27-June-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 779
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform (SSP) this past week:
This file infector arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes registry entries related to antivirus programs. Doing this allows this malware to execute its routines without being detected by installed antivirus programs. It creates certain registry entries to disable applications related to security. Trendmicro
The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions. Malpedia
On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors. Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China. Mandiant
Spark is a free, safe, open-source, web-based, cross-platform and full-featured RAT (Remote Administration Tool) that allow you to control all your devices via browser anywhere. Github
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. MITRE
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. Malpedia
Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals distribute Glupteba through malicious advertisements that can be injected into legitimate websites or advertising networks. Research shows that Glubteba can be used to distribute a browser stealer or router exploiter. In any case, this malware should be uninstalled immediately. Pcrisk
The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S. IcedID has since continued to evolve, and while one of its more recent versions became active in late-2019, X-Force researchers have identified a new major version release that emerged in 2020 with some substantial changes. securityintelligence.com
Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities. Malpedia
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE
A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Kaspersky
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors. MITRE
During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT. Cyble
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| Bahamut | 1 | command and control | dns | 28 | command and control, delivery | dns, http, tls | 2023-06-20 |
| Banker Stealer | 1 | command and control | dns | 240 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2023-06-20 |
| Calisto | 17 | command and control | dns | 22 | command and control | dns | 2023-06-20 |
| DanaBot | 1 | command and control | http | 58 | actions on objectives, command and control, delivery, installation | http, tcp, tcp-pkt, tls | 2023-06-21 |
| Glupteba | 2 | command and control | tls | 67 | command and control | dns, http, tcp, tls | 2023-06-23 |
| IcedID | 2 | command and control | dns | 463 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2023-06-23 |
| Lumma | 1 | installation | http | 6 | actions on objectives, command and control, installation | dns, http | 2023-06-24 |
| MalDoc | 2 | delivery | http | 493 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2023-06-22 |
| Pift | 4 | command and control | http, dns | 4 | command and control | http, dns | 2023-06-20 |
| Piom | 1 | command and control | http | 44 | command and control | dns, http, tls | 2023-06-20 |
| SocGholish | 8 | command and control | dns, http | 344 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-06-24 |
| SparkRAT | 1 | command and control | dns | 1 | command and control | dns | 2023-06-20 |
| TrojanSpy-Android | 294 | command and control | dns, http | 794 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls | 2023-06-23 |
| UNC4841 | 15 | command and control | tcp-pkt, dns | 15 | command and control | tcp-pkt, dns | 2023-06-20 |
| Ursnif | 2 | command and control | tls | 515 | actions on objectives, command and control, delivery, installation, weaponization | dns, http, tcp, tls, udp | 2023-06-23 |
| XWorm | 14 | command and control | tcp-pkt | 690 | command and control, delivery | dns, http, tcp, tcp-pkt | 2023-06-23 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks is the global leader in Suricata-based network security and the creator of the innovative Clear NDR™ system. Designed to close visibility gaps and reduce alert fatigue, Clear NDR transforms raw network traffic into actionable security insights with unmatched transparency, customization, and effectiveness. Trusted by leading financial institutions, government agencies, and participants in NATO’s largest cybersecurity exercises, Stamus Networks delivers proven, high-performance network detection and response solutions. Stamus empowers security teams – delivering clarity amidst complexity – with greater control, fewer false positives, faster response times, and a more responsive, open approach than legacy vendors.
© 2014-2025 Stamus Networks, Inc. All rights Reserved.
