8-November-2022
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 591
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
Since late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The activity Proofpoint associates with TA4563 has some overlap with activity publicly associated with a group referred to as DeathStalker and EvilNum. The activity described in this report has some overlap with EvilNum activity publicly reported by Zscaler in June 2022.
Proofpoint
Nuages aims at being a C2 framework in which back end elements are open source, whilst implants and handlers must be developed ad hoc by users. As a result, it does not provide a way to generate implants, but an open source framework to develop and manage compatible implants that can leverage all the back end resources already developed. Nuages does abstraction of the different layers so that paylaoads implemented are indifferent to the handlers and implants that are used to carry them. Github
Current TA543 campaigns delivering JSSLoader are using similar lures to those observed by Proofpoint researchers in 2019 and the emails continue to contain links to a TDS landing page. Proofpoint
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE
A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them. Kaspersky
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Delf is a large family of malicious programs, many of which are associated with data theft. F-secure
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Trendmicro
HiddenApp is a type of Trojan that will install additional apps or libraries without user’s knowledge and consent. Often the payloads will contain additional malware or adware. Malwarebytes
Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services. Zscaler
Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. MITRE
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
Unit 42 also discovered a custom remote access Trojan/backdoor containing a unique command and control (C2) protocol. Based on the strings within the binary as well as the functionality, we’ve opted to name it ROMCOM RAT. Unit42
Sliver is an open source, cross-platform adversary emulation/red team platform, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Github
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
Its first known detection goes back to May 31, 2011, according to Microsoft Malware Protection Center. This Trojanware opens up an Internet Explorer browser to a predefined page (like to i.163vv.com/?96). Trojan Files with the LNK extension (expression) is a Windows shortcut to a malicious file, program, or folder. A LNK file of this family launches a malicious executable or may be dropped by other malware. These files are mostly used by worms to spread via USB drives (i.e.). Wikipedia
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors. MITRE
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT35 | 14 | command and control | dns | 192 | command and control, delivery | dns, ftp, http, tcp, tls | 2022-11-01 |
| Android Trojan Downloader | 1 | command and control | tls | 39 | actions on objectives, command and control, delivery | dns, http, tls | 2022-11-05 |
| Backdoor | 1 | command and control | dns | 370 | actions on objectives, command and control, delivery, installation | dns, ftp, http, icmp, smtp, tcp, tls, udp | 2022-11-05 |
| Banker Stealer | 7 | command and control | dns, http | 213 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2022-11-05 |
| Delf | 1 | command and control | tcp-pkt | 108 | actions on objectives, command and control, delivery, installation | dns, http, smtp, tcp, tcp-pkt, tls | 2022-11-05 |
| FlyStudio | 1 | command and control | tcp | 30 | actions on objectives, command and control, delivery | http, smtp, tcp | 2022-11-04 |
| Hiddapp | 1 | command and control | dns | 32 | actions on objectives, command and control | dns, http, tcp | 2022-11-05 |
| Joker | 1 | command and control | dns | 33 | actions on objectives, command and control | dns, ftp, http, tls | 2022-11-05 |
| Molerats | 9 | command and control | dns | 62 | command and control, delivery | dns, http, tls | 2022-11-02 |
| Nuages | 2 | command and control | http | 2 | command and control | http | 2022-11-01 |
| Piom | 2 | command and control | dns | 30 | command and control | dns, http, tls | 2022-11-05 |
| ROMCOM | 3 | command and control | dns | 11 | command and control | dns | 2022-11-05 |
| Sliver Framework | 14 | command and control | http | 451 | command and control | dns, http, tls | 2022-11-01 |
| SocGholish | 3 | command and control | dns | 179 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tls | 2022-11-03 |
| Startpage | 1 | command and control | http | 27 | command and control, delivery | http, tls | 2022-11-03 |
| Stealer and Exfiltration | 1 | command and control | http | 230 | actions on objectives, command and control, exploitation, installation | dns, ftp, http, smtp, tcp, tcp-pkt, tls | 2022-11-05 |
| TA4563 | 3 | command and control | dns | 3 | command and control | dns | 2022-11-01 |
| TA543 | 1 | command and control | dns | 2 | command and control | dns | 2022-11-01 |
| Trojan Agent | 2 | command and control | tcp, http | 367 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, udp | 2022-11-02 |
| Trojan Dropper | 5 | delivery, command and control | dns, http | 290 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2022-11-05 |
| TrojanSpy-Android | 3 | command and control | http, dns | 430 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2022-11-05 |
| Ursnif | 82 | command and control | dns, tls, http | 465 | actions on objectives, command and control, delivery, weaponization | dns, http, tcp, tls, udp | 2022-11-05 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
