
The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 445

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 6 (SCVReady, CyberGate, SysChecker, Eternity, SilentBreak, Leviathan)
  • Major changes to detection(s) [2]: 16
  • Updated threat detection(s) [3]: 75

 

Note: a "method", as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus NDR this past week:

 

SCVReady (Trojan)

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky

SCVReady - MITRE - Ingress Tool Transfer | SCVReady - MITRE - Malicious File | SCVReady - MITRE - System Information Discovery | SCVReady - MITRE - Exfiltration Over C2 Channel
  • Total number of detection methods: 8
  • Kill chain phase(s): command and control, delivery
  • MITRE ATT&CK: T1071

 

CyberGate (RAT)

CyberGate is one of many remote access tools (RATs) that allow users to control other connected computers remotely. Cyber criminals often use these programs for malicious purposes such as to steal personal, sensitive information and misuse it to generate revenue. People who have computers infected with programs such as CyberGate should uninstall them immediately.

Pcrisk

CyberGate - microsoft | CyberGate - malpedia | CyberGate - MITRE - Ingress Tool Transfer | CyberGate - MITRE - Multi-Stage Channels | CyberGate - MITRE - Data from Local System | CyberGate - MITRE - Process Discovery | CyberGate - MITRE - System Information Discovery | CyberGate - MITRE - Malicious File | CyberGate - MITRE - File and Directory Discovery
  • Total number of detection methods: 24
  • Kill chain phase(s): command and control, installation

 

SysChecker (Trojan)

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky

SysChecker - MITRE - Process Discovery | SysChecker - MITRE - System Service Discovery | SysChecker - MITRE - Data from Local System | SysChecker - MITRE - Malicious File | SysChecker - MITRE - Ingress Tool Transfer | SysChecker - MITRE - Multi-Stage Channels
  • Total number of detection methods: 4
  • Kill chain phase(s): command and control
  • MITRE ATT&CK: T1041

 

Eternity (Trojan)

Discovered by Cyble Research Labs, Eternity is the name of a malware family. Actively sold on the Web, Eternity's developers use the Telegram IM (Instant Messaging) service to sell their malicious wares, as well as provide support and customization to buyers. Telegram can also be employed by the attackers using Eternity programs as their C&C (Command and Control) server and proliferation tool.

Currently, this malware family consists of a stealer, worm, miner, clipper, ransomware, and DDoS bot. Pcrisk

Eternity - microsoft | Eternity - MITRE - Malicious File | Eternity - MITRE - Multi-Stage Channels | Eternity - MITRE - Ingress Tool Transfer | Eternity - MITRE - Resource Hijacking | Eternity - MITRE - Abuse Elevation Control Mechanism | Eternity - MITRE - Data Encrypted for Impact | Eternity - MITRE - Exfiltration Over C2 Channel | Eternity - MITRE - System Information Discovery | Eternity - MITRE - File and Directory Discovery | Eternity - malpedia clipper | Eternity - malpedia ransomware | Eternity - malpedia stealer | Eternity - malpedia worm
  • Total number of detection methods: 8
  • Kill chain phase(s): command and control, actions on objectives

 

SilentBreak (Trojan)

In February 2022 we observed the technique of putting the shellcode into Windows event logs for the first time "in the wild" during a malicious campaign. It allows the "fileless" last-stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn't limited to storing shellcodes. Dropper modules also patch Windows native API functions related to event tracing (ETW) and the anti-malware scan interface (AMSI) to make the infection process stealthier. Kaspersky

SilentBreak - microsoft | SilentBreak - MITRE - Ingress Tool Transfer | SilentBreak - MITRE - Malicious File | SilentBreak - MITRE - Multi-Stage Channels | SilentBreak - MITRE - Exfiltration Over C2 Channel | SilentBreak - MITRE - Protocol Tunneling
  • Total number of detection methods: 3
  • Kill chain phase(s): command and control

 

Leviathan (APT)

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia. MITRE

Leviathan - proofpoint | Leviathan - malpedia
  • Total number of detection methods: 18
  • Kill chain phase(s): command and control, delivery

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

Bitter (APT)

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 5

 

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
  • MITRE ATT&CK added: T1001
  • Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
  • Methods added: 1

 

DCRAT (RAT)

DarkCrystal, also known as dcRAT, is a Remote Access Trojan (RAT). Malware of this type is designed to enable remote access and control over an infected device. RATs can manipulate machines in various ways and can have likewise varied functionalities. DarkCrystal is a dangerous piece of software, which poses a significant threat to device and user safety. DcRat

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 4

 

Molerats (APT)

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 2

 

Remcos (RAT)

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.

Remcos has been observed being used in malware campaigns.

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 3

 

TransparentTribe (APT)

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): delivery, command and control
  • Methods added: 1

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

| Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
|---|---|---|---|---|---|---|---|
| Bitter | 5 | command and control | dns, http | 25 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-05-21 |
| Cobalt Strike | 1 | command and control | http | 351 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-05-20 |
| CyberGate | 24 | command and control, installation | http, tcp | 24 | command and control, installation | http, tcp | 2022-05-19 |
| DCRAT | 4 | command and control | dns, tls | 34 | actions on objectives, command and control | dns, http, tls | 2022-05-21 |
| Eternity | 3 | command and control, actions on objectives | http, dns | 8 | command and control, actions on objectives | http, dns | 2022-05-19 |
| Leviathan | 17 | command and control | dns, http | 18 | command and control | dns, http | 2022-05-19 |
| Molerats | 2 | command and control | http, dns | 42 | command and control, delivery | dns, http, tls | 2022-05-20 |
| Remcos | 3 | command and control | tcp | 811 | command and control, delivery | dns, http, tcp | 2022-05-18 |
| SCVReady | 8 | command and control, delivery | http | 8 | command and control, delivery | http | 2022-05-19 |
| SilentBreak | 3 | command and control | dns | 3 | command and control | dns | 2022-05-19 |
| SysChecker | 4 | command and control | http | 4 | command and control | http | 2022-05-19 |
| TransparentTribe | 1 | command and control | dns | 11 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-05-20 |

 
