Blog.

Welcome back to our Triage Thursday™ blog series! We’re excited to share this week’s detection updates with you. In these quick posts, we highlight the latest malware families detections that have been added. This edition consolidates the wk25 and wk26 releases.

New Windows Families This Week

• Added detection and extraction for LissaC2, Windows backdoor
  • LissaC2 sample:
    • 260625-hselqaat4q
• Added detection and extraction for LxBaseRAT, Windows RAT
  • LxBaseRAT sample:
    • 260626-kjcrwaax3m
• Added detection and extraction for PaloRAT, Windows RAT
  • PaloRAT sample:
    • 260626-kjg2lahz2z
• Added detection and extraction for SirisuRAT, Windows RAT
  • SirisuRAT samples:
    • 260622-wwfj3sft8w
    • 260622-skftxsdx5n
• Added detection and extraction for chaarlottte, Windows RAT
  • chaarlottte sample:
    • 260626-kja82sax2m
• Added detection and extraction for OvinRAT, Windows RAT
  • OvinRAT sample:
    • 260626-kjdn6sax3q
• Added detection for Prysmax Stealer, Windows stealer
  • PrysmaxStealer sample:
    • 260626-kjhccshz3s
• Added detection for VBVStealer, Windows information stealer
  • VBVStealer sample:
    • 260626-kjjkeshz3w
• Added detection for ZuqraStealer, Windows stealer
  • ZuqraStealer sample:
    • 260626-kjabraaw9r
• Added detection for MegaStealer, Windows stealer
  • MegaStealer sample:
    • 260626-kjew8shz2w
• Added detection for OverWatch, Windows stealer
  • OverWatch sample:
    • 260626-kjjv7ahz3x
• Added detection for DissoluteStealer, Windows stealer
  • DissoluteStealer sample:
    • 260626-kh9p8aaw9m
• Added detection for CloudzRAT, Windows RAT
  • CloudzRAT sample:
    • 260626-kjc3mshy9y
• Added detection for MotionEyeRAT, Windows RAT
  • MotionEyeRAT sample:
    • 260626-kjbvksax3k
• Added detection for DeepSideRAT, Windows RAT
  • DeepSideRAT sample:
    • 260626-kjdzyaax3r
• Added detection for TernDoor, Windows backdoor
  • TernDoor sample:
    • 260626-kjhywshz3t
• Added detection for HavocKiller, Windows EDR-killer hacktool (Gentleman campaigns)
  • HavocKiller sample:
    • 260626-kjcrwahy9x
• Added detection for RoguePlanet, Windows local privilege escalation 0-day (Nightmare-Eclipse toolset)
  • sample: 260626-kjabraaw9q
• Added detection for SeroWorms, Windows worm with ransomware capabilities
  • SeroWorms sample:
    • 260626-kjhywsax4r
• Added detection for DeadLock, Windows ransomware
  • DeadLock sample:
    • 260626-kjg2laax4n

Detection for Android

• Added detection for pcTattletale, Android surveillanceware
  • pcTattletale sample:
    • 260626-kjeapsax4j
• Added detection for TemptingCedar, Android spyware
  • TemptingCedar sample:
    • 260626-ktsabah14s
• Added detection for Triout, Android spyware
  • Triout sample:
    • 260626-kjh9nahz3v
• Added detection for xHelper, Android trojan
  • xHelper sample:
    • 260626-kje71aax4k
• Added detection for ZooPark, Android spyware
  • ZooPark sample:
    • 260626-kh91zsaw9p
• Added detection for HARDRAIN, Android RAT
  • HARDRAIN sample:
    • 260626-kjamhsax2j
• Added detection for XRAT, Android surveillanceware
  • XRAT sample:
    • 260626-kjgqtsax4m
• Added detection for Zen, Android trojan
  • Zen sample:
    • 260626-kjhm5aax4q
• Added detection for Xbor, Android banking trojan
  • Xbor sample:
    • 260626-kjhccsax4p
• Added detection for Viper RAT, Android RAT
  • ViperRAT sample:
    • 260626-kjamhsax2k

Detection for Linux Families

• Added detection for P2Pinfect, Linux worm
  • P2Pinfect sample:
    • 260626-kjb6caax3l
• Added detection for Chalubo, Linux botnet
  • Chalubo sample:
    • 260626-kh91zsaw9n
• Added detection for TeamTNT
  • TeamTNT sample:
    • 260626-kjc3msax3n
• Added detection for Bootkitty family, cross-platform bootkit
  • Bootkitty samples:
    • 260626-kwlkjsh141
    • 260626-kwef8sax9q
• Added detection for RapperBot, Linux botnet
  • RapperBot sample:
    • 260626-kjg2lahz21
• Added detection for Plague, Linux backdoor
  • Plague sample:
    • 260626-kjddeaax3p
• Added detection for Ballista, Linux botnet
  • Ballista sample:
    • 260626-kjj6yshz31
• Added detection for Satori, Linux botnet
  • Satori sample:
    • 260626-kjbvksax3j
• Added detection for IPStorm, multi-platform botnet
  • IPStorm sample:
    • 260626-kjf5asax4l
• Added detection for ReverseSSH, open-source reverse-SSH tool (Golang)
  • sample: 260626-kk3ppaax5r

Detection for APT Groups

• Added detection for Turla RAT, Turla APT
  • TurlaRAT sample:
    • 260626-kjdzyahz2t
• Added detection for Pygmy Goat Backdoor, APT Tstark
  • PygmyGoat sample:
    • 260626-kja82sax2n
• Added detection for MASOL cross-platform RAT backdoor, APT Earth Estries
  • MASOL sample:
    • 260626-kjbjtaax2q
• Added detection for iocontrol Backdoor, APT Cyber Av3ngers
  • iocontrol sample:
    • 260626-kzrkzaay3j
• Added detection for Melofee backdoor, APT41
  • Melofee sample:
    • 260626-kz3y1aay3p
• Added detection for HyperSSL backdoor, APT27
  • HyperSSL sample:
    • 260626-kjbvksax2r

Updates for Existing Families

• Updated detection and extraction for NanoCore v2, Windows botnet
  • NanoCore sample:
    • 260626-kjbjtaax2p
• Updated signatures for new variant of Tsunami aka Kaiten multi-arch botnet
  • Kaiten sample:
    • 260626-kjjv7ahz3y

If you have any feedback, questions, or issues about Triage™ feel free to reach out to us any time - we do our best to respond to all feedback but even if we can’t get back to you straight away your files will go into our list of things to review and help us prioritize tasks.

You can find us directly through the website, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to tria.ge to register for a free account.