We’ve got some nice detection updates this week, expanding on a few families which have been seen recently, and going back to tidy up some older names which don’t get heard from so often these days.
Read on below for information on the following:
- Added Flubot detection
- Updated configuration extractor for new version of Redline stealer
- Updated detection for Bazar variants
- Additional detection for Gandcrab ransomware payloads
- New family signatures for DoubleBack
- HANTA ransomware family signatures
- LegionLocker family signatures
We are continuing to work on some larger features additions in the background, and are looking forward to being able to share those with you in the coming weeks. We recently announced our upcoming macOS support, and this is continuing to move along well with our initial release planned for the end of May 2021. We’ll have a lot more information on that at the time.
In the meantime, if you come across any unexpected or incorrect results in your Triage browsing please let us know about it! You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Flubot is an Android trojan/stealer which was first discovered in late 2020. Spread via SMS phishing, it has gained a lot of attention recently due to large scale attacks against European users. Initially targeting Spain, the family has since branched out considerably to target - in its most recent campaigns - users in the UK, Germany, Hungary, Italy and Poland.
Regardless of version or exact target, Flubot always uses SMS phishing lures pretending to be from parcel delivery services like FedEx, DHL, and Correos (the Spanish postal service).
We have spent some time carrying out a thorough review of Flubot samples, and have now deployed family detection for the current known versions. Sadly we cannot use an extractor to enrich these results with the C2 configuration as the family uses a DGA at runtime, meaning we can only collect the URLs/domains which are actively contacted.
In addition to the family detections, we have improved our Android support with regard to dumping memory during execution to provide better support for Flubot and other samples.
You can find a technical breakdown of the family and its recent activity from Proofpoint here.
Updated Redline Configuration Extractor
Earlier in the week we noticed a new minor variant of the Redline stealer family which was also deploying IcedID as an additional stage. Besides the changes to Redline itself, this is the first time we have observed these 2 families being used alongside each other in this way.
Spotted a new #Redline stealer sample today dropping #IcedID - first time we've observed those families deployed together like this.— Hatching (@hatching_io) May 10, 2021
We've pushed a small update to our #Redline config extractor to fully support this variationhttps://t.co/LiKV5Q94MG pic.twitter.com/xwu3qNSgp7
We have made some tweaks to our configuration extractor for Redline and deployed it to properly cover other similar payloads. Some examples can be found below.
Updated Bazar Detection
Bazar has changed a lot since it was first observed, and it was recently pointed out to us that some early samples were not being properly detected by Triage.
These were versions that were seen very early in Bazar’s development, containing a number of debug strings and resources which were removed for the later releases. Interestingly this came to our attention due to what appears to be a new campaign using this old version - quite why an actor decided to use this instead of a newer variant we are not sure.
We have no expanded our signatures to cover these for the sake of completeness, although we don’t expect to see much more of them in future. Thanks to @r0ny_123 on Twitter for getting in touch about this one.
Additional Detections for Gandcrab Ransomware
From early 2018 through mid-2019, Gandcrab was one of the most prolific and successful ransomware on the scene. It evolved rapidly, incorporating a series of relevant CVEs into its codebase to make it a highly infectious family.
The creators shut down their infrastructure and distribution channels in 2019 after announcing their ‘retirement’ through a cybercrime forum. However some samples are still floating around and we’re always looking to ensure that we provide accurate judgements even for historic files, so this week we have pushed some improvements to our detection for the family to better catch samples we had noticed during reviews of Triage submissions.
More detailed information on Gandcrab’s career can be found in Fortinet’s 2019 blogpost on the family.
Added Family Signatures for DoubleBack
The DoubleBack backdoor was recently reported in a FireEye blogpost, in which they revealed 3 new families they had observed running campaigns in December 2020.
The 3 families are all linked to the same threat actor - referred to by FireEye as UNC2529 - and form a single execution chain:
- DOUBLEDRAG downloader
- DOUBLEDROP fileless loader/installer
- DOUBLEBACK backdoor module
Based on the findings reported by FireEye, we have implemented detections for the backdoor component of the family, and will continue to monitor available information to update and expand on these as required.
- 210505-n9rqlnyrcs (x64 version)
- 210505-r57hsrp74a (x86 version)
- 210322-ay61e967h2 (x86 version)
Added HANTA Ransomware Signatures
HANTA ransomware was identified by Twitter user @fbgwls245 in March 2021, as a new variant of the open-source HiddenTear family. We noticed it submitted to Triage by @Amigo_A_, who has published an article for the family on their ID Ransomware blog here.
#HiddenTear (HANTA) #Ransomware— dnwls0719 (@fbgwls245) March 26, 2021
Note: how_to_recover.txt@BleepinComputer @demonslay335 @Amigo_A_ @siri_urz @malwrhunterteam pic.twitter.com/PkfAchEilR
Added LegionLocker Family Signatures
During our regular reviews of Triage submissions we observed a few ransomware samples which were showing extracted notes but were not receiving a family tag. Reviewing these anaylses showed them to be LegionLocker samples, a family a which popped up in the wild around April 2021 and has seen regular use since then.
LegionLocker is based on the older CobraLocker malware which has been around in various forms for a year or more. Some basic flaws in the design of CobraLocker mean that it and many of its variants are in fact decryptable without paying a ransom - this reportedly includes the current versions of LegionLocker.
The family has seen a number of updates since it first appeared, with LegionLocker 3.0 being reported by @fbgwls245 at the start of this week.
New Version #LegionLocker 3.0 #Ransomware— dnwls0719 (@fbgwls245) May 9, 2021
New ext: .LGNLCKD
Note: LegionReadMe.txt@BleepinComputer @demonslay335 @Amigo_A_ @siri_urz @malwrhunterteam @JAMESWT_MHT pic.twitter.com/1lWsvT7m3i
In general the samples so far are not advanced, and make no great effort to hide their identity prior to infection. However as it’s continuing to change we will be keeping an eye on it for future changes and adding more advanced detection if needed.