Triage Thursday

Acquisition News and Detection Updates

Blog.

Another week, another Triage Thursday blogpost! Or almost at least - we’re a bit late as we decided to hold off and cover all the news at once. In today’s post we have our usual bundle of detection updates - more on those below - but first we’re excited to share an important announcement with you:

Hatching is now part of the Recorded Future family!

Recorded Future is the world’s largest intelligence company, aiming to provide the most comprehensive information available on threats to empower organisations to take fast, decisive action to deter and disrupt adversaries. Today we can announce that Recorded Future has acquired Hatching, adding our sandboxing platform to their wide range of intelligence sources.

“Recorded Future’s unrelenting focus on intelligence has made it an industry leader. Hatching has been laser focused on sandboxing, and we have a very competitive and scalable malware analysis solution. We’re excited to join forces to deliver high-performance, intelligence-enriched malware analysis that will help organisations stop malware in its tracks, before the damage is done.”

– Jurriaan Bremer, CEO of Hatching

Hatching Triage will be integrated into the Recorded Future ecosystem, creating a critical capability for clients where malware is identified and given a verdict before being further correlated and enriched in the Recorded Future Intelligence Cloud. Data generated by the sandbox will become a valuable data source within this environment and clients will benefit from broader coverage that includes global visibility of malware trends, their targets, and sources.

Triage will also continue to exist on its own outside the Recorded Future ecosystem. For our existing customers and users nothing will change in your day-to-day usage and our team will continue to push out updates and extend our detections as we’ve always done. However with access to all this new intelligence data the opportunities to augment our results and provide more detailed analysis have just grown significantly, and we’ll be looking at ways to make good use of this in the months to come.

“By combining Hatching’s automated malware analysis capabilities with Recorded Future intelligence, we are building the most important intelligence company of our time. Our clients will now have an intelligence advantage against malware exploits, one of the most pervasive threats facing every organization.”

– Dr. Christopher Ahlberg, CEO and Co-Founder of Recorded Future

It’s been a wild ride since we first opened Triage up for early access back in 2019. From our small beginnings we’ve expanded from a relative unknown to one of the major sandboxing solutions available on the market today, with around 10,000 registered users on our public cloud environment and nearly 100 customers all around the world. This acquisition marks the next step in our journey, and we’re very excited to see what the future holds - we look forward to finding out alongside you.

The transaction was supported by Breliant and Greenberg Traurig.


With that bit of news out of the way, let’s take a look at the detection updates this week:

ColdStealer

ColdStealer was reported by AhnLab in February this year, found to be disguising itself as downloads for various software cracks and tools. The initial infection is generally via a dropper that then downloads ColdStealer from its C2 server - reportedly the dropper often deploys multiple families of malware which is quite common for this kind of delivery method.

The family goes after most of the common targets shared by other infostealers - web browser information, cryptocurrency wallets, FTP credentials, and general system information - and has quite an extensive list of software it can harvest from. Rather than exfiltrate these files wholesale the malware parses them in situ and only sends out the useful bits - in their report AhnLab report that this mechanism actually seems to have issues with unicode encoding and errors out when trying to handle files on a Korean-language version of Windows.

We’ve reviewed available samples and implemented detections and a configuration extractor for the family. The extractor is able to dump the C2 domain/URL and a botnet ID used for identifying different campaigns/versions.

Analyses:

YTStealer

YTStealer popped up towards the end of June 2022, reported by Intezer. It is of course another stealer family but with an unusual twist - its only focus is to steal authentication cookies for Youtube accounts, seemingly targeting content creators in an attempt to hijack channels and sell access on the dark web.

Once installed on a system the malware carries out some system checks in an attempt to detect any virtualisation or analysis attempts, and then proceeds to the stealing phase. Its anti-VM checks are carried out using a Golang framework called Chacal which is available on Github and presented as a tool for redteamers and pentesters.

If the malware is able to find authentication cookies for Youtube it will also carry out some additional actions before exfiltrating data to its C2. First it launches a web browser in headless mode and imports the cookie. It will then load the ‘Studio’ page which is used to manage channel content and extracts information such as the channel name, subscriber count, age, monetization status, and verification status. This data is then encrypted and sent to the C2 server.

We have reviewed a large number of samples and implemented yara rules to detect the family. Some examples are provided below.

Analyses:

Blister Loader

Blister is an advanced malware loader which was first reported at the end of 2021 by the Elastic security team. In May of this year they published a detailed follow up going over the changes seen in the interim and providing more details about its usage. According to Elastic the family is actively developed and has seen several improvements including widening the architectures supported.

The malware includes a few anti-VM/anti-analysis techniques including significant code obfuscation, code signing, use of packers, and time-delayed execution. Some aspects of this can be configured for each sample using the hardcoded settings - these are protected using a relatively simple 4 byte key and XOR encryption. In order to try and fool some static techniques it also seems to use legitimate DLLs with malicious code patched in, rather than building the entire file(s) from scratch. Besides potentially tricking standard techniques the Elastic team suggest that may also be aimed at modern tools based on machine-learning.

As a loader Blister is not the final payload in the infection chain. It has been seen in use alongside LockBit ransomware and the SocGholish framework, and Elastic report seeing it in connection with Amadey, BitRAT, Clipbanker, CobaltStrike, Remcos and Raccoon. To deploy these payloads Blister has 3 different techniques for process injection which can be enabled in its configuration.

We have analysed a handful of available samples and implemented initial detections, and since this seems to be an actively developed family we will keep an eye on it to see if changes are needed in the future.

Analyses:

Escobar

Escobar is a new variant of the old Aberebot Android banking trojan with new features and more targets it can extract data from. It was written about by Cyble back in March and for now seems to be in a ‘beta’ phase while being actively developed.

The malware sets out to take as much control of the device as it can, requesting a total of 25 permissions from the user (which Cyble reports it abuses 15 of for malicious purposes). It can steal contacts, text messages, call logs, and location data; record calls and audio; and directly control the device to delete files, send messages, make calls, use the camera etc. Its actions are controlled remotely from the C2 server with a wide range of commands that it can act on.

One of its more interesting additions over the old Aberebot code base is the ability to steal multi-factor codes from Google Authenticator.

We have so far only got hold of one sample to test with but have implemented initial detections, and we will review these as and when more examples become available.

Analysis:

Malibot

Continuing with the Android bankers this week we have also added detections for Malibot, a family reported last month by F5 Labs.

The family is quite fully-featured with an extensive list of capabilities including overlay attacks; theft of data like cryptocurrency wallets, browser cookies and text messages; the ability to steal MFA authentication codes (including Google’s custom 2-step authentication that occurs directly on the device); and direct VNC access for control of the device. It can also send text messages enabling it to try and infect more users via smishing campaigns.

It generally seems to hide as a cryptocurrency miner - F5 Labs mentions names like “Mining X” or “The CryptoApp” (the latter being a legitimate, existing application that it tries to imitate) - but it has also been seen imitating other types of apps.

Analyses:

DNSCat2

DNSCat2 is not a malware family per se, but is a toolkit for DNS tunneling which has been popping up in some malware operations. It can be found on Github and uses a custom protocol to enable stealthy C2 communication entirely via DNS. All communications are encrypted by default (though seemingly with a home-rolled cryptographic algorithm).

The family first came to our attention during the team’s research into the Symbiote Linux backdoor last week. We came across a number of samples on other platforms being identified as Symbiote, but which did not appear to be related once we started digging. We quickly identified what they really were and due to the nature of the application have decided to add it as a family, since we are pretty sure most users/customers of Triage would want to be aware of its presence in their analyses.

Analyses:

You may also like: