6-September-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 538
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus NDR this past week:
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets. [MITRE] (https://attack.mitre.org/groups/G0142/)
Confucius - malpedia |
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes
Loaders, for the most part, have one job: grab malicious executables or payloads from an attacker-controlled server. But that doesn’t mean there isn’t more happening under the hood of some, such as a user-friendly UI, self-healing capabilities, or the equivalent of a retail shop where a botmaster can sell his bots to potential clients.
Loaders are essentially basic remote access Trojans that give an attacker the ability to remotely interact with and control a compromised computer, or bot. While traditionally lightweight (smaller than 50 KB in size) in order to bypass detection by antivirus and other security monitoring technology, loaders evolve, and their viability to cybercriminals remains. Flashpoint
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card. Malwarebytes
Atomsilo - MITRE - Phishing | Atomsilo - MITRE - Data Encrypted for Impact | Atomsilo - MITRE - System Information Discovery | Atomsilo - MITRE - File and Directory Discovery | Atomsilo - MITRE - Malicious File | Atomsilo - MITRE - User Execution | Atomsilo - MITRE - Ingress Tool Transfer | Atomsilo - MITRE - Multi-Stage Channels |
SmsSend is a malicious mobile application that reaps profit by silently sending SMS messages to premium-rate numbers. fsecure
SmsSend - microsoft | SmsSend - MITRE - SMS Messages | SmsSend - MITRE - SMS Control | SmsSend - MITRE - Collection |
These programs have various functions, such as concealing files in the system, hiding the windows of running applications, or terminating active processes. The group includes cryptocurrency miners that generate coins using the target device’s resources. Cybercriminals usually use them in stealth mode. They are not malicious in themselves. Unlike NetTool, such programs are designed to operate locally. Kaspersky
Programs of this type are used to send text messages from infected mobile devices to premium rate numbers that are hard code into the Trojan’s body. Kaspersky
TrojanSMS - MITRE - SMS Messages | TrojanSMS - MITRE - SMS Control | TrojanSMS - MITRE - Collection |
An SMS Flooder is a trojan that sends a massive amount of SMS messages to a single or multiple targets. A big amount of SMS messages can cause a lot of inconvenience and annoyance and in some cases crash specific hardware or perform a denial of service attack on a service. Fsecure
SMSFlooder - MITRE - SMS Messages | SMSFlooder - MITRE - SMS Control | SMSFlooder - MITRE - Collection | SMSFlooder - github |
Malware of this family steals user names and passwords used for online banking services, and also attempts to obtain data about the user’s bank card (cardholder name, card number, CVV, and expiration date). Kaspersky
Bray - microsoft | Bray - bleepingcomputer | Bray - MITRE - SMS Messages | Bray - MITRE - SMS Control | Bray - MITRE - Collection |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Malware of this family uses advertising as its main monetization method. The malware uses different methods to display as many ads as possible to the user, including by installing new adware.
These Trojans can get root privileges in order to hide in the system folder, which makes the Trojans very difficult to remove. Kaspersky
This family consists of malware that runs on the Android operating system. The malware is used to steal user payment information. This malware is distributed by means of phishing SMS messages that prompt the user to download photos. Kasperski
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them. Kaspersky
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
In the world of cybersecurity, a backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application. Once they're in, cybercriminals can use a backdoor to steal personal and financial data, install additional malware, and hijack devices. [Malwarebytes] (https://www.malwarebytes.com/backdoor/)
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. MITRE
Erbium is a piece of malicious software classified as a stealer. Malware within this category is designed to extract vulnerable data from infected devices. Our researchers discovered Erbium while inspecting malware-selling hotspots. Pcrisk
Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data. Kaspersky
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise. MITRE
Malware of this family consists of Trojans that use anti-emulation, anti-debugging, and code obfuscation to prevent their analysis. Kaspersky
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more. Malwarebytes
The Sabsik virus is a type of malware that is used as advanced espionage tool capable of learning your passwords, credit and debit card numbers, and other sensitive info about you. The methods used by the Sabsik Scam are keylogging, presenting the user with phishing forms, and screen-monitoring. Howtoremove
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Malware in this family obtains administrator rights on an infected device in a hidden way. The malware then shows a fake web page that is designed to fool the user. Using administrator rights, the malware intercepts requests when the user tries to access paid online services and online banks, such as Sberbank, Privat24, and Play Market. Trojan-Banker.AndroidOS.Svpeng intercepts a request and asks the user to enter his or her banking information.
This malware uses special methods to resist removal. For example, the program can:
Prevent the user from opening the settings window (by closing the window as soon as the user opens it). Deceive the user by stating that device settings will be lost (factory reset). Display a message that the user is entering an incorrect password, even though the password is the correct one. Kaspersky
DPRK APT actor tracked by Proofpoint as TA444 Malpedia
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage” (blocked or encrypted), the user will receive a ransom demand.
