handy StealBit trojan variant, which is a tool for establishing access and automatically exfiltrating data. Threatpost

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): actions on objectives, command and control
  • Methods added: 1

Trojan Downloader (Downloader)

A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): delivery, command and control, actions on objectives
  • MITRE ATT&CK added: T1071
  • Previously existing MITRE ATT&CK: T1587, T1041
  • Methods added: 2

TrojanSpy-Android (Data Theft)

Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 4

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

Name of threat | New coverage: detection methods | New coverage: kill chain phases | New coverage: protocols involved | Total coverage: detection methods | Total coverage: kill chain phases | Total coverage: protocols involved | Last updated
APT35 | 27 | command and control | dns, tls | 158 | command and control, delivery | dns, ftp, http, tcp, tls | 2022-04-21
AutoIt | 1 | command and control | http | 62 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt | 2022-04-22
Banker Stealer | 2 | command and control | tcp | 173 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2022-04-23
BlackGuard | 2 | command and control | tls, dns | 14 | actions on objectives, command and control | dns, http, tls | 2022-04-24
BlackTech | 1 | command and control | http | 8 | command and control, delivery | dns, http | 2022-04-23
Cobalt Strike | 6 | command and control | dns, http | 349 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-04-21
Crimson | 7 | command and control | tcp-pkt, tcp, http | 34 | actions on objectives, command and control | http, tcp, tcp-pkt | 2022-04-22
Delf | 1 | command and control | http | 91 | actions on objectives, command and control, delivery, installation | http, smtp, tcp, tls | 2022-04-22
EvilNominatus | 1 | command and control | dns | 1 | command and control | dns | 2022-04-24
FFDroider | 2 | command and control | http | 2 | command and control | http | 2022-04-24
MalDoc | 2 | delivery | http | 461 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-04-21
Marcher | 4 | command and control | tls | 91 | actions on objectives, command and control, delivery | dns, http, tls | 2022-04-24
Molerats | 3 | command and control | dns, tls, http | 36 | command and control, delivery | dns, http, tls | 2022-04-21
Plead | 2 | command and control | http | 14 | command and control, delivery | dns, http | 2022-04-23
Pterodo | 1 | command and control | tcp | 26 | command and control | http, tcp | 2022-04-22
SluttyPutty | 1 | delivery | http | 2 | delivery | http | 2022-04-24
Snatch | 4 | actions on objectives, command and control | http | 4 | actions on objectives, command and control | http | 2022-04-24
StealBit | 1 | actions on objectives | http | 4 | actions on objectives, command and control | http, tcp | 2022-04-21
Tepfer | 5 | actions on objectives, command and control, delivery | http | 5 | actions on objectives, command and control, delivery | http | 2022-04-24
Trojan Downloader | 2 | command and control | http | 191 | actions on objectives, command and control, delivery | dns, http, tcp, tls, udp | 2022-04-23
TrojanSpy-Android | 4 | command and control | tls, tcp | 339 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-04-24
