01-August-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 808
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform (SSP) this past week:
DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.
The DDoSia project was launched on Telegram in early 2022. The NoName057(16) main group main Telegram channel reached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users. Administrators posted instructions for potential volunteers who want to participate in projects, and they added the possibility to pay in cryptocurrency for users who declare a valid TON wallet based on their contribution to the DDoS attacks.
DDosia - malpedia |
Threat Actors (TAs) use game installers to spread various malware because games have a wide user base, and users generally trust game installers as legitimate software. The social engineering tactics that TAs use exploit users’ trust and entice them to download and run malicious game installers. The large file size and games’ complexity provide TAs opportunities to hide malware within them.
Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more. Previously, Cyble Research and Intelligence Labs (CRIL) has discovered several malware campaigns that specifically target gamers and their game-related applications, including Enlisted, MSI Afterburner, FiveM Spoofer, and others.
Recently, CRIL identified a trojanized Super Mario Bros game installer that delivers multiple malicious components, including an XMR miner, SupremeBot mining client, and the Open-source Umbral stealer. The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e. This incident highlights another reason TAs utilize game installers as a delivery mechanism: the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.
SupremeBot - malpedia | SupremeBot - darkreading |
Rebate Informer is a potentially unwanted application created by Xacti LLC, which installs on Internet browsers (Internet Explorer, Google Chrome, and Mozilla Firefox) when users download or install free software.
Developers of this adware use a deceptive software marketing method called 'bundling', and thus, most users install the Rebate Informer plugin inadvertently without their consent. After successful infiltration, this add-on generates intrusive 'cash back' rebates, discount coupons, special promotions, and free shipping offers when users visit online shopping websites.
Furthermore, this plugin tracks users' Internet browsing activity by recording IP addresses, browser types, search terms, web pages visited, and other information.
CHAOS is a free and open-source Remote Administration Tool that allow generate binaries to control remote operating systems. Github
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them. Kaspersky
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
First analyzed in early 2014 [1] [2], the Blackmoon banking Trojan targets a user’s online banking credentials using a type of pharming that involves modifying or replacing the local Hosts file with one that redirects online banking domain lookups to an IP address controlled by the attacker. Blackmoon has been observed targeting primarily customers of South Korean online banking sites and services, and is usually distributed via drive-by download. Proofpoint
A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. Malpedia
Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.
Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.
Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".
Voice phishing attacks have a long history in the South Korean market. According to the report published on the South Korean government website, financial losses due to voice phishing constituted approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020.
Check Point Research discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis (also called evasions) techniques. The malware developers paid special attention to the protection of their malware, using several unique evasions that we had not previously seen in the wild. Check Point Research
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. MITRE
Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals distribute Glupteba through malicious advertisements that can be injected into legitimate websites or advertising networks. Research shows that Glubteba can be used to distribute a browser stealer or router exploiter. In any case, this malware should be uninstalled immediately. Pcrisk
Shipping companies and medical laboratories in Asia are being targeted in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools.
Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines.
This activity has been ongoing since at least October 2022. While Symantec, by Broadcom Software, did not see any data being exfiltrated in this campaign, the targets, as well as some of the tools used, indicate that the most likely motivation in this campaign is intelligence gathering. Symantec
The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S. IcedID has since continued to evolve, and while one of its more recent versions became active in late-2019, X-Force researchers have identified a new major version release that emerged in 2020 with some substantial changes. securityintelligence.com
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise. MITRE
NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013. Nanocore
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. TrendMicro
It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT). Malwarebytes
The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker form grabbing (finding specific opened windows and stealing their content) keylogging stealing passwords saved in the system and cookies Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C). Malwarebytes
Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts. PFPT
Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as "TraderTraitor."
The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. CISA
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
A dropper is a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) to a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated (two stage). Wikipedia
Malicious programs of this family secretly send information to the criminal from the user’s infected Android mobile device. Kaspersky
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| Backdoor | 2 | command and control | dns, tls | 389 | actions on objectives, command and control, delivery, installation | dns, ftp, http, icmp, smtp, tcp, tls, udp | 2023-07-29 |
| Banker Stealer | 8 | command and control | http, dns, tls | 248 | actions on objectives, command and control, delivery | dns, http, smtp, tcp, tls | 2023-07-29 |
| Blackmoon | 2 | command and control | tls, dns | 55 | actions on objectives, command and control, delivery, installation | dns, http, smtp, tcp, tcp-pkt, tls | 2023-07-29 |
| CHAOS RAT | 2 | command and control | http | 2 | command and control | http | 2023-07-26 |
| CryptBot | 1 | command and control | http | 25 | actions on objectives, command and control, delivery | dns, http | 2023-07-25 |
| DDoSia | 2 | command and control, delivery | http | 2 | command and control, delivery | http | 2023-07-26 |
| Fake Browser | 6 | delivery, command and control | dns, tls | 10 | command and control, delivery | dns, http, tls | 2023-07-25 |
| FakeCalls | 1 | command and control | http | 19 | command and control | dns, http | 2023-07-29 |
| Gamaredon | 1 | delivery | http | 403 | actions on objectives, command and control, delivery | dns, http, tcp-pkt, tls | 2023-07-28 |
| Glupteba | 1 | command and control | tls | 69 | command and control | dns, http, tcp, tls | 2023-07-26 |
| Hydrochasma APT | 1 | command and control | tcp | 2 | command and control | tcp | 2023-07-28 |
| IcedID | 14 | command and control | dns, tls | 486 | actions on objectives, command and control, delivery | dns, http, tcp, tls | 2023-07-29 |
| Kimsuky | 27 | actions on objectives, command and control | http, dns, tls | 149 | actions on objectives, command and control, delivery | dns, ftp, ftp-data, http, tls | 2023-07-27 |
| NanoCore | 14 | command and control | tcp | 65 | command and control | dns, tcp, tls | 2023-07-27 |
| PennyWise | 1 | actions on objectives | http | 4 | actions on objectives | http | 2023-07-29 |
| Raspberry Robin | 1 | command and control | http | 277 | command and control | dns, http | 2023-07-28 |
| Rebate Informer | 1 | command and control | http | 1 | command and control | http | 2023-07-26 |
| SocGholish | 2 | command and control | tls | 356 | actions on objectives, command and control, delivery, exploitation, reconnaissance | dns, http, tcp, tcp-pkt, tls | 2023-07-27 |
| Stealer and Exfiltration | 1 | actions on objectives | http | 340 | actions on objectives, command and control, delivery, exploitation, installation | dns, ftp, http, smtp, tcp, tcp-pkt, tls | 2023-07-26 |
| SupremeBot | 4 | command and control | dns, http | 4 | command and control | dns, http | 2023-07-26 |
| TA456 | 2 | command and control | tls | 25 | command and control, delivery | dns, http, tls | 2023-07-28 |
| TraderTraitor | 24 | command and control | dns, tls | 41 | command and control | dns, http, tls | 2023-07-27 |
| Trojan Agent | 1 | command and control | http | 388 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, tls, udp | 2023-07-26 |
| Trojan Dropper | 2 | delivery | dns | 302 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls, udp | 2023-07-29 |
| TrojanSpy-Android | 7 | command and control | http, dns, tls | 801 | actions on objectives, command and control, delivery, installation | dns, http, tcp, tls | 2023-07-29 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response.
© 2014-2024 Stamus Networks, Inc. All rights Reserved.