The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance. Kaspersky
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
ESET researchers recently discovered a previously undocumented botnet that we have named VictoryGate. It has been active since at least May 2019 and, since then, three different variants of the initial module have been identified, in addition to approximately 10 secondary payloads that are downloaded from file hosting websites. The initial module is detected by ESET security products as MSIL/VictoryGate. ESET
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| ActionLoader | 3 | command and control | http, dns | 3 | command and control | http, dns | 2022-08-30 |
| Android Trojan Agent | 1 | command and control | dns | 178 | actions on objectives, command and control, delivery | dns, http, tcp | 2022-08-30 |
| Asacub | 1 | command and control | dns | 507 | command and control | dns, http | 2022-08-31 |
| Atomsilo | 1 | command and control | http | 1 | command and control | http | 2022-08-30 |
| Backdoor | 3 | command and control | tls, dns, http | 366 | actions on objectives, command and control, delivery, installation | dns, ftp, http, icmp, smtp, tcp, tls, udp | 2022-08-31 |
| Banker Stealer | 6 | command and control | http, dns | 193 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2022-09-01 |
| Basdoor | 2 | command and control | dns | 10 | command and control | dns, tcp, tls | 2022-08-31 |
| Bray | 2 | command and control | http | 7 | command and control | http | 2022-08-30 |
| CargoBay | 4 | command and control, actions on objectives | http | 4 | command and control, actions on objectives | http | 2022-08-30 |
| Cobalt Strike | 3 | command and control | dns | 379 | actions on objectives, command and control, delivery, exploitation | dns, http, smb, tcp, tls, udp | 2022-09-03 |
| Confucius | 5 | command and control | dns, http | 5 | command and control | dns, http | 2022-08-30 |
| Erbium | 2 | command and control | http, tls | 5 | command and control | dns, http, tls | 2022-09-02 |
| Hqwar | 1 | command and control | http | 41 | actions on objectives, command and control | dns, http, tls | 2022-08-30 |
| Kimsuky | 1 | actions on objectives | http | 98 | actions on objectives, command and control, delivery | dns, ftp, ftp-data, http, tls | 2022-08-31 |
| Kryptik | 2 | command and control | http | 88 | actions on objectives, command and control, delivery | http, smtp, tcp, tcp-pkt, tls | 2022-09-03 |
| NetSupport RAT | 2 | command and control, exploitation | http | 9 | actions on objectives, command and control, exploitation | dns, http, tls | 2022-08-30 |
| Piom | 1 | command and control | dns | 18 | command and control | dns, http | 2022-08-31 |
| Realrat | 1 | command and control | dns | 33 | command and control | dns, tls | 2022-08-31 |
| RiskTool | 58 | command and control, installation, delivery, actions on objectives | http | 58 | command and control, installation, delivery, actions on objectives | http | 2022-08-30 |
| SMSFlooder | 4 | command and control | http | 4 | command and control | http | 2022-08-30 |
| Sabsik | 2 | actions on objectives, command and control | http, tcp | 14 | actions on objectives, command and control, delivery, installation | http, tcp, tcp-pkt | 2022-09-03 |
| SmsSend | 31 | delivery, command and control, actions on objectives | http, dns, tcp | 31 | delivery, command and control, actions on objectives | http, dns, tcp | 2022-08-30 |
| SocGholish | 8 | command and control | dns, tls, http | 96 | command and control, delivery, reconnaissance | dns, http, tcp, tls | 2022-09-03 |
| Stealer and Exfiltration | 1 | actions on objectives | http | 224 | actions on objectives, command and control, exploitation, installation | dns, ftp, http, smtp, tcp, tcp-pkt, tls | 2022-09-03 |
| Svpeng | 3 | command and control | dns, http | 11 | command and control | dns, http | 2022-09-01 |
| TA444 | 13 | command and control | dns | 51 | command and control | dns, http | 2022-09-02 |
| Trojan Downloader | 2 | command and control | http | 203 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-09-02 |
| Trojan Dropper | 3 | delivery | dns | 271 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-08-31 |
| Trojan-Ransom-Android | 2 | command and control | dns | 15 | actions on objectives, command and control | dns, http, tcp, tls | 2022-08-31 |
| TrojanSMS | 100 | command and control, actions on objectives | http, dns | 100 | command and control, actions on objectives | http, dns | 2022-08-30 |
| TrojanSpy-Android | 12 | command and control | dns, http, tls | 383 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-09-01 |
| VictoryGate | 1 | command and control | tcp | 4 | command and control, delivery | tcp | 2022-09-03 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
