
The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 477

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 9 (DOUBLEBACK, Kinsing, Symbiote, GALLIUM, MegalodonHTTP, Snip3, PingPull, LingyunNet, Loxes)
  • Major changes to detection(s) [2]: 47
  • Updated threat detection(s) [3]: 79

Note: a "method", as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus NDR this past week:

 

DOUBLEBACK (Backdoor)

In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes](https://www.malwarebytes.com/backdoor/)

DOUBLEBACK - triage
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

 

Kinsing (Cryptocurrency)

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. MITRE

Kinsing - lacework | Kinsing - microsoft | Kinsing - malpedia
  • Total number of detection methods: 6
  • Kill chain phase(s): delivery, command and control

 

Symbiote (Rootkit)

A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions. Malpedia

Symbiote - malpedia
  • Total number of detection methods: 5
  • Kill chain phase(s): command and control

 

GALLIUM (APT)

GALLIUM is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. GALLIUM has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors. MITRE

  • Total number of detection methods: 2
  • Kill chain phase(s): command and control

 

MegalodonHTTP (RAT)

MegalodonHTTP is a Remote Access Trojan (RAT) that could be used by attackers to take over victims' machines and exfiltrate sensitive data. According to the experts, MegalodonHTTP is not a sophisticated threat; among its major flaws is the need for the .NET framework to be present on the infected machine. Securityaffairs

  • Total number of detection methods: 5
  • Kill chain phase(s): command and control
  • MITRE ATT&CK: T1496

 

Snip3 (RAT)

Morphisec has recently monitored a highly sophisticated Crypter-as-a-Service that delivers numerous RAT families onto target machines.

The Crypter is most commonly delivered through phishing emails, which lead to the download of a visual basic file. In some cases, however, the attack chain starts with a large install file, such as an Adobe installer, which bundles the next stage.

This Crypter implements several advanced techniques to bypass detection, such as:

- Executing PowerShell code with the 'remotesigned' parameter
- Validating the existence of Windows Sandbox and VMWare virtualization
- Using Pastebin and top4top for staging
- Compiling RunPE loaders on the endpoint at runtime

We have named the Snip3 Crypter based on the common denominator username taken from the PDB indicator we found in an earlier variant. Morphisec

Snip3 - MITRE - Command and Scripting Interpreter: PowerShell | Snip3 - MITRE - Command and Scripting Interpreter: Visual Basic
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control
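Each of the Crypter behaviours Morphisec lists is visible in endpoint telemetry, and they are most useful when correlated rather than alerted on one at a time. The following is an added example, not Stamus Networks or Morphisec code: it reviews constructed process-creation events and flags a PowerShell process that overrides the execution policy (it generalizes beyond 'remotesigned' to 'bypass' and 'unrestricted'), noting in addition whether that process was spawned by a Visual Basic script host and whether it fetched from one of the staging services named above. The event layout, the script-host names, the join of outbound URLs onto processes and all sample paths are assumptions made for the illustration.

```python
"""Correlate constructed process-creation events for a Snip3-style chain.

Added example, not Stamus Networks or Morphisec code. The event shape, the
script-host list, the URL-to-process join and the sample values are assumptions.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumption: hosts that run the Visual Basic stage
STAGING_HOSTS = ("pastebin.com", "top4top")     # staging services named in the write-up
# PowerShell accepts abbreviated parameter names, so match the common short forms too.
POLICY_RE = re.compile(r"(?i)(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+(remotesigned|bypass|unrestricted)\b")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # executable basename, lower-case
    cmdline: str
    urls: tuple = ()  # outbound URLs attributed to the process (assumption: joined from proxy logs)


def execution_policy_override(cmdline: str):
    """Return the overriding policy name ('remotesigned', 'bypass', ...) or None."""
    m = POLICY_RE.search(cmdline)
    return m.group(1).lower() if m else None


def staging_hosts_in(urls):
    """Hosts from `urls` that belong to one of the known staging services."""
    hits = []
    for u in urls:
        host = re.sub(r"^[a-z]+://", "", u, flags=re.I).split("/", 1)[0].lower()
        if any(s in host for s in STAGING_HOSTS):
            hits.append(host)
    return hits


def review_process_events(events):
    """Map each PowerShell pid that overrides the execution policy to the sorted
    list of reasons it resembles the chain; processes with no override are skipped."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        if e.image != "powershell.exe":
            continue
        policy = execution_policy_override(e.cmdline)
        if policy is None:
            continue
        reasons = [f"execution policy override: {policy}"]
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {parent.image}")
        for host in staging_hosts_in(e.urls):
            reasons.append(f"fetches staging host {host}")
        findings[e.pid] = sorted(reasons)
    return findings


def sample_events():
    """Constructed events: one full chain, one benign admin script, one loose override."""
    return [
        ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
        ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'),
        ProcEvent(300, 200, "powershell.exe",
                  r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Users\u\AppData\Local\Temp\stage.ps1",
                  urls=("https://pastebin.com/raw/CONSTRUCTED",)),
        ProcEvent(400, 100, "powershell.exe", r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
        ProcEvent(500, 100, "powershell.exe", r"powershell.exe -ep bypass -File C:\build\build.ps1"),
    ]


if __name__ == "__main__":
    for pid, reasons in review_process_events(sample_events()).items():
        print(pid, "->", "; ".join(reasons))
```

Only pid 300 collects all three reasons; pid 500 shows why the policy override alone is a weak signal, since build and admin scripts set it routinely, and it is the script-host parent plus the staging fetch that separate the Crypter chain from ordinary administration.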

 

PingPull (RAT)

PingPull has the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2). While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks. This blog provides a detailed breakdown of this new tool as well as the GALLIUM group's recent infrastructure. Unit42

  • Total number of detection methods: 4
  • Kill chain phase(s): command and control
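The ICMP channel described above is hard to see for exactly the reason the excerpt gives: most networks pass echo traffic without inspecting it. The following is an added example, not Stamus Networks or Unit42 code, that reviews constructed ICMP echo records for three signs that a flow carries more than a ping: a request payload that does not match a stock ping tool's pattern, a high-entropy payload, and an echo reply whose data differs from the request it answers. The record layout, the two stock-ping payload shapes and the entropy thresholds are assumptions for the illustration; the addresses and payloads are constructed.

```python
"""Heuristic review of ICMP echo telemetry for tunneling indicators.

Added example, not Stamus Networks or Unit42 code. The record layout, the
stock-ping shapes and the thresholds are assumptions; the records are constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Stock ping payloads treated as benign (assumption: only these two shapes are recognised).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping.exe default, 32 bytes
LINUX_PING_TIMESTAMP_LEN = 16  # iputils ping on 64-bit: 16-byte timestamp, then byte i == i
LINUX_PING_DATA_LEN = 56

ENTROPY_MIN_LEN = 64     # only judge entropy on payloads at least this long
ENTROPY_THRESHOLD = 6.0  # bits per byte; stock pings sit well below this


@dataclass(frozen=True)
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_stock_ping(payload: bytes) -> bool:
    """True when the payload matches a stock Windows or iputils ping pattern."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    if len(payload) == LINUX_PING_DATA_LEN:
        tail = payload[LINUX_PING_TIMESTAMP_LEN:]
        return tail == bytes(range(LINUX_PING_TIMESTAMP_LEN, LINUX_PING_DATA_LEN))
    return False


def review_icmp(records):
    """Group echo traffic by (requester, responder) and return the reasons each
    flow looks like something other than plain ping; benign flows are omitted."""
    requests = {}  # (src, dst, ident, seq) -> request payload
    reasons = defaultdict(set)
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            flow = (r.src, r.dst)
            requests[(r.src, r.dst, r.ident, r.seq)] = r.payload
            if not looks_like_stock_ping(r.payload):
                reasons[flow].add("non-stock payload")
            if len(r.payload) >= ENTROPY_MIN_LEN and shannon_entropy(r.payload) > ENTROPY_THRESHOLD:
                reasons[flow].add("high-entropy payload")
        elif r.icmp_type == ECHO_REPLY:
            flow = (r.dst, r.src)  # the reply travels back to the requester
            sent = requests.get((r.dst, r.src, r.ident, r.seq))
            # RFC 792: an echo reply returns the request data unchanged, so a
            # differing reply payload means the responder is adding its own content.
            if sent is not None and sent != r.payload:
                reasons[flow].add("reply payload differs from request")
    return {flow: sorted(rs) for flow, rs in reasons.items() if rs}


def sample_records():
    """Constructed telemetry: two stock pings and one flow carrying arbitrary data."""
    linux_payload = bytes(16) + bytes(range(16, 56))  # zeroed timestamp + iputils pattern
    carried = bytes(range(0, 256, 2))                 # 128 distinct bytes, not a ping pattern
    answered = bytes(range(1, 256, 2))                # responder returns different data
    return [
        IcmpRecord("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD),
        IcmpRecord("10.0.0.1", "10.0.0.5", ECHO_REPLY, 1, 1, WINDOWS_PING_PAYLOAD),
        IcmpRecord("10.0.0.6", "10.0.0.1", ECHO_REQUEST, 2, 1, linux_payload),
        IcmpRecord("10.0.0.1", "10.0.0.6", ECHO_REPLY, 2, 1, linux_payload),
        IcmpRecord("10.0.0.7", "203.0.113.9", ECHO_REQUEST, 3, 1, carried),
        IcmpRecord("203.0.113.9", "10.0.0.7", ECHO_REPLY, 3, 1, answered),
    ]


if __name__ == "__main__":
    for flow, why in review_icmp(sample_records()).items():
        print(f"{flow[0]} -> {flow[1]}: {', '.join(why)}")
```

The reply-mismatch check is the strongest of the three, because the protocol itself requires the responder to return the request data unchanged; the shape and entropy checks will also fire on legitimate tools that use custom ping payloads, so they are better used to rank flows for review than as standalone alerts.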

 

LingyunNet (Trojan)

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky

  • Total number of detection methods: 3
  • Kill chain phase(s): command and control

 

Loxes (Trojan)

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky

Loxes - microsoft
  • Total number of detection methods: 5
  • Kill chain phase(s): command and control
  • MITRE ATT&CK: T1041

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

APT28 (APT)

APT28 (also known as Fancy Bear/Sofacy/Strontium) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment.

This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. APT28 has been active since at least 2004.

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 1

 

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery
  • MITRE ATT&CK added: T1001
  • Previously existing MITRE ATT&CK: T1041, T1587, T1001, T1573
  • Methods added: 2

 

Delf (Data Theft)

Delf is a large family of malicious programs, many of which are associated with data theft. F-secure

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): installation, command and control, delivery, actions on objectives
  • Methods added: 12

 

GCleaner (Trojan)

G-Cleaner is promoted as an app that supposedly speeds up and optimizes Windows computers. It is promoted as a legitimate application (and its appearance may suggest this) and has a website from which it can be downloaded. In fact, its installation setup also contains a malicious program. G-Cleaner is installed together with AZORult, a trojan-type malicious program. Pcrisk

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): delivery
  • Methods added: 1

 

KONNI (RAT)

KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes. KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 1

 

Remcos (RAT)

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.

Remcos has been observed being used in malware campaigns.

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 2

 

SharpPanda (APT)

Check Point Research identified an ongoing surveillance operation targeting a Southeast Asian government. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with the chain of in-memory loaders to attempt and install a previously unknown backdoor on victim’s machines. Checkpoint

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): delivery
  • Methods added: 1

 

SideWinder (APT)

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 1

 

Smoke Loader (Downloader)

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives
  • Methods added: 1

 

Stealer and Exfiltration (Data Theft)

The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.

Info stealers may use many methods of data acquisition. The most common are:

- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that add extra fields to web forms and submit information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- keylogging
- stealing passwords saved in the system and cookies

Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by a command sent from the Command and Control server (C&C). Malwarebytes

  • Added kill chain phase(s): actions on objectives, command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, installation, exploitation
  • Methods added: 4

 

Trojan Agent (Trojan)

Again, the generic nature of this detection means that the payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
- redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive. Microsoft

  • Added kill chain phase(s): command and control, actions on objectives
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery, installation
  • Methods added: 3

 

TrojanSpy-Android (Data Theft)

Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives, delivery
  • Methods added: 17

 

Vidar (Data Theft)

 

Vidar (also known as Vidar Stealer) is a trojan (a malicious program) commonly used by cyber criminals. The program steals various personal information from users who have computers infected with the virus. Pcrisk

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 1

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

 

 

| Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated |
|---|---|---|---|---|---|---|---|
| APT28 | 1 | actions on objectives | tcp-pkt | 305 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2022-06-23 |
| Cobalt Strike | 2 | command and control | http, dns | 363 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-06-25 |
| DOUBLEBACK | 2 | command and control | tls, http | 2 | command and control | tls, http | 2022-06-21 |
| Delf | 12 | command and control | http, dns | 104 | actions on objectives, command and control, delivery, installation | dns, http, smtp, tcp, tcp-pkt, tls | 2022-06-25 |
| GALLIUM | 2 | command and control | dns | 2 | command and control | dns | 2022-06-21 |
| GCleaner | 1 | delivery | http | 9 | delivery | http | 2022-06-22 |
| KONNI | 1 | delivery | http | 18 | actions on objectives, command and control, delivery | dns, ftp, http | 2022-06-23 |
| Kinsing | 4 | command and control | dns | 6 | command and control | dns | 2022-06-21 |
| LingyunNet | 3 | command and control | http, udp | 3 | command and control | http, udp | 2022-06-21 |
| Loxes | 5 | command and control | http | 5 | command and control | http | 2022-06-21 |
| MegalodonHTTP | 5 | command and control | http | 5 | command and control | http | 2022-06-21 |
| PingPull | 4 | command and control | icmp, http, tcp | 4 | command and control | icmp, http, tcp | 2022-06-21 |
| Remcos | 2 | command and control | tcp | 820 | command and control, delivery | dns, http, tcp | 2022-06-22 |
| SharpPanda | 1 | command and control | http | 3 | command and control, delivery | http | 2022-06-24 |
| SideWinder | 1 | command and control | dns | 82 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-24 |
| Smoke Loader | 1 | command and control | http | 68 | actions on objectives, command and control, delivery | http, tcp, tls | 2022-06-23 |
| Snip3 | 2 | command and control | dns | 2 | command and control | dns | 2022-06-21 |
| Stealer and Exfiltration | 4 | actions on objectives, command and control | tcp, smtp, ftp | 219 | actions on objectives, command and control, exploitation, installation | dns, ftp, http, smtp, tcp, tls | 2022-06-23 |
| Symbiote | 5 | command and control | dns | 5 | command and control | dns | 2022-06-21 |
| Trojan Agent | 3 | command and control, actions on objectives | http | 336 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, udp | 2022-06-24 |
| TrojanSpy-Android | 17 | command and control | dns | 372 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-06-23 |
| Vidar | 1 | command and control | http | 17 | actions on objectives, command and control, delivery | dns, http, tls | 2022-06-25 |

 
