
The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 789

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 6 (Crashedtech, Mystic Stealer, Gh0stBins, ThirdEye Stealer, JokerSpy, DynamicRAT)
  • Major changes to detection(s) [2]: 55
  • Updated threat detection(s) [3]: 67

 

Note: a "method" as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Stamus Security Platform (SSP) this past week:

 

Crashedtech (Loader)

The loader code is pretty straightforward: its main logic consists of two steps. First, it does a check-in providing user-name, OS version, and public IP information to the "/addnew.php" endpoint on the C2, then it parses the server response to extract the location where to download further payloads. After this, it downloads the payload and executes it through the "Process.Start" .NET API. Medium (https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1)

Crashedtech - guidedhacking
  • Total number of detection methods: 2
  • Kill chain phase(s): command and control
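The two-step behaviour described above (check-in to "/addnew.php", then fetch and run a payload from the location the C2 returns) is the kind of sequence a network detection can key on. The following is an added example, not Stamus Networks' detection logic and not the loader author's code: it reads Suricata-style EVE JSON "http" records (the event format the Stamus Security Platform is built on), flags a request to the check-in path named in the Medium write-up, and then looks for an executable download by the same source host within a short window. The records, hostnames and addresses are constructed for the example, and the 120-second window is an assumption.

```python
"""Correlate a Crashedtech-style check-in with the follow-on payload download.

Added example (not Stamus Networks' or the loader author's code). Reads
Suricata-style EVE JSON "http" records, flags a request to the "/addnew.php"
check-in endpoint named in the Medium write-up, then looks for an executable
download by the same source host shortly afterwards. Records are constructed;
hostnames/addresses are placeholders; the window length is an assumption.
"""
import json
from datetime import datetime, timedelta

CHECKIN_URI = "/addnew.php"          # endpoint from the write-up
WINDOW = timedelta(seconds=120)      # assumption: payload fetch follows quickly

# Constructed EVE records: host A checks in and then fetches an .exe (hit);
# host B posts to the same path on an unrelated intranet site with no
# follow-on download (no hit); host C downloads an .exe with no check-in (no hit).
SAMPLE_EVE = """\
{"timestamp":"2023-07-05T10:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.15","dest_ip":"203.0.113.7","http":{"hostname":"c2.example.invalid","url":"/addnew.php","http_method":"POST","status":200,"length":64}}
{"timestamp":"2023-07-05T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.15","dest_ip":"203.0.113.9","http":{"hostname":"files.example.invalid","url":"/dl/update.exe","http_method":"GET","http_content_type":"application/octet-stream","status":200,"length":204800}}
{"timestamp":"2023-07-05T10:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.22","dest_ip":"198.51.100.4","http":{"hostname":"intranet.example.invalid","url":"/addnew.php","http_method":"POST","status":200,"length":120}}
{"timestamp":"2023-07-05T10:01:00.000000+0000","event_type":"http","src_ip":"10.0.0.30","dest_ip":"198.51.100.8","http":{"hostname":"vendor.example.invalid","url":"/setup/installer.exe","http_method":"GET","http_content_type":"application/x-msdownload","status":200,"length":5000000}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, attaching a parsed timestamp to each record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(ev)
    return events


def is_checkin(ev):
    """True for an HTTP request whose path (query string stripped) is the check-in endpoint."""
    h = ev.get("http", {})
    return ev.get("event_type") == "http" and h.get("url", "").split("?", 1)[0] == CHECKIN_URI


def is_exe_download(ev):
    """True for a GET that returns a Windows executable, by content type or by .exe path."""
    h = ev.get("http", {})
    if ev.get("event_type") != "http" or h.get("http_method") != "GET":
        return False
    ctype = h.get("http_content_type", "").lower()
    path = h.get("url", "").split("?", 1)[0].lower()
    return ctype in ("application/octet-stream", "application/x-msdownload") or path.endswith(".exe")


def correlate(events, window=WINDOW):
    """Return one hit per source host that checked in and then fetched an executable inside `window`."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e["_ts"]):
        by_src.setdefault(ev["src_ip"], []).append(ev)
    hits = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if not is_checkin(ev):
                continue
            for later in evs[i + 1:]:
                if later["_ts"] - ev["_ts"] > window:
                    break           # events are time-ordered, nothing later can match
                if is_exe_download(later):
                    hits.append({
                        "src_ip": src,
                        "c2": ev["http"].get("hostname"),
                        "payload": later["http"].get("hostname", "") + later["http"].get("url", ""),
                    })
                    break
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_eve(SAMPLE_EVE)):
        print(hit)
```

Requiring both steps from the same source is what keeps the benign intranet post to a path that happens to be called /addnew.php, and the unrelated installer download, out of the results; on real traffic the check-in match would normally be narrowed further (destination reputation, user-agent, POST body fields), since the path alone is not distinctive.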

 

Mystic Stealer (Data Theft)

A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions.

First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.

"The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week.

Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python.

Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat.

The Hacker News

Mystic Stealer - zscaler
  • Total number of detection methods: 1
  • Kill chain phase(s): command and control

 

Gh0stBins (RAT)

Gh0stBins is the name of a sophisticated Remote Access Trojan (RAT) written in the C++ programming language. Malware classed as such is designed to enable remote access and control over compromised machines. RATs are highly versatile malicious tools capable of performing a variety of actions on infected systems.

There is some evidence linking Gh0stBins to an unspecified Chinese threat actor.

pcrisk

Gh0stBins - anyrun
  • Total number of detection methods: 3
  • Kill chain phase(s): command and control, installation

 

ThirdEye Stealer (Data Theft)

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively few features.

The Hacker News

ThirdEye Stealer - fortinet
  • Total number of detection methods: 2
  • Kill chain phase(s): actions on objectives, command and control

 

JokerSpy (Rootkit)

A new and strange macOS malware called "JokerSpy" has been identified, with its first known backdoor creation hitting a crypto exchange. While Mac threats are relatively rare compared to Windows, the number of instances where macOS is the target has continued to grow. In a new discovery, it seems there's one more backdoor-creating malware to add to the list of potential threats.

Initially reported by researchers at Bitdefender, with independent research also carried out by Elastic Security Labs, the malware known as JokerSpy is still relatively unknown, in part due to a lack of samples. So far, Bitdefender is working on four samples in total, while Elastic focused on the breach of a "prominent Japanese cryptocurrency exchange."

As part of the malware's construction, it uses a binary called "xcc" that contains Mach-O files for x86 Intel and ARM M1 architectures, theoretically allowing it to work on Intel and Apple Silicon Macs. The file checks for permissions managed by Apple's Transparency, Consent, and Control system.

Apple Insider

JokerSpy - sentinelone | JokerSpy - bitdefender | JokerSpy - elastic
  • Total number of detection methods: 3
  • Kill chain phase(s): command and control

 

DynamicRAT (RAT)

DynamicRAT is malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions. Malpedia

DynamicRAT - gi7w0rm
  • Total number of detection methods: 1
  • Kill chain phase(s): command and control

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

AgentTesla (Data Theft)

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014. MITRE

  • Added kill chain phase(s): actions on objectives
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 1

 

Ducktail Stealer (Data Theft)

Since late 2021, samples associated with the DUCKTAIL operation were exclusively written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, including the main assembly. The usage of .NET Core and its single-file feature is not commonly seen in malware. WithSecure

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 1

 

Gamaredon (APT)

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): actions on objectives, command and control, delivery
  • Methods added: 2

 

MalDoc (Phishing)

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. MITRE

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): delivery, command and control, actions on objectives
  • Methods added: 1
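The MITRE text above lists the file types users are lured into executing and notes that adversaries masquerade the file to make it look harmless; the ThirdEye lure earlier on this page ("...pdf.exe") is exactly that pattern. The following is an added example, not Stamus Networks' code, of a check over Suricata-style EVE "fileinfo" records (the "filename" and "magic" fields are what Suricata emits when libmagic is enabled) for two masquerading patterns: a document extension immediately followed by an executable extension, and a document extension whose libmagic type says PE executable. The extension sets come from the MITRE list above; the records are constructed for the example.

```python
"""Flag files whose name claims a document type while the content is an executable.

Added example, not Stamus Networks' code. Scans Suricata-style EVE "fileinfo"
records for (1) a double extension such as ".pdf.exe", the ThirdEye lure form
reported by Fortinet, and (2) a document extension whose libmagic type is a
PE executable. Extension sets are taken from the MITRE list on this page; the
records below are constructed, and the "magic" strings are typical libmagic
output, not captured samples.
"""
import json
import os

EXEC_EXT = {".exe", ".scr", ".pif", ".cpl", ".lnk"}   # executable types from the MITRE list
DOC_EXT = {".doc", ".pdf", ".xls", ".rtf"}           # document types from the MITRE list

# Constructed records: the ThirdEye lure name (double extension, PE content),
# a .doc whose bytes are actually a PE (magic mismatch), a genuine PDF (clean),
# and a plain .exe that hides nothing (clean: it does not pretend to be a document).
SAMPLE_FILEINFO = """\
{"timestamp":"2023-07-05T09:00:00.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"10.0.0.15","app_proto":"http","fileinfo":{"filename":"CMK Правила оформления больничных листов.pdf.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":1245184}}
{"timestamp":"2023-07-05T09:00:10.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.6","dest_ip":"10.0.0.16","app_proto":"http","fileinfo":{"filename":"invoice.doc","magic":"PE32+ executable (console) x86-64, for MS Windows","size":98304}}
{"timestamp":"2023-07-05T09:00:20.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.7","dest_ip":"10.0.0.17","app_proto":"http","fileinfo":{"filename":"report.pdf","magic":"PDF document, version 1.7","size":40960}}
{"timestamp":"2023-07-05T09:00:30.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.8","dest_ip":"10.0.0.18","app_proto":"http","fileinfo":{"filename":"setup.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":2097152}}
"""


def masquerade_reasons(filename, magic=""):
    """Return the list of masquerading indicators for one file (empty if none)."""
    name = filename.lower()
    base, ext = os.path.splitext(name)       # outermost extension, e.g. ".exe"
    inner = os.path.splitext(base)[1]        # extension hidden before it, e.g. ".pdf"
    reasons = []
    if ext in EXEC_EXT and inner in DOC_EXT:
        reasons.append("double extension %s%s" % (inner, ext))
    if ext in DOC_EXT and magic.startswith("PE32"):
        reasons.append("document extension but PE content")
    return reasons


def scan_fileinfo(text):
    """Return (filename, reasons) for each fileinfo record with at least one indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev["fileinfo"]
        reasons = masquerade_reasons(fi.get("filename", ""), fi.get("magic", ""))
        if reasons:
            hits.append((fi["filename"], reasons))
    return hits


if __name__ == "__main__":
    for filename, reasons in scan_fileinfo(SAMPLE_FILEINFO):
        print(filename, "->", "; ".join(reasons))
```

The two checks are independent on purpose: the double-extension rule works even where libmagic is not enabled and only the name is visible (for example in an SMTP attachment name), while the magic check catches a renamed executable with a single, honest-looking document extension. Both are indicators of the masquerading MITRE describes rather than proof of malice, and belong in the delivery phase alongside the MalDoc methods counted above.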

 

Micropsia (RAT)

Micropsia is a remote access tool written in Delphi. MITRE

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, actions on objectives
  • Methods added: 20

 

Remcos (RAT)

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.

Remcos has been observed being used in malware campaigns.

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, delivery
  • Methods added: 2

 

SocGholish (Social Engineering)

It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control, exploitation, delivery, reconnaissance, actions on objectives
  • Methods added: 1

 

TA444 (APT)

DPRK APT actor tracked by Proofpoint as TA444. Malpedia

  • Added kill chain phase(s): command and control
  • Previously supported kill chain phase(s): command and control
  • Methods added: 26

 

Trojan Downloader (Downloader)

A Trojan downloader is a type of Trojan horse that downloads and installs files, often malicious programs. A Trojan horse is a type of software that looks legitimate but can be malicious in nature. Sometimes these programs can be downloaded onto a device without the user’s knowledge or consent. A Trojan’s purpose is to damage, disrupt, steal, or generally inflict some other harm on your computer and devices. Norton

  • Added kill chain phase(s): delivery
  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives, installation
  • Methods added: 1

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

Name of threat | New detection methods | New kill chain phases | New protocols involved | Total detection methods | Total kill chain phases | Total protocols involved | Last updated
--- | --- | --- | --- | --- | --- | --- | ---
AgentTesla | 1 | actions on objectives | http | 39 | actions on objectives, command and control | dns, ftp, http, smtp, tcp, tls | 2023-07-07
Crashedtech | 2 | command and control | dns, http | 2 | command and control | dns, http | 2023-07-05
Ducktail Stealer | 1 | command and control | tls | 4 | actions on objectives, command and control | dns, http, tls | 2023-07-04
DynamicRAT | 1 | command and control | tcp | 1 | command and control | tcp | 2023-07-05
Gamaredon | 2 | command and control | dns | 380 | actions on objectives, command and control, delivery | dns, http, tcp-pkt, tls | 2023-07-06
Gh0stBins | 3 | command and control, installation | tcp | 3 | command and control, installation | tcp | 2023-07-05
JokerSpy | 3 | command and control | dns, tls | 3 | command and control | dns, tls | 2023-07-05
MalDoc | 1 | delivery | http | 494 | actions on objectives, command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2023-07-07
Micropsia | 20 | command and control | dns | 58 | actions on objectives, command and control | dns, http, tls | 2023-07-08
Mystic Stealer | 1 | command and control | tcp | 1 | command and control | tcp | 2023-07-05
Remcos | 2 | command and control | tcp | 881 | command and control, delivery | dns, http, tcp, tcp-pkt | 2023-07-06
SocGholish | 1 | command and control | dns | 348 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-07-07
TA444 | 26 | command and control | dns | 432 | command and control | dns, http, tls | 2023-07-08
ThirdEye Stealer | 2 | actions on objectives, command and control | http | 2 | actions on objectives, command and control | http | 2023-07-05
Trojan Downloader | 1 | delivery | http | 252 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2023-07-07

 

Additional Resources

Technical support
Join the conversation on Discord
Follow us on Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
