29-August-2023
Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.
Current Stamus Threat Intelligence (STI) release version: 830
This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):
Note: a "method" as referenced below, is a discrete detection vector for a given threat.
The following detections were added to your Stamus Security Platform this past week:
Zscaler ThreatLabz has discovered a new malware variant, RedEnergy stealer (not to be confused with the australian company Red Energy) that fits into the hybrid Stealer-as-a-Ransomware threat category.
RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.The name of the malware was kept due to the common method names observed during the analysis. Zscaler
In computing, a Trojan horse (or simply trojan) is any malware which misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity. It can also delete a user's files or infect other devices connected to the network. Ransomware attacks are often carried out using a trojan.
RemoteSpy - Microsoft |
The malware, first discovered by security researcher iamdeadlyz, is distributed to both Windows and macOS users in the form of fake blockchain games using names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. These games are promoted on social media, with the threat actors using direct messages to share access codes required to download the fake game client from associated websites. Bleepingcomputer
JanelaRAT involves several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack. Zscaler
JanelaRAT - Malpedia |
The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. MITRE
Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Standard Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.
IIS Raid is a native IIS module that abuses the extendibility of IIS to backdoor the web server and carry out custom actions defined by an attacker. Github
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions.
First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.
"The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week.
Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python.
Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat.
PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. MITRE
Spark is a Windows backdoor and has been in use since as early as 2017. MITRE
DPRK APT actor tracked by Proofpoint as TA444 Malpedia
Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts. PFPT
Again, the generic nature of this detection means that the Payloads performed by this group of trojans may be highly variable, and therefore difficult to describe specifically. This group of trojans has been observed to perform any, or all, of the following actions:
redirect Web traffic
- manipulate certain Windows or third-party applications including settings or configurations
- drop or install additional malicious programs
- download and run additional malicious programs
Please note that this list is not exhaustive.
Microsoft
During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT. Cyble
The following threat detection(s) were improved this past week with new or updated threat methods.
| Name of threat | New coverage | Total coverage | Last updated | ||||
|---|---|---|---|---|---|---|---|
| New Detection methods | Kill chain phases | Protocols involved | Detection methods | Kill chain phases | Protocols involved | ||
| APT35 | 3 | command and control | dns, tls, http | 481 | command and control, delivery | dns, ftp, http, tcp, tls, udp | 2023-08-22 |
| Command and Control | 1 | command and control | tls | 283 | actions on objectives, command and control, delivery, installation | dns, http, tls | 2023-08-23 |
| IIS-Raid | 1 | command and control | http | 5 | command and control, delivery | http | 2023-08-24 |
| JanelaRAT | 1 | command and control | http | 1 | command and control | http | 2023-08-24 |
| Mystic Stealer | 1 | command and control | http | 2 | command and control | http, tcp | 2023-08-24 |
| PlugX | 1 | command and control | udp | 127 | command and control, delivery | dns, http, tcp, tcp-pkt, tls, udp | 2023-08-24 |
| Realst | 1 | command and control | http | 1 | command and control | http | 2023-08-24 |
| RedEnergy Stealer | 1 | delivery | http | 1 | delivery | http | 2023-08-24 |
| RemoteSpy | 1 | actions on objectives | http | 1 | actions on objectives | http | 2023-08-24 |
| Spark | 2 | command and control | http | 8 | command and control | dns, http, tls | 2023-08-22 |
| TA444 | 14 | command and control | dns, tls, http | 1172 | command and control | dns, http, tls | 2023-08-26 |
| TA456 | 1 | command and control | http | 67 | command and control, delivery | dns, http, tls | 2023-08-26 |
| Trojan Agent | 1 | command and control | http | 405 | actions on objectives, command and control, delivery, installation | dns, http, ip, smtp, tcp, tcp-pkt, tcp-stream, tls, udp | 2023-08-24 |
| XWorm | 17 | command and control | tcp-pkt | 809 | command and control, delivery | dns, http, tcp, tcp-pkt, tls | 2023-08-22 |
Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website
ABOUT STAMUS NETWORKS
Stamus Networks is the global leader in Suricata-based network security and the creator of the innovative Clear NDR™ system. Designed to close visibility gaps and reduce alert fatigue, Clear NDR transforms raw network traffic into actionable security insights with unmatched transparency, customization, and effectiveness. Trusted by leading financial institutions, government agencies, and participants in NATO’s largest cybersecurity exercises, Stamus Networks delivers proven, high-performance network detection and response solutions. Stamus empowers security teams – delivering clarity amidst complexity – with greater control, fewer false positives, faster response times, and a more responsive, open approach than legacy vendors.
© 2014-2025 Stamus Networks, Inc. All rights Reserved.
