StegBaus: Because Sometimes XOR Just Isn’t Enough
This past week, our team identified a group of malware samples that matched behavioral heuristics for multiple known malware families. These samples all displayed the characteristics typical of their respective families and contacted known command and control (C2) servers belonging to those families. However, initial static analysis revealed that the samples appear identical on the surface, leading us to believe that we had discovered a new loader. The malware families identified so far are DarkComet, LuminosityLink RAT, Pony, Imminent Monitor, and several variations of shellcode. We are calling the loader StegBaus based on its use of custom steganography and a PDB string found in an embedded DLL.
Shell Crew Variant StreamEx
Shell Crew, first named by RSA, has been incredibly proficient over time and has breached numerous high-value targets. In several observed instances the backdoor provided the group with an alternative foothold, and it employed a few tricks, such as using the Intel SSE extended instruction set to avoid emulation and obscure analysis. The StreamEx family can access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit; however, 32-bit versions of the malware exist in the wild.
The curious case of a reconnaissance campaign targeting ministry and embassy sites
Forcepoint Security Labs came across a malicious reconnaissance campaign that targets websites. As of this writing, the intent behind the campaign is unknown; however, the profile of the targets resembles those commonly targeted by Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.
Malicious Word document targeting Mac users
A malicious Word document targeting Mac users. "U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace.docm"
IKITTENS: IRANIAN ACTOR RESURFACES WITH MALWARE FOR MAC (MACDOWNLOADER)
A macOS malware agent, named MacDownloader, was observed in the wild targeting the defense industrial base, and was reported elsewhere to have been used against a human rights advocate. MacDownloader strangely attempts to pose both as an installer for Adobe Flash and as the Bitdefender Adware Removal Tool in order to extract system information and copies of OS X keychain databases. Based on observations of the infrastructure and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent with broader ambitions.
Lurk: Retracing the Group’s Five-Year Campaign
The cybercriminal group Lurk was one of the first to effectively employ fileless infection techniques in large-scale attacks—techniques that arguably became staples for other malefactors. A typical Lurk infection uses browser exploits to deliver non-persistent payloads to potential victims, probing their targets before deploying additional malware. The infection chain had multiple stages, and was accomplished using bodiless/fileless exploit payloads executed in-memory without additional persistence mechanisms. No traces were left on affected systems apart from files from the exploit process if the target machine wasn’t interesting to the Lurk operators. This eponymous lurking behavior would earn them notoriety until their operations were stymied and the perpetrators arrested. Lurk was believed to have siphoned over $45 million from financial organizations, ultimately disrupting the victims’ operations, reputation, and bottom line.