Welcome to this week’s edition of our Triage Thursday blog series. It’s a quieter week this time as we’re working on some larger updates which we will be releasing over coming weeks, but as usual we have updates to family detections for a range of families which have been active recently:
- Vidar stealer signatures
- PoetRAT support
- Matrix ransomware classification
- Buer loader signatures
- Signatures for new SlothfulMedia family
- Warzone RAT support
- Small update to Masslogger detection
If you have any feedback about Triage or sample detections, please do send us feedback. You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account!
Vidar was discovered in late 2018 and is thought to have first appeared in October of that year. It is a fork of the Arkei stealer, having significant similarities in terms of code and string use.
The family has seen consistent use since its creation and is still active in 2020. In mid-2019, Crowdstrike reported it being dropped alongside Gozi ISFB payloads by malicious Office documents.
We have now added support for this family to Triage, including behavioural rules and static detection.
PoetRAT was discovered by Cisco Talos in April 2020 using COVID-19 phishing lures to attack targets in Azerbaijan. The malware is written in Python and uses FTP for exfiltration of stolen data. Talos also reported that the threat actors were pushing additional tools to infected systems as required.
In October 2020 Cisco reported a new version of the malware being deployed, likely linked to the recent military clashes between Armenia and Azerbaijan. This variant is written in Lua instead of Python, greatly reducing the file size of payloads.
We have added detection for the family and will be keeping an eye on developments to it in the future.
Matrix has been in the wild for some time, with reports going back to late 2016. It has seen many different updates and variations over that time, although the core functionality has remained essentially the same.
It often targets Windows Remote Desktop (RDP) services to infect systems, likely by brute-forcing passwords. Its ransoms are not pre-set, but are decided on post-infection by the operators based on the contents of files on an infected system and the size of the victim organisation.
It is an extremely noisy family, carrying out a large number of operations to enumerate the system in addition to encryption. In some cases it has also been observed using repackaged versions of Sysinternals tools such as Handle.
The ransomnote paths and encrypted file extensions vary quite a bit across versions. However the ransomnote is always dropped as a Rich Text Format (RTF) file.
Buer is a loader framework which was first seen in late 2019. It is not operated directly by the developers, but is sold through forums as an off-the-shelf downloader/installer for other payloads.
It has been observed in use by the Fallout Exploit Kit, and in phishing campaigns distributing Trickbot and KPOT stealer. Most recently ZScaler reported it being used to deploy the Bazar Backdoor, a family also associated with the Trickbot gang.
At the start of October 2020 US government agencies published an advisory about a new malware family in use by a “sophisticated cyber actor”. The main sample is a loader which deploys 2 additional modules to infected systems - a remote access trojan (RAT) and a wiper which removes the dropper once persistence has been achieved via services. It is reported to have the ability to kill processes, execute commands, take screenshots, and modify the registry/file system. It carries out C2 communication via HTTP.
Based on the sample and information provided in the CISA advisory, we have implemented initial detections for this malware.
Warzone is openly sold through a branded website, provided as malware-as-a-service for others to use in their own campaigns. As with many of these RATs, it pretends to be a legitimate remote administration tool.
The malware uses its own DNS server to ensure reliable service, and includes a number of evasion techniques to disable Defender and gain persistence. A full writeup of the family, including details of features like its UAC bypasses, can be found in Checkpoint’s blog from February 2020.
Masslogger continues to change and push new versions. We noticed that some samples were failing to run properly with shorter timeouts, so we have expanded signature coverage to provide a fallback for these.