14-June-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 465
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
Borr is the name of a malicious program which can be purchased from hacker forums. The cost is equivalent to $100 for the first month, after which the monthly cost becomes $50. Cyber criminals use Borr to steal various sensitive information, which they can misuse to generate revenue in various ways. Pcrisk
Borr - malpedia |
Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment. Virtually all of the technologies it appears to be interested in have military as well as civilian uses and some could have applications in the development of advanced weaponry. Symantec
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Backdoor HTTP/S Beaconing Implant Github
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published. ESET
In new phishing attacks discovered over the past two weeks, a new malware named 'BazarBackdoor', or internally by the malware developers as simply "backdoor", is being installed that deploys a network-compromising toolkit for the threat actors. The developers of the infamous TrickBot trojan are believed to be behind this new backdoor due to code similarities, executable crypters, and its infrastructure. Bleepingcomputer
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
Recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). Based on our analysis, this group targets gambling websites. Our investigation has also uncovered that Earth Berberoka targets the Windows, Linux, and macOS platforms, and uses malware families that have been historically attributed to Chinese-speaking individuals. TrendMicro
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group. Malpedia
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Trendmicro
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.
Source: MITRE
Lokibot is a malware designed to collect credentials and security tokens from an infected machine. Lokibot has also been used to establish backdoors in enterprise environments. MITRE
Mirai (Japanese: 未来, lit. 'future') is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.
Source: Wikipedia
PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. MITRE
QuasarRAT is an open-source, remote access tool that is publicly available on GitHub. QuasarRAT is developed in the C# language. MITRE
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.
Remcos has been observed being used in malware campaigns.
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
We took action against a previously unreported hacking group from Iran that targeted or spoofed companies in multiple industries around the world. This included energy companies in Saudi Arabia, Canada, Italy, and Russia; the information technology industry in India and United Arab Emirates; the maritime logistics industry in UAE, Iceland, Norway, Saudi Arabia, US, Israel, and India; telecommunications companies in Saudi Arabia and UAE; and the semiconductor industry in Israel, US, and Germany. This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. This group used similar TTPs to another threat actor dubbed Tortoiseshell that we reported on last year, but in this case we saw different targeting, technical infrastructure, and distinct malware. Meta
Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes. [Wikipedia][(https://en.wikipedia.org/wiki/Tiny_Banker_Trojan)
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others. Malpedia
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East. MITRE
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT-C-23 | 1 | command and control | http | 436 | actions on objectives, command and control | dns, http, tls | 2022-06-08 |
| BazaLoader | 1 | command and control | http | 72 | command and control, delivery | dns, http, tls | 2022-06-08 |
| Borr | 1 | command and control | http | 2 | command and control | http | 2022-06-08 |
| Cobalt Strike | 3 | command and control | dns, http | 360 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-06-07 |
| Earth Berberoka | 1 | command and control | dns | 23 | command and control | dns | 2022-06-07 |
| Evilnum | 1 | command and control | dns | 47 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-07 |
| FlyStudio | 1 | command and control | smtp | 28 | actions on objectives, command and control, delivery | http, smtp | 2022-06-10 |
| Gamaredon | 1 | delivery | http | 91 | actions on objectives, command and control, delivery | dns, http | 2022-06-10 |
| Gh0st | 1 | command and control | tcp | 166 | actions on objectives, command and control, delivery | dns, http, tcp | 2022-06-07 |
| Loki | 2 | command and control | http | 27 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-08 |
| Mirai | 1 | command and control | tcp | 200 | actions on objectives, command and control, delivery, reconnaissance | dns, http, tcp | 2022-06-10 |
| PlugX | 1 | command and control | http | 56 | command and control, delivery | dns, http, tcp, tcp-pkt, tls, udp | 2022-06-07 |
| Purelogger | 2 | actions on objectives, command and control | http | 2 | actions on objectives, command and control | http | 2022-06-08 |
| QuasarRAT | 1 | command and control | http | 76 | command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2022-06-07 |
| Remcos | 2 | command and control | tcp | 818 | command and control, delivery | dns, http, tcp | 2022-06-08 |
| SCVReady | 8 | command and control, delivery | http | 16 | command and control, delivery | http | 2022-06-08 |
| Small | 1 | command and control | tcp-pkt | 49 | actions on objectives, command and control, delivery | ftp, http, tcp, tcp-pkt, tls | 2022-06-07 |
| Stealer and Exfiltration | 7 | installation, actions on objectives, command and control | http, ftp | 200 | actions on objectives, command and control, exploitation, installation | dns, ftp, http, smtp, tcp, tls | 2022-06-11 |
| Stonefly | 2 | command and control | dns | 2 | command and control | dns | 2022-06-08 |
| TA455 | 31 | command and control | dns | 94 | command and control | dns | 2022-06-08 |
| Throwback | 9 | command and control | http, tls, dns | 9 | command and control | http, tls, dns | 2022-06-08 |
| Tinba | 1 | command and control | http | 19 | command and control, delivery | http, tcp | 2022-06-08 |
| TransparentTribe | 2 | command and control | tcp | 13 | command and control, delivery | dns, http, tcp, tcp-pkt | 2022-06-08 |
| Trojan Agent | 1 | actions on objectives | http | 332 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, udp | 2022-06-11 |
| TrojanSpy-Android | 1 | command and control | tls | 355 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-06-09 |
| njRAT | 2 | command and control | tcp-pkt | 129 | actions on objectives, command and control, delivery | http, tcp, tcp-pkt | 2022-06-10 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
