Threat Intel Banner
New Threat Detection Added 06 (8220 Gang, Loli Stealer Malware, BokBot Malware, Kimsuky APT, VPNFilter and CVE-2021-41773)
New IDPS Rules Created 12
Overall Weekly Observables Count 2,369,884


Daily Submissions by Observable Type

Chart, line chartDescription automatically generated


Newly Detected Threats

The following threats were added to Crystal Eye XDR this week:

Threat name: 8220 Gang (Malware)

Microsoft has warned against a malware dubbed as 8220 gang targeting Linux systems and installing crypto-mining malware. Researchers named the attacker 8220 gang and spotted notable updates to the malware campaign, which includes a new variant of crypto miner, and an IRC bot. Microsoft has disclosed the recent attacks of the 8220 gang, in which they were found exploiting a critical bug affecting Atlassian Confluence Server and Data Center. The recent campaign targets i686 and x86_64 Linux systems. It employs RCE exploits for CVE-2019-2725 (Oracle WebLogic) and CVE-2022-26134 (Atlassian Confluence Server and Data Center) for initial access.

Rules Created: 03
Rule Set Type: Balanced – IDS: Alert – IPS: Alert
Class Type: Trojan-activity
Kill Chain:

Initial Access T1189 - Execution T1059 - Persistence - Command and Control T1102

Threat name: Loli Stealer (Malware)
The Loli Stealer Malware packed with UPX & written in Go programming language also dubbed as Golang Stealer recently detected by Malwarebytes as Trojan.CryptoStealer.Go. As its behaviour, the malware calls WindowsAPI for example, PIN tracers. The malware then calls to the Yandex browser, which is popular mainly in Russia. Next, it searches for the desktop and copies all files to a folder created in %APPDATA%. The malware finally copies all files, compresses them all and sends them to its command-and-Control server.
Rules Created: 2
Rule Set Type: Balanced
Class Type: Trojan Activity
Kill Chain: Execution T1204- Discovery T1087-Collection T1119- Command and Control T1071

Threat name: BokBot (Malware)

BokBot, also known as IcedID, was initially known as a banking trojan that steals credentials from a victim's online banking session. Once installed on a computer, it finds credentials from the browser and initiates fraudulent bank transactions. A recent campaign from the threat group TA551 was observed to push BokBot from their activities.

Red Piranha has deployed rules that will detect the initial download of this password-protected archive. The domains have also been identified and shall be rejected once domain requests are observed from machine endpoints.

Rules Created: 3
Rule Set Type: Security – IDS: Alert – IPS: Reject
Class Type: Trojan-activity
Kill Chain: Initial Access T1566 - Execution T1059 – Credential Access T1539 - Command and Control T1102

Threat name: Kimsuky APT (Threat Actor)

Kimsuky APT, a North Korean threat group known to conduct government cyber espionage operations, has been recently discovered targeting military base maintenance providers. A common tactic for Kimsuky APT is to lure their targets with phishing emails resembling a notice from the government ministry department. This will include a malicious document that appears as a sign-up form; once executed, it will immediately contact its command-and-control server for further instructions.

Red Piranha has deployed new rules that will detect the initial domain requests for recently discovered Kimsuky APT-related sites. The traffic shall be rejected once observed from machine endpoints.

Rules Created: 1
Rule Set Type: Balanced – IDS: Alert – IPS: Reject
Class Type: Trojan-activity
Kill Chain:

Initial Access T1566 - Execution T1204 - Command and Control T1102

Threat name: VPNFilter (Malware)

The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber-attack operations. The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. there are two known plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor.

Rules Created:
Rule Set Type: Balanced - IDS: Alert - IPS: Alert
Class Type: Malware
Kill Chain: Initial Access T1566 - Execution T1204 - Command and Control T1102

Threat name: CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete.

Rules Created: 2
Rule Set Type: Balanced - IDS: Alert - IPS: Alert
Class Type: RCE
Kill Chain: Initial Access: T1133

Total Counts by Observable Type

The table below shows the total counts of observables, we’ve been collecting for the last four months, the last four weeks, and the total since February 2017.

Date

File Hash

IP Address

Domain

URL

Email

Network Traffic

Host

File Properties

Total

Month

Apr 2022

4,124,667

1,837,957

396,073

637,235

592

3,514,384

371,365

563,861

11,446,134

May 2022

4,029,272

1,798,537

476,808

448,583

168

3,194,022

179,741

590,291

10,717,422

Jun 2022

4,798,835

2,138,981

548,365

473,164

735

3,645,625

115,609

585,476

12,306,790

Jul 2022

3,292,459

1,463,827

484,583

212,732

17

2,955,718

68,835

551,316

9,029,487

Week

7/1-7/7

943,452

438,030

126,350

62,360

0

810,711

23,358

135,432

2,539,693

7/8-7/14

751,304

314,639

113,855

54,821

14

710,598

15,133

139,544

2,099,908

7/15-7/21

817,762

312,021

117,953

46,922

0

576,167

11,451

137,726

2,020,002

7/22-7/28

779,941

399,137

126,425

48,629

3

858,242

18,893

138,614

2,369,884

Total

Since Feb 2017

154,801,123

36,825,172

20,219,962

15,829,282

198,904

30,096,704

2,822,491

3,365,864

264,159,502