Stantinko Bots Target Russia

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus and Kazakhstan. The new sample is a trojan that masquerades as httpd, the Apache web server daemon commonly found on Linux servers, and is a new version of malware belonging to the threat actor tracked as Stantinko.

Stantinko has traditionally been Windows malware; the expansion of its toolset to Linux did not go unnoticed, and the sample observed is a Linux proxy variant.

Upon execution, "httpd" validates a configuration file located at /etc/pd.d/proxy.conf that is delivered along with the malware, then creates a socket and a listener to accept connections from what the researchers believe are other infected systems.

An HTTP POST request from an infected client is passed by the proxy on to an attacker-controlled server, which responds with an appropriate payload that the proxy forwards back to the client.

If a non-infected client sends an HTTP GET request to the compromised server, it receives an HTTP 301 redirect to a preconfigured URL specified in the configuration file.
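The request handling described above, as a lab emulation added here (this is not Stantinko's code, and the key=value config format and the upstream/redirect values are hypothetical stand-ins for whatever the real proxy.conf carries). It is useful for exercising a network signature or understanding the fingerprint: a POST is relayed to the upstream and its answer returned, anything else gets a 301.

```python
# Added example: emulation of the Stantinko-style proxy behaviour for lab use.
# Not the malware's code; config format and values below are hypothetical.
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample configuration (hypothetical keys, not the real proxy.conf).
SAMPLE_CONFIG_TEXT = """
# upstream = attacker-controlled server, redirect_url = what innocent visitors see
upstream_host = 127.0.0.1
upstream_port = 8081
redirect_url = http://example.invalid/
"""


def parse_config(text: str) -> dict:
    """Parse a minimal key=value config (hypothetical format)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    if "upstream_port" in cfg:
        cfg["upstream_port"] = int(cfg["upstream_port"])
    return cfg


def route_request(method: str, config: dict) -> dict:
    """Decide how the proxy treats one request.

    POST  -> relay to the upstream server (how infected bots talk to it).
    other -> HTTP 301 to the preconfigured URL (what a non-infected client sees).
    """
    if method.upper() == "POST":
        return {"action": "relay",
                "host": config["upstream_host"],
                "port": config["upstream_port"]}
    return {"action": "redirect", "status": 301,
            "location": config["redirect_url"]}


class FakeHttpdHandler(BaseHTTPRequestHandler):
    config = parse_config(SAMPLE_CONFIG_TEXT)

    def do_GET(self):
        self._dispatch()

    def do_POST(self):
        self._dispatch()

    def _dispatch(self):
        decision = route_request(self.command, self.config)
        if decision["action"] == "redirect":
            self.send_response(decision["status"])
            self.send_header("Location", decision["location"])
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Relay the POST body to the upstream and hand its reply back verbatim.
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        upstream = http.client.HTTPConnection(decision["host"], decision["port"], timeout=5)
        upstream.request("POST", self.path, body=body, headers={
            "Content-Type": self.headers.get("Content-Type", "application/octet-stream")})
        reply = upstream.getresponse()
        data = reply.read()
        self.send_response(reply.status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Listens locally; point a test client at it with GET and POST to see both paths.
    HTTPServer(("127.0.0.1", 8080), FakeHttpdHandler).serve_forever()
```

A 301 on GET is ordinary behaviour for many legitimate servers, so on its own it is a weak indicator; the combination of the redirect, POST bodies being relayed to a fixed upstream, and an httpd binary outside the package-managed path is what makes the fingerprint meaningful.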

The researchers state that this version of the malware functions only as a proxy. Stantinko joins Doki, IPStorm and RansomEXX as recent Linux server threats that flew under the radar. On a suspect host, a quick check is to confirm that any process named httpd runs from the binary your package manager installed (for example with rpm -Vf or dpkg -S on the executable path) and to look for the configuration path noted above.

Cicada 🐞 Chinese State-Sponsored

The hackers, most likely from a well-known group funded by the Chinese government, are equipped with both off-the-shelf and custom-made tools. One such tool exploits Zerologon (CVE-2020-1472), a vulnerability that can give attackers domain administrator privileges wherever an unpatched domain controller is reachable. The group, Cicada, is widely believed to be funded by the Chinese government and also goes by the names APT10 and Stone Panda.

Japan-linked organizations need to be on alert: they are clearly a key target of this sophisticated and well-resourced group, with the automotive industry apparently a particular focus of this campaign.

The attacks make extensive use of DLL side-loading. Rather than replacing a system DLL, the attacker places a malicious DLL where a legitimate, usually signed, executable will find it first, typically the executable's own directory, which the Windows DLL search order checks before the system directories. The trusted process then loads and runs the attacker's code, and because it executes inside a legitimate process it is harder for security software to spot.
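A detection heuristic for the side-loading pattern just described, added here as an example (it is not from the Symantec research and not Cicada's tooling). It runs over Sysmon Event ID 7 (ImageLoaded) records; the field names follow Sysmon's schema, the sample records are constructed, and the short list of commonly hijacked DLL names is an illustrative stand-in for one you would build from a clean System32 listing.

```python
# Added example: DLL side-loading heuristic over Sysmon Event ID 7 records.
# Sample events are constructed; SYSTEM_DLL_NAMES is a short illustrative list.
import ntpath

# Directories from which DLL loads are expected; everything else is "user space".
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Names of system DLLs that signed host binaries import and attackers like to
# shadow with a copy in the host's directory (illustrative, not exhaustive).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptbase.dll", "uxtheme.dll"}


def sideload_indicators(event: dict) -> list:
    """Return the reasons an Event ID 7 record looks like side-loading ([] if none).

    Side-loading needs the DLL to sit in the host executable's own directory and
    that directory to be somewhere the attacker could write, so those two
    conditions gate everything else.
    """
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    reasons = []
    if not loaded.endswith(".dll"):
        return reasons
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return reasons                      # not loaded from the host's directory
    if loaded.startswith(TRUSTED_DIRS):
        return reasons                      # expected location for application DLLs
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("unsigned or invalid-signature DLL loaded from the host's own directory")
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES:
        reasons.append("DLL name collides with a Windows system DLL")
    return reasons


def scan(events: list) -> list:
    """Return (host image, reasons) for every event with side-loading indicators."""
    hits = []
    for event in events:
        reasons = sideload_indicators(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed sample records (subset of Sysmon Event ID 7 fields).
SAMPLE_EVENTS = [
    {   # benign: explorer loading a signed DLL from System32
        "Image": "C:\\Windows\\explorer.exe",
        "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # suspicious: a signed host copied to a public folder loads an unsigned version.dll beside it
        "Image": "C:\\Users\\Public\\Music\\wab.exe",
        "ImageLoaded": "C:\\Users\\Public\\Music\\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
    {   # benign: vendor app loading its own unsigned helper from Program Files
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
    {   # benign: per-user app loading its own validly signed plugin
        "Image": "C:\\Users\\alice\\AppData\\Local\\Tool\\tool.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Tool\\plugin.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Event ID 7 describes the signature of the loaded DLL, not of the host process, so confirming that the host is a known signed binary (the other half of the pattern) needs correlation with the process creation event or a hash lookup. Expect noise from legitimately unsigned per-user applications and tune with an allowlist.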

Microsoft patched the critical privilege-escalation vulnerability in August 2020, but attackers have since been using it to compromise organizations that have yet to install the update.

Threat Vector

  • The third-stage DLL has an export named "FuckYouAnti"
  • The third-stage DLL uses the CppHostCLR technique to inject and execute the .NET loader assembly
  • The .NET loader is obfuscated with ConfuserEx v1.0.0
  • The final payload is QuasarRAT, an open-source backdoor used by Cicada in the past

It is difficult to say how, when or where you will be attacked and compromised, whatever the geography. Stay safe and secure.

APT Predictions 2020: As It Happened. Predicting 2021

Trying to make predictions about the future is a tricky business. The researchers reviewed what they predicted for 2020, what actually happened, and what they expect to happen next.

  • The next level of false flag attacks
    Olympic Destroyer, DeathStalker
  • From ransomware to targeted ransomware
    Attacks targeting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Group, Silence and Magecart, as well as APT threat actors such as Lazarus
  • More infrastructure attacks and attacks against non-PC targets
    TunnelSnake, MosaicRegressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
    StrongPity
  • Increasing sophistication of attack methods
    Geo-fenced attacks, and the use of legitimate services for hosting malware and for C2 communications
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked or stolen personal information is being used more than ever before in up-close and personal attacks

Turning to the future, these are some of the developments the researchers think will take center stage in the year ahead, based on the trends observed this year:

  • APT threat actors will buy initial network access from cybercriminals
  • More Silicon Valley companies will take action against zero-day brokers
  • Increased targeting of network appliances
  • The emergence of 5G vulnerabilities
  • Demanding money "with menaces"
  • More disruptive attacks
  • Attackers will continue to exploit the COVID-19 pandemic

Jupyter: More Than a Planet. An Infostealer

Researchers have discovered a new infostealer written in .NET, called Jupyter, which targets Mozilla Firefox, Google Chrome and other Chromium-based browsers.

The first version seen in the wild stole information (autocomplete data, cookies and passwords) only from Chrome.

The current version adds Firefox data (cookies, logins, certificates and form history). It keeps the same evasion technique as before: instead of opening the browser's data stores directly, it copies them and reads the copies, so that the tell-tale access to the original files by the stealer is avoided.
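The copy-then-read trick still has to read the original store once, so object-access auditing on those files catches it. The detection below is an added example (not from the Morphisec research and not Jupyter's code): it runs over Windows Security Event ID 4663 records, using that event's field names, and flags any process other than a browser that reads a browser credential or cookie store. The sample records and process paths are constructed.

```python
# Added example: flag non-browser processes reading browser credential stores,
# from Windows Security Event ID 4663 (object access) records. Samples constructed.
import ntpath

# Files whose read by a foreign process deserves an alert (lowercase basenames).
STORE_NAMES = {
    "login data", "cookies", "web data",                                # Chrome / Chromium
    "logins.json", "key4.db", "cookies.sqlite", "formhistory.sqlite",   # Firefox
}
# Processes that are expected to open those files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "firefox.exe"}
FILE_READ_DATA = 0x1   # the ReadData bit of the 4663 AccessMask


def is_credential_store(path: str) -> bool:
    return ntpath.basename(path).lower() in STORE_NAMES


def foreign_store_read(event: dict) -> bool:
    """True when a non-browser process reads a browser store (a copy does exactly this)."""
    if not is_credential_store(event.get("ObjectName", "")):
        return False
    process = ntpath.basename(event.get("ProcessName", "")).lower()
    if process in BROWSER_IMAGES:
        return False
    mask = int(event.get("AccessMask", "0x0"), 16)
    return bool(mask & FILE_READ_DATA)


def scan(events: list) -> list:
    """Return the (process, object) pairs worth alerting on."""
    return [(e["ProcessName"], e["ObjectName"]) for e in events if foreign_store_read(e)]


CHROME_LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
FIREFOX_KEY_DB = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\key4.db"
FOREIGN_EXE = "C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe"   # constructed, hypothetical

# Constructed 4663 records (subset of fields).
SAMPLE_EVENTS = [
    {"ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ObjectName": CHROME_LOGIN_DATA, "AccessMask": "0x1"},          # browser itself: expected
    {"ProcessName": FOREIGN_EXE,
     "ObjectName": CHROME_LOGIN_DATA, "AccessMask": "0x1"},          # foreign read: the copy step
    {"ProcessName": FOREIGN_EXE,
     "ObjectName": CHROME_LOGIN_DATA, "AccessMask": "0x80"},         # attributes only: no content read
    {"ProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "ObjectName": FIREFOX_KEY_DB, "AccessMask": "0x1"},             # browser itself: expected
    {"ProcessName": FOREIGN_EXE,
     "ObjectName": FIREFOX_KEY_DB, "AccessMask": "0x1"},             # foreign read of Firefox key DB
]

if __name__ == "__main__":
    for process, obj in scan(SAMPLE_EVENTS):
        print("ALERT", process, "read", obj)
```

4663 events only appear once "File System" object-access auditing is enabled (auditpol /set /subcategory:"File System" /success:enable) and an audit entry for ReadData has been placed on the profile files; backup agents and antivirus scanners will read the same files, so add them to the allowlist rather than widening the browser set.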

The malware can download and run further malware as well as PowerShell scripts and commands, and can inject shellcode into legitimate Windows configuration applications.

The downloaded file is a Zip archive containing an installer that presents itself as a legitimate piece of software but is nothing of the kind. Alarmingly, according to the researchers this file has kept a 0% detection rate on VirusTotal for over six months, which raises the question of how many systems it has infected by now.

On execution of the installer, a .NET C2 client (the Jupyter Loader) is injected into memory. The client has a well-defined communication protocol and versioning matrix, and has recently gained persistence modules.

The client then downloads the next stage, a PowerShell command that runs the Jupyter .NET module in memory.

The operation is believed to originate in Russia: the C2 server points there, and a reverse image search of the admin panel's image returned a Russian match.

To conclude, the trend itself is nothing new: researchers constantly observe new variants of existing malware types being developed, and some go unnoticed for a long time. Research reports like these help the cybersecurity community find and close its blind spots.