Welcome to the first Triage Thursday blogpost of the year! We hope you’ve all had a great Christmas and New Year if you observe those holidays, and are re-energised and looking forward to 2023.
We missed a few blogposts over the holiday period so this week is more of a short patch notes format to quickly round up all changes since early December. We won’t be going in depth with each family, but wherever available we have linked to previous writeups to provide a bit of background if you’re not familiar with it. The full list, broken down week by week, is shown below.
As always, if you have any feedback, questions or issues about Triage feel free to reach out to us any time - we do our best to respond to all feedback but even if we can’t get back to you straight away your files will go into our list of things to review and help us prioritise tasks. You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.
Deployed January 12th:
- New configuration extractor for Purecrypter
- Signatures and configuration extractor for new Joker variant
- New signatures and configuration extractor for Stealerium stealer
- Small update to AgentSmith signatures to fix false positives
- Small update to Harly yara rule to detect recent samples
- Small update to Darkcloud yara rule to detect recent samples
January 5th:
- Updates for Raccoon signatures and extractor to handle recent samples
- Updates for Lumma stealer signatures and extractor to handle new variant
- Updates for Lockbit ransom note detection, and added a new fallback rule for samples that do not execute properly
- Small update to Rhadamanthys yara rule
- New signatures and configuration extractor for Brasdex Android banking trojan
December 29th:
- Updated signatures for Hive ransomware to detect v6
- New signatures and extractor for Godfather Android banker
December 22nd:
- New signatures for Zerobot Linux botnet
- New signatures and configuration extractor for Icarus stealer
- New signatures and configuration extractor for GCleaner loader
- Updates for Vidar to detect recent samples
- Updates for CobaltStrike to address extraction issues
- Updated signatures and added a new extractor for Ginp Android banking trojan
December 15th:
- New signatures for Rhadamanthys stealer
- New signatures and extractor for ModernLoader
- New signatures and extractor for Truebot downloader
- New signatures and extractor for new Alienbot variant
- Small update for Laplas yara rule
- Small update for Jupyter yara rule
- Small update for Bandook yara rule to address new version
- Small update for Coldstealer yara rule
- Small fix for Joker extractor to avoid garbage C2 results appearing in the output
December 8th:
- Small fix for Asyncrat to address an extraction issue
- Tweaks for Netwire yara rule to fix extraction issue
- Tweaks for Warzone rules and extractor to handle recent samples
- Updates for Guloader yara rule to detect recent samples
- New signatures for BlueEagle RAT
- New signatures and extractor for Aurora stealer
- New signatures and extractor for Titan stealer
- New signatures and extractor for Agenda ransomware
- Updates for Sharkbot rule and added extractor for a new dropper variant
- Updates for Bahamut rules and extractor addressing a new variant