It’s Thursday again, and that means it’s time for another roundup of the week’s Triage updates. We’ve released several family detection changes recently, for behavioural signatures and configuration extractors, and we’ll go over these below and provide some links for reference.
In today’s post:
- Improved support for IcedID
- Added detection for TeaBot Android malware
- Updated Guloader handling
- Updated Redline handling for new variant
- Added detection for Snatch Ransomware
As usual, if you have any feedback on Triage or particular samples please do get in touch! You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.
Improved IcedID support
Continuing our changes from the last few weeks we have some additional tweaks to extend support for the IcedID family.
In previous updates we have added and improved detection for the first stages of an IcedID infection, covering the loaders which deploy the malware to an infected host.
This week we have extended this with new configuration extractors for the core modules - i.e. the 2nd stage loader and the final payload. We have also added static detection based on an element on the core payload’s functionality - browser injection. The family injects shellcode into web browser processes and Triage now has dedicated detection for this - both to act as a secondary method of detection if future changes cause issues with any of the others, but also to further enrich the data returned by Triage.
You can examples below. Under the malware config section there are multiple entries, each referring to a particular part of the infection - one for the loader, 2 for aspects of the payload. Together they now provide a good overview of the sample and its exact configuration.
Analyses:
Added Detection for TeaBot Android Malware
Last week we deployed detection for the Flubot Android trojan, and this week sees the addition of another family in very much the same vein - TeaBot.
TeaBot - also known as Anatsa or Toddler - was first seen in early January 2021 attempting to steal banking credentials and 2FA SMS messages related to a specific set of banks. Over the months since the family has expanded to include additional institutions, as well as improved capabilities to inject into and interact with apps more directly.
Cleafly - the original observers of the family in the wild - suggest that TeaBot is likely in early stages of development. Besides the rapid updates, it contains multiple oddities which suggest it is not yet in a stable form. Their initial writeup for the family can be found here.
Analyses:
Updated Guloader Handling
We recently observed some new samples of Guloader which had made some changes to their obfuscation methods. These variants have tweaked their use of the djb2 algorithm and no longer contain any readable strings to hint at the nature of the file.
We have made some modifications to our detections to catch these samples properly.
Analyses:
Updated Redline Stealer Handling
In recent blogposts we have mentioned Redline a few times, as we’ve improved our detections and handled some false positives. Since these updates we have been keeping an eye on the family to ensure they are working as expected, and in doing so noticed another new variant this week.
This one represents a relatively minor change, but does show a continued evolution of the Redline family. These samples have new encryption for their C2 communications, presumably in an attempt to hide some of their more obvious indicators.
We have reviewed the available samples and implemented changes as needed.
Analyses:
- 210520-qp6rcgd7ja
- 210519-a8jqzs8sv2
- 210519-4v4jtnth7x
- 210518-w542592d32
- 210518-j1epb7f7re
- 210518-7p2mkkbmh2
Added Detection for Snatch Ransomware
Snatch ransomware has been around for a few years, and has been on our radar for some time. It initially came to our attention in June 2020 when The DFIR Report published a blogpost covering recent campaigns by the family - this can be found here.
The ransomware is highly manual in its deployments. Initial access is gained by bruteforcing RDP services, with the attackers then taking over and running various surveillance and information gathering operations before attempting to encrypt machines. The toolkit includes a module capable of capturing and exfiltrating sensitive data from infected networks, and in at least some reported cases additional tools like Advanced Port Scanner have been found during investigations.
We have added some initial detection for the family this week, and will keep an eye out for any future campaigns which vary from the versions reported last year.
Analyses: