Blog.

Welcome back to our Triage Thursday blog series! It’s been a while since our last post, but our fight with the malware never stops. Today we’ll go over the latest updates this week, along with a full list that covers several additions and changes to configuration extractors and also outlines the expansion of our coverage during the first half of this year.

We’re sure you’ve noticed that we’ve been very quiet over recent months. There’s been a lot to do during the last year but going forwards we will be doing our best to stick to our weekly schedule for the update blogs, though the content will be a scaled back from before. Additionally we’re planning some new series focusing on more technical use cases and conducting deep dives into samples/families within our lovely Triage sandbox. Be sure to stay tuned for our upcoming blog posts!

As always feel free to reach out to us any time directly through the website, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to tria.ge to register for a free account.

Let’s get started to take a look at the latest updates this week:

New Families

• Add detection and extraction for Skuld stealer
• Add detection and extraction for CustomerLoader malware
• Add detection and extractor for WyrmSpy Android spyware used by the APT41 group
• Add detection and extractor for DragonEgg Android spyware used by the APT41 group
• Add rules and extractor for the BrbBot family
• Add detection and extractor for EdgeGuard Stealer
• Add detection for rootkit AuKill

Updates for Existing Families

• Update detection and extraction for the recent Stealc malware
• Update Joker extractor for more C2
• Fix a botnet issue with Vidar
• Add URL path attributes to GCleaner

Past Updates

Deployed July 20th

• Add detection to Legion stealer
• Add detection and extraction to Muggle stealer family
• Add detection and extraction to Phemedrone stealer family
• Add detection for DogeRAT open source Android RAT family
• Add detection and extractor for Letscall Android vishing malware family
• Add new rule for AppleJeus family
• Update detection and extractor for undetected SpyNote Android spyware family
• Fix for missing host in requests when Host header is missing

Deployed July 13th

• Add detection to Meduza stealer family
• Add detection and extraction to Sapphire stealer and update ransomware detection
• Add detection and extractor for Irata
• Add detection for Lazarus MagicRAT family
• Add new signatures for Derusbi (APT19 backdoor)
• Update detection for Gigabud family for recent samples

Deployed July 6th

• Add new rule for RustBucket MacOS family
• Update Lumma stealer rules and extractor
• Update extractor for Flytrap to prevent non-c2 from being extracted
• Update extractor for Aberebot
• Update detection rules and extractor for undetected Irata Android family
• Update detection of Nitro Ransomware and extractor
• Fix extraction issue with Raccoon stealer

Deployed June 29th

• Add detection and extraction for Germinx stealer family
• Add detection and extraction for Babylon RAT family
• Add detection and extraction for 2023 version of GravityRAT Android RAT family
• Add detection and extraction for undetected Cerberus Android family
• Add detection for Daxin rootkit family
• Add detection and extraction for TinyNote malware
• Add detection for Healer Disable Antivirus Dropper
• Add detection PySilon malware using pyinstaller unpacker
• Update rules and condition for recent unextracted Raccoon v2
• Update Strela stealer rules for undetected recent samples
• Update Gootloader signature detection
• Fix Lumma and Raccoon stealer conditions to avoid FP

Deployed June 22nd

• Add detection rules for undetected Cerberus Android family
• Add detection and extractor for HelloTeacher Android banking trojan
• Add new rule and signature for RomCom trojan
• Add detection for Shinolocker payload and extractor
• Update rules for recent Danabot loader
• Update rules and extractor for recent unextracted FatalRat samples
• Update Lumma rules and extractor for recent undetected samples and avoid FP

Deployed June 15th

• Add detection for Rhadamanthys v2
• Add detection and extraction for Umbral stealer family
• Add detection for Dynamic Rat malware
• Add config extractor for Dracarys Android Spyware family
• Add detection and extractor for SpyMax spyware family
• Update rules and extractor for recent BlackGuard stealer
• Update Raccoon rules for recent undetected samples and update fallback detection

Deployed June 8th

• Add Invicta Stealer detection and extraction
• Add new rule for ROKRAT family
• Add rule and extractor for Growtopia stealer
• Add rules and extractor for a new family called EagleRat
• Update rules for Raccoon stealer v2 for recent undetected samples
• Update rules for undetected Amadey v2 recent samples
• Update rules for recent undetected Stealc family
• Update Heuristic for WMIC win32_VideoController

Deployed June 1st

• Add rules and update extractor for recent Stealc family
• Add rule detections for the recent Pikabot variant
• Add detection and extractor for AhRat Android RAT family
• Add detection and extractor for AhMyth Android RAT
• Update rule for recent unextracted Rhadamanthys
• Update general ransomnote detection
• Update the signature for Fabookie
• Update extractor for covering more Daam Android samples
• Update extractor for new variant of Joker Android family
• Update rules and extractor for Xworm rat new variant
• Fix PlugX fallback detection to avoid FP

Deployed May 25th

• Add new rule for Kraken family
• Add new version of Xworm stealer
• Update Strela detection
• Update rules and extractor for recent unextracted Lumma stealer
• Update rules for undetected Gurcu/Whitesnake stealer
• Fix Redline fallback detection to avoid FP
• Update extractor for Fakecalls Android malware family
• New signatures for RTM Locker
• New signatures for BianLian ransomware

Deployed May 18th

• Add detection and extractor for SMSFactory Android SMS trojan
• Add detection for Rootnik Android rooting malware family
• Add detection and extraction for a Warhawk family
• Add new rule for HinataBot family
• Add generic Linux IoC for ESXI manipulation
• Add PoshC2 rules for
• Add rules for Epsilon Stealer family
• Update rules for recent undetected Danabot loader
• Update new detection and extractor for RambleOn Android malware family
• Update detection rules for Fakecalls Android malware family
• Update detection to handle new variant of Linux BPFdoor malware family
• Fix detection for GandCrab family to avoid false-positive

Deployed May 11th

• Add rules and extraction for Strela stealer v2
• Add detection for FluHorse Android malware family
• Add detection for Chameleon Android banking trojan family
• Add a new rule for PingPull Linux variant
• Add a new rule for Sword2033 Linux family
• Update Redline fallback detection for latest obfuscated samples
• Fix rules to avoid FP in XWorm stealer
• Update rules for unextracted Lumma stealer and avoid FP

Deployed May 4th

• Add detection and extractor for Drinik Android malware family
• Add new rule for Lobshot family
• Add new rule for BADCALL Linux family
• Added Gurcu V2 yara and extractor
• Fixed FP for bazarBackdoor
• Update rules and extractor for LucaStealer family
• Update extractor for recent DarkCloud samples

Deployed April 27th

• Add detection and extractor for DAAM

Deployed April 20th

• Update rules and extractor for the recent Aurora stealer variant
• Update signature and extractor for the latest Laplas clipper variant
• Update detection and extraction for recent Stealc stealer variant
• Fix extractor for recent Gurcu stealer samples

Deployed April 13th

• Add extraction support to Rhadamanthys stealer family
• Add fallback extraction to obfuscated Cryptbot family
• Add signatures for Linux Golang written botnet called GoBruteforcer
• Add a new rule for Andardoor backdoor
• Add a new rule for Typhon stealer
• Update detection rule for a new variant of RambleOn Android family
• Update rules and extractor for a new variant of Lumma stealer

Deployed April 6th

• Add detection and extraction for Gurcu stealer family
• Update Yara and extractor for recent Raccoon stealer V2 family
• Update Yara and extractor for recent undetected or extracted DarkCloud stealer samples
• Update new extraction for new variant of the Harly Android family
• Update Nosu rules and extractor to extract more samples

Deployed March 30th

• Add detection and extraction for FakeCalls Android family
• Add detection and extraction for recent SandroRAT Android RAT
• Add extractor for Gafgyt, updating signatures for undetected variant, and fix FP issue
• Update fallback signature detection for obfuscated Cryptbot samples
• Update extraction for Xorddos, add extraction support to CRC polynomial, and fix parsing errors
• Update detection for new variant of Vultur Android dropper family
• Update yara and extractor for recent Lumma stealer
• Update yara and extractor for new variant of Qakbot

Deployed March 23th

• Add extractor for MasterFred Android family
• Add detection and extractor for an open source AndroRAT family
• Update extractor for undetected S.O.V.A v5 C2
• Update yara and extractor for undetected Danabot loader
• Update yara and extractor for Stealc recent undetected samples
• Update detection and extraction support to recent Xworm version
• Update detection for Vidar to fix extraction issues with the latest samples

Deployed March 16th

• Add detection for XMRig crypto miner to cover Linux version
• Add detection for Coper Android malware family
• Add extraction support to Gh0strat family
• Add extraction support to Sakula family
• Add new signatures for Royal Linux ransomware
• Add detection and extraction to Mylobot family
• Add new rule for SoulSearcher family
• Add detection for detecting UPX in ELF
• Add new detection and extractor for xenomorph v3 Android malware family
• Update Raccoon V2 undetected new variant
• Small update for undetected Redline stealer
• Update and support for older Grandorerio variant

Deployed March 9th

• Add detection and extraction for Chinotto Android spyware
• Fix Emotet C2 extraction issue
• Update ransomnote for Cerber ransomware
• Update yara and extractor for Lumma stealer new variants
• Update yara for undetected recent Kutaki samples
• Update extractor for new variant of S.O.V.A v5 Android banking trojan

Deployed March 2nd

• Add detection for MosaicLoader family
• Add detection and extraction for GoatRAT Android RAT malware
• Add detection for APT42 Android malware
• Add extracting support for Smokeloader’s botnet id
• Add extraction support for FatalRat family
• Update extractor for new variant of GodFather Android malware family
• Update detection for undetected Echelon stealer sample
• Update Vidar for new botnet and fix extractor
• Update Raccoon V2 to extract the new version
• Small update for Laplas IoCs to support extracting more samples

Deployed February 23th

• Small update to detect and extract Smokeloader version 2022
• Small update to get config of misextracted Warzone samples
• Fix Asyncrat extractor for non-ASCII characters and clean up old signatures generating false-positives
• Update Lumma stealer for a new variant and add fallback detection
• New rule and extractor for stealc family
• New rule and extractor for Aberebot Android banking trojan
• New rule for RambleOn Android spyware
• Small update rules to cover more samples and new extractor for SpyNote variant

Deployed February 16th

• Added new family called Enigma with detection and extraction and updated Stealerium rules and extractor as core stealer of Enigma
• New rule for Brunhilda Android dropper
• New signature for Batloader
• New rule for HZRat
• New rule for Pikabot
• New signatures for TgToxic Android banking trojan
• Small update Limerat yara rules to get missed samples extracted
• Update for Xworm yara rules and extractor for a new variant

Deployed February 9th

• Add detection and extraction for new family called Predator stealer
• Generic anti-vm & network signatures ioc-sig-generic
• New rule for CaddyWiper family
• New rule for HeadCrab backdoor
• New signatures for PixPirate Android banking trojan
• New signatures for Turian Chinese backdoor ioc-sig-turian
• New signature for Batloader
• New rule for Brunhilda Android dropper
• New rule for HZRat
• New rule for pikabot
• New rule for Manuscrypt for newly undetected samples ioc-sig-manuscrypt
• Old update in windealer rule
• Small detection update to get the recent Netwire extracted
• Small update for Raccoon’s v2 yara rule to detect recent samples
• Small update Limerat yara rules to get missed samples extracted
• Update extractor for GodFather Android banking trojan variant
• Update for Laplas detection and extraction to get config of the new variant
• Update for Xworm yara rules and extractor for a new variant
• Update signatures and extractor for undetected XLoader Android banker
• Update yara rule and extractor for new Bumblebee variant

Deployed February 2nd

• New signatures for Vultur Android RAT
• New signatures for Pegasus Android spyware
• New extractor for GodFather Android banking trojan variant
• Small update for Jupyter’s yara rule to detect recent samples
• Update for Fabookie’s yara rule to detect recent samples
• Update for Lumma’s yara rule and extractor for recent samples
• Update for Panda’s yara rule to detect missed samples
• Add new rule for Mimic ransomware
• Add new signatures for Trigona ransomware
• Add new signatures for SwiftSlicer wiper

Deployed January 26th

• Small update for Vidar yara rule to detect recent samples
• Small update for Systembc yara rule to detect recent samples
• Small update for Avoslocker iocs to detect recent sample
• Small update for Icarus extractor to prevent garbage config
• Small update for Aurora extractor to support domain extraction
• Updates for Laplas iocs to detect and extract from recent samples
• Updates for Xmrig yara rule to avoid FPs
• New extractor for Strrat
• New signatures and extractor for new Agenttesla variant
• New signatures and extractor for Hook Android banker
• New signatures and extractor for Gigabud android rat

Deployed January 19th

• Updates for Sectoprat and VjW0rm signatures to detect recent samples
• New signatures and extractor for Nosu stealer
• New signatures and extractor for new Erbium stealer variant
• New signatures and extractor for new Spynote variant
• New signatures and extractor for airavat Android RAT