<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 459

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 7 (Grandoreiro, Tandem, oRAT, SiMay, NetDooka, PennyWise, LoggerRust)
  • Major changes to detections(s) [2]: 111
  • Updated threat detection(s) [3]: 136

Note: a "method" as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus NDR this past week:

 

Grandoreiro (Trojan)

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain. MITRE

Grandoreiro - malpedia |
  • Total number of detection methods: 5
  • Kill chain phase(s): delivery, command and control

 

Tandem (APT)

An interesting campaign distributing malicious documents. Which used the download chain as well as legitimate payload hosting services. Inquest

Tandem - MITRE - Malicious Link | Tandem - MITRE - User Execution | Tandem - MITRE - Multi-Stage Channels | Tandem - MITRE - Ingress Tool Transfer |

  • Total number of detection methods: 12
  • Kill chain phase(s): command and control

 

oRAT (RAT)

Researchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware recently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details of this novel RAT to understand better how it works and how security teams can detect it in their environments. Sentinelone

oRAT - malpedia |

  • Total number of detection methods: 1
  • Kill chain phase(s): command and control

 

SiMay (Data Theft)

SiMay is the name of malware designed to allow an attacker to remotely control/access an infected computer. This type of malware is called a Remote Administration Trojan (RAT). RATs are used to steal information or files, distribute malware, and for other purposes. Pcrisk

  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

 

NetDooka (Offensive Tools)

Malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, we discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain. Trendmicro

NetDooka - malpedia |
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

PennyWise (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Total number of detection methods: 2
  • Kill chain phase(s): actions on objectives

 

LoggerRust (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Total number of detection methods: 2
  • Kill chain phase(s): actions on objectives, command and control

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

APT-C-23 (APT)

The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published. ESET

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 1

 

APT38 (APT)

APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 2

 

AZORult (Data Theft)

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. MITRE.

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 1

 

AsyncRAT (RAT)

A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • MITRE ATT&CK added: T1587
  • Previously existing MITRE ATT&CK: T1587
  • Methods added: 1

 

AveMaria RAT (RAT)

Ave Maria is high-risk trojan designed to steal various information and to cause "chain infections" (spread other infections). It is typically proliferated using various spam email campaigns. Criminals send thousands of deceptive emails that contain infectious attachments, most of which are Microsoft Office (typically Excel) files. Emails are delivered with messages encouraging users to open the attached document, however, this results in infiltration of Ave Maria Pcrisk

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 2

 

Banker Stealer (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 2

 

BitRAT (RAT)

Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. MalwareBytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

BlackTech (APT)

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 1

 

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
  • MITRE ATT&CK added: T1001
  • Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
  • Methods added: 2

 

ELF (Trojan)

Malware actors often try to infect/add specific code to legitimate binaries in an effort to trojanize (generate segment-padded trojans) those binaries and take advantage of allowed executable on the system.

In computing, the Executable and Linkable Format[citation needed] (ELF, formerly named Extensible Linking Format), is a common standard file format for executable files, object code, shared libraries, and core dumps. First published in the specification for the application binary interface (ABI) of the Unix operating system version named System V Release 4 (SVR4), and later in the Tool Interface Standard, it was quickly accepted among different vendors of Unix systems. In 1999, it was chosen as the standard binary file format for Unix and Unix-like systems on x86 processors by the 86open project. Wikipedia

  • Added kill chain phase(s): installation
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 1

Evilnum (APT)

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 6

 

Keitaro (Phishing)

Cyber ​​criminals violated the law TDS (Traffic Direction System) platform Keitaro and used it to redirect them users in exploit kits RIG and Fallout in order to infect them with malicious software.

TDS platforms are designed for redirection of users in particular sites. Legitimate TDS platforms, such as Keitaro, are mainly used by individuals and companies that want to advertise services or their products. Platforms drive users to the pages that companies want, targeting specific customers and promoting an ad campaign. techbizweb

  • Added kill chain phase(s): exploitation
  • Previously supported kill chain phase(s): command and control, exploitation, delivery
  • Methods added: 16

 

MalDoc (Phishing)

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): delivery, command and control, actions on objectives
  • Methods added: 1

 

NanoCore (RAT)

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013. Nanocore

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

PlugX (RAT)

PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 2

 

Remcos (RAT)

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.

Remcos has been observed being used in malware campaigns.

