Triage Thursday

New Year, New Family Updates


We’re a little late, but happy New Year! We hope you had at least some chance to relax and have a break, whether that was celebrating Christmas yourself or just making the most of the peace and quiet without the rest of us getting in the way.

Here at Hatching we’re back up to full speed now, and some of our team have been working hard over the Christmas period to improve detections and tick off some old to-do items. In today’s blogpost we’ll go over the main changes and, as usual, provide some examples for you to check out yourself.

In the news today:

If you discover any issues or missing detections while using Triage, please do send us feedback - it’s a big help in deciding what we should be prioritising. You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to tria.ge to register for a free account.


Danabot

Danabot returns to the blog this week with a new version which required a few changes at our end. We mentioned the family in our previous blogpost as we expanded the fields dumped by our configuration extractor, and this new tweak sees changes to our background triggers to ensure that it works with the latest samples we’ve observed.

It’s only a minor change, but it should mean that all samples are now correctly dumped. As usual we’ll continue to monitor for any new variants which may interfere with results and will provide updates as needed.

Analysis:

PseudoManuscrypt

PseudoManuscrypt was reported by Kaspersky in December 2021 as a new threat they had been monitoring for some time. According to their report they initially detected it around June of that year.

The malware itself is a stealer with an extensive feature set. It is reported to be quite similar to the older Manuscrypt malware used by the Lazarus APT, and this is where it draws its name from. However, Kaspersky do not suggest that this family is also associated with Lazarus, for a couple of key reasons, the main one being that it does not appear to have been used in the targeted attacks normally associated with these kinds of groups. Instead it seems to be deployed more generally via compromised downloads of pirated software, and it has also been dropped by the Glupteba botnet, which similarly makes use of dodgy downloads for its initial infection.

Functionality for the family is varied and comprehensive, essentially giving an attacker full remote control over the infected machine. According to Kaspersky, it includes built-in support for “stealing VPN connection data, logging keypresses, capturing screenshots and videos of the screen, recording sound with the microphone, stealing clipboard data and operating system event log data …, and much more”.

The team has taken a look at many of the samples made available by Kaspersky and has implemented initial detections for the family.

Analyses:

Rook Ransomware

Rook is a relatively new ransomware family that was first observed around November 2021 by researcher Zack Allen.

It has been reported by several analysts since then that Rook has significant code overlap with Babuk, whose source code was leaked in the middle of last year. However, it’s by no means just a simple case of copying: it has a number of changes over its predecessor and seems mostly to have cherry-picked certain sections of the code rather than reusing the overall program. It is not particularly stealthy, however, opening a visible command line terminal at execution and leveraging a driver used by Process Hacker to help with disabling certain protections.

As with most modern ransomware, the family attempts to exfiltrate data from the infected network before encryption, to be used as leverage in ransom negotiations.

A full write-up of Rook is available from SentinelOne on their blog here. We have reviewed a number of samples and created some initial detections to classify it properly.

Interestingly, Rook’s successor appears to have arrived already. The NightSky ransomware was observed right at the start of 2022 and, although initially identified as a separate project, is now thought to be a new version of Rook packed with VMProtect and with some under-the-hood changes and improvements. We’ll be taking a look at this family in the coming weeks, so watch for updates there.

Analyses:

ModiLoader

ModiLoader, also known as DBatLoader or NatsoLoader, is a dropper first observed in June 2020. It is a two-stage loader, and has been observed deploying the Formbook, Netwire, and Remcos trojans.

We added detections for it not long after it was spotted, and these have held up well until now. However, we recently spotted a newer variant which wasn’t being handled properly, so we have revisited the family to address that. We have also taken the opportunity to review our signatures for it generally and have made some improvements there which we hope will see us through another 18 months.

Analyses:

Arkei Stealer

Arkei and its younger brother Vidar were something of a regular appearance on this blog through the second half of 2021, with a new configuration extractor being added back in October and a number of tweaks being made since to address new versions/variants.

Although not hugely common on its own these days, Arkei has led to multiple forks of the original project which have been quite successful in their own right, and the family itself is still regularly used in the wild. The Vidar and Baldr infostealer families were both developed from the source code of Arkei.

As with the previous appearances, it returns to the news this week with some configuration extractor updates for a new variant spotted on Triage since the start of 2022. Examples are provided below.

Analyses:

FlagPro

FlagPro is a new payload spotted in late December 2021. It has been linked to the Chinese state APT group called BlackTech, which is generally considered to be engaged in cyber espionage against foreign companies.

The malware is mainly aimed at network discovery and the subsequent deployment of additional payloads. It uses Windows commands to analyse the system and any networks it is associated with, and transmits the findings to its C2 infrastructure, which can then send back additional commands to run or a payload to fetch and install.

It is reportedly mainly distributed via crafted, targeted phishing emails against companies. So far it has mostly gone after organisations in Taiwan and Japan, but based on language support within the samples it appears to also be able to target English-speaking users. Based on the report by NTT Security, it is likely that the family has been in use in some form since around October 2020 - about a year before being reported openly.

A full write-up by NTT Security Japan can be found here. Some samples are provided below for reference.

Analyses:

PhoenixStealer

PhoenixStealer - not to be confused with Phoenix Keylogger which we’ve covered on this blog before - is a new C++ infostealer pointed out on Twitter back in November 2021.

We observed a few samples on Triage around that time, but in general it doesn’t seem to have taken off as a widely used tool. However, we have reviewed the family and implemented detections anyway, and if we see it start popping up more in the future we may revisit it for improvements and/or a proper configuration extractor as relevant.

Analyses:
