Stantinko Bots Targets Russia

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan. the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.

Stantinko has been traditionally a Windows malware, the expansion in their toolset to target Linux didn’t go unnoticed, but observed to be a Linux proxy version .

Upon execution, “httpd” validates a configuration file located in “etc/pd.d/proxy.conf” that’s delivered along with the malware, following it up by creating a socket and a listener to accept connections from what the researchers believe are other infected systems.

An HTTP Post request from an infected client paves the way for the proxy to pass on the request to an attacker-controlled server, which then responds with an appropriate payload that’s forwarded by the proxy back to the client.

In the event a non-infected client sends an HTTP Get request to the compromised server, an HTTP 301 redirect to a preconfigured URL specified in the configuration file is sent back.

Stating that the new version of the malware only functions as a proxy, Stantinko is the latest malware targeting Linux servers to fly under the radar, alongside threats such as Doki, IPStorm and RansomEXX.

Trickbot turns 100 1️⃣0️⃣0️⃣

TrickBot is a malware infection commonly installed via malicious phishing emails or other malware. When installed, TrickBot will quietly run on a victim’s computer while it downloads other modules to perform different tasks. Now a new 100th version has been released.

They perform a wide range of malicious activity, including stealing a domain’s Active Directory Services database, spreading laterally on a network, screen locking, stealing cookies and browser passwords, and stealing OpenSSH keys.

TrickBot is known to finish an attack by giving access to the threat actors behind the Ryuk and Conti ransomware to make matters worse.

New features added to TrickBot v100

TrickBot is now injecting its DLL into the legitimate Windows wermgr.exe (Windows Problem Reporting) executable directly from memory using code from the ‘Memory Module’ project.

“Memory Module is a library that can be used to load a DLL completely from memory – without storing on the disk first,” .

Initially started as an executable, TrickBot will inject itself into wermgr.exe and then terminates the original TrickBot executable. They use dippelganging technique to evade detection

“This technique makes use of transactions, a feature of NTFS that allows to group together a set of actions on the file system, and if any of those actions fails, a complete rollback occurs. The injector process creates a new transaction, inside of which it creates a new file containing the malicious payload. It then maps the file inside the target process and finally rolls back the transaction. In this way it appears as if the file has never existed, even though its content is still inside the process memory

Trickbot gang has not allowed the disruption of their infrastructure to hold them back, and they continue to integrate new features to prevent the malware from being undetected.

TrickBot is here to stay for the foreseeable future, and consumers and the enterprise need to remain diligent and be smart about what email attachments they open.

Qakbot 🐎 ->Prolock ☠️-> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock. Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe.

Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand was at $4 million worth of BTC till now.

Egregor operators in a spam of 3 months have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.

Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password.Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.

The use of CobaltStike and QakBot is to watch when hunting for Egregor. More threat hunting and detection tips from Group-IB DFIR team as well as a detailed technical analysis of Egregor operations are available in Group-IB’s blog.

Muhstik bots

IoT botnet operators keep expanding their arsenal by adding new scanners and exploits to harvest new IoT devices. One such popular botnet Muhstik, also known as Muhstik, has been observed targeting cloud infrastructures by leveraging several web application exploits.

What you need to know

  • The Muhstik gang has a multi-layered attack strategy that importantly involves a payload named pty that helps downloads other malicious components and then contacts IRC servers—the botnet’s C2 infrastructure—to receive commands.
  • Muhstik has been using the XMRmrig miner and scanning modules to target other Linux servers and home routers, along with Mirai source code to encrypt the configurations of its payload and scanning module.
  • Its primary method of propagation is via home routers such as GPON home router, DD-WRT router, and Tomato router.
  • Muhstik has actively exploited web application exploits in Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271) and Drupal RCE flaw (CVE-2018-7600).

Worth noting

  • The botnet has been found to be linked to a Chinese forensics firm Shen Zhou Wang Yun Information Technology Co., Ltd.
  • Other notable characteristics in Muhstik malware and infrastructure include the use of a Google Analytics ID and references to anime character ‘Jay’ from a game at Jaygame.net.

Security tips

Experts recommend that users should be cautious when installing open-source firmware and pay attention to security updates and maintenance patches necessary to keep devices safeguarded. In addition, regular scans and instant patches for vulnerabilities are advisable.