In today’s Triage Thursday update blogpost we’re taking a look at the updates which have been deployed over the course of the week. It’ll be a shorter post than some, as we’re still working hard in the background on features like macOS support - we’ll have more news on that and more in the weeks to come.
Read on below for details on the following changes:
- Improved Guloader configuration extractor
- Improved CobaltStrike configuration extractor
- Updated Kutaki family detection
- Updated Dridex configuration extractor
- Updated Bazar family detection
- Improved IcedID configuration extractor
- AsyncRAT configuration extractor update
- Added SolarMarker family signatures
- Taurus detection update
- Added fallback detection for CryptBot
- Added family signatures for StormKitty stealer
If you discover any issues or missing detections while using Triage, please do send us feedback. It’s a big help in deciding what we should be prioritising. You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account!
Updated Guloader Configuration Extractor
Changes in Guloader over time have meant that again our configuration extractor for the family has been failing to process recent samples. We’ve been reviewing the family and have pushed an update to our configuration extractor to better support these variants - we can now pull C2 configuration data directly from relevant shellcode which is more reliable than our previous strategy.
We will be carrying out reprocessing for recent samples, but any Guloader submissions going forwards will have the new extractor.
Improved CobaltStrike Configuration Extractor
CobaltStrike returns to our blog this week with another tweak to its configuration extractor. Based on feedback from users, we have extended Triage’s support for the family to also dump the URL and UserAgent values for CobaltStrike stagers.
A relevant example can be found below.
Updated Kutaki Family Detection
Kutaki is a stealer which mainly targets live acqusition of data from infected systems through keylogging, clipboard harvesting, and recording from webcams, microphones and screens.
The family also includes a range of anti-VM and anti-analysis techniques, but these are mostly now quite old and are easily bypassed. We initially added signatures for the family back in August 2020, and this week we have made some changes to improve detection and handle some recent samples we have observed on Triage.
Updated Dridex Configuration Extractor
We have implemented an update for Triage’s Dridex configuration extractor to better handle some of the recent variants. It can now detect the length of the sample’s RC4 key and correctly handles extraction when it varies from ‘standard’ value. This should provide much better support for the latest samples.
Updated Bazar Detection
The Bazar family has changed a lot since it first popped up, and this week we have deployed some more modifications to keep up with the latest versions. Triage’s detection for the backdoor module is still functioning without issue, but we have tweaked static detection for the loader modules to catch recent samples from Triage.
Updated IcedID Configuration Extractor
As with others already mentioned like Bazar and Dridex, recent changes to IcedID samples we are observing had started to cause some issues with our configuration extractor. We have reviewed the changes and updated our rules to properly extract the latest samples. As usual we’ll continue to keep an eye on future developments and apply changes if needed.
Updated AsyncRAT Configuration Extractor
AsyncRAT is an open source remote administration tool written in C#. We implemented a configuration extractor for the family back in October 2020.
We have made some updates this week to fix an issue which was causing the dumped configurations to be garbage data in some cases. We’ll continue to keep an eye for any other bugs around this but based on our testing this should now work reliably.
SolarMarker Family Signatures
SolarMarker is a multi-stage loader and backdoor first reported by Crowdstrike in early 2021. The family is often also referred to as Jupyter.
It consists of 4 stages:
- Powershell loader/installer which is initially deployed through phishing etc.
- Decrypter for the 3rd stage written by the installer
- Drops 4th stage script and writes the actual backdoor to AppData
- Establishes persistence for the backdoor dropped by the 3rd stage and launches it directly
The backdoor itself includes a wide range of functionality, including the ability to download and execute additional payloads - Crowdstrike reports observing the use of a custom stealer module.
We have implemented some initial family signatures based on the installer and backdoor stages, and will expand and update these as required.
A full and detailed write up of the family by Crowdstrike is available through their blog here.
- 210316-trddssyj5s (Main Installer)
- 201124-s6byj2xess (Main Installer)
- 201015-1vserrrdqx (Backdoor/Client Only)
- 200625-v2p6x68mm6 (Backdoor/Client Only)
Updated Taurus Stealer Detection
The Taurus stealer was first observed back in April 2020, believed to be developed by the same group who created the older “Predator the Thief” stealer. We initially covered this family earlier in 2021, and this week we have deployed some additional static rules to expand on the detection we added in January.
You can find some examples of the family below.
CryptBot Backup Yara Rule
Similarly to Taurus, this week sees some small additions to our rules for the Cryptbot family to catch additional samples we have observed on Triage. We have expanded our static detection to reliably catch samples regardless of the status of their C2 infrastructure.
Cryptbot is an infostealer which was discovered in 2019. It is commonly distributed alongside cracked software downloads and torrents, masquerading as some benign file.
StormKitty Family Signatures
StormKitty is a relatively minor stealer family which has been seen in the wild since late 2020. It includes a variety of functionality including stealing credentials stored locally, keylogging, webcam/video capture, and more. It was available publicly on Github for a while but appears to now be unavailable/private. The creator is responsible for a number of other minor trojans and stealers, like BlazeRAT and decryption tools for stolen Chromium and Firefox password files.
We have reviewed some samples which were observed submitted to Triage and implemented family detection.