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 5

 

SideWinder (APT)

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 51

 

SmsThief (Data Theft)

Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 1

 

Stealer and Exfiltration (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): actions on objectives, command and control, installation, exploitation
  • Methods added: 1

 

TA457 (APT)

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1][2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals. Wikipedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control
  • Methods added: 4

 

Trojan Dropper (Trojan)

A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): command and control, delivery, installation, actions on objectives
  • Methods added: 1

 

TrojanSpy-Android (Data Theft)

Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 5

 

Unk (RAT)

This threat can give a malicious hacker unauthorized access and control of your PC. Microsoft

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery, installation
  • Methods added: 1

 

VJworm (Trojan)

It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure. Cofense

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): command and control
  • Methods added: 1

 

njRAT (RAT)

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 1

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

Name of threat New coverage Total coverage Last updated
  New Detection methods Kill chain phases Protocols involved Detection methods Kill chain phases Protocols involved  
APT-C-23 1 command and control dns 435 actions on objectives, command and control dns, http, tls 2022-06-04
APT38 2 delivery tls 91 command and control, delivery dns, http, tcp, tls 2022-05-31
AZORult 1 command and control http 153 command and control, delivery dns, http, tls 2022-06-03
AsyncRAT 1 command and control tcp 420 command and control, delivery http, tcp, tls 2022-05-31
AveMaria RAT 2 command and control tcp 16 actions on objectives, command and control dns, http, tcp 2022-06-02
Banker Stealer 2 command and control http 177 actions on objectives, command and control, delivery dns, http, smtp, tcp, tls 2022-06-03
BitRAT 1 command and control tls 6 command and control http, tls 2022-06-01
BlackTech 1 command and control http 9 command and control, delivery dns, http 2022-06-02
Cobalt Strike 2 command and control http 357 actions on objectives, command and control, delivery, exploitation dns, http, smb, tcp, tls, udp 2022-06-04
ELF 1 installation http 68 command and control, delivery, installation dns, http, tcp, tls, udp 2022-05-31
Evilnum 6 command and control dns, tls 46 actions on objectives, command and control, delivery dns, http, tls 2022-06-04
Grandoreiro 5 delivery, command and control http, dns 5 delivery, command and control http, dns 2022-06-02
Keitaro 16 exploitation http 47 command and control, delivery, exploitation dns, http, tls 2022-05-31
LoggerRust 2 actions on objectives, command and control http, ftp 2 actions on objectives, command and control http, ftp 2022-06-02
MalDoc 1 delivery http 461 actions on objectives, command and control, delivery dns, http, tcp, tls 2022-06-03
NanoCore 1 command and control tls 50 command and control dns, tcp, tls 2022-05-31
NetDooka 2 command and control http, tcp 2 command and control http, tcp 2022-06-02
PennyWise 1 actions on objectives http 2 actions on objectives http 2022-06-02
PlugX 2 command and control dns 55 command and control, delivery dns, http, tcp, tcp-pkt, tls, udp 2022-06-03
Remcos 5 command and control tcp 816 command and control, delivery dns, http, tcp 2022-06-02
SiMay 2 command and control http 2 command and control http 2022-06-02
SideWinder 51 command and control dns 79 actions on objectives, command and control, delivery dns, http, tls 2022-06-03
SmsThief 1 command and control dns 134 actions on objectives, command and control, delivery dns, http, tcp, tls, udp 2022-06-01
Stealer and Exfiltration 1 actions on objectives tcp 194 actions on objectives, command and control, exploitation, installation dns, ftp, http, smtp, tcp, tls 2022-06-02
TA457 4 command and control http 23 actions on objectives, command and control dns, http, tcp, tcp-pkt 2022-06-03
Tandem 12 command and control dns 12 command and control dns 2022-06-02
Trojan Dropper 1 delivery dns 235 actions on objectives, command and control, delivery, installation dns, http, tcp, tls, udp 2022-06-01
TrojanSpy-Android 5 command and control dns 354 actions on objectives, command and control, delivery dns, http, tcp, tls 2022-06-02
Unk 1 command and control tcp 186 actions on objectives, command and control, delivery, installation dns, ftp, http, smtp, tcp, tls 2022-05-31
VJworm 1 actions on objectives http 4 actions on objectives, command and control http 2022-06-02
njRAT 1 delivery http 127 actions on objectives, command and control, delivery http, tcp, tcp-pkt 2022-06-02
oRAT 1 command and control dns 1 command and control dns 2022-06-02

 

Additional Resources

Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website

Schedule a Demo of Stamus Security Platform

Request a Demo