MULTI#STORM Attack Detection: A New Phishing Campaign Spreading Multiple Remote Access Trojans and Targeting U.S. and India
- Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America - 24.04.2024
- UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine - 23.04.2024
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
Table of contents:
Cybersecurity researchers warn defenders of yet another phishing campaign dubbed MULTI#STORM, in which hackers abuse JavaScript files to drop RAT malware onto the targeted systems. The MULTI#STORM attack chain contains multiple stages with the final one spreading Quasar RAT and Warzone RAT samples. According to the investigation, in this campaign threat actors have set eyes on U.S. and India.
MULTI#STORM Attack Detection
SOC Prime Platform for collective cyber defense enables organizations to boost their cyber resilience by delivering cost-efficient and cutting-edge solutions backed by Sigma and MITRE ATT&CK technologies. To arm cyber defenders with behavior-based SOC for content for MULTI#STORM attack detection, SOC Prime Platform curates a set of relevant Sigma rules mapped to ATT&CK and compatible with market-leading SIEM EDR, XDR, and Data Lake technologies.
Click the Explore Detections button below to drill down to the comprehensive list of Sigma rules to detect the novel MULTI#STORM campaign and timely identify any potential traces of RAT malware in the organizationās infrastructure. All detection algorithms are enriched with relevant metadata, like ATT&CK and CTI links, mitigations, and corresponding binaries.
MULTI#STORM Phishing Attack Analysis
Cybersecurity researchers at Securonix Threat Labs have uncovered a novel phishing campaign known as MULTI#STORM that mainly targets individual users in U.S. and India. The infection chain starts by clicking an embedded link leading to a password-protected ZIP file located on Microsoft OneDrive. The latter contains an obfuscated Javascript file that, once double-clicked, spreads the infection further leveraging the Python-based loader, which applies similar capabilities and attacker TTPs as DBatLoader malware. The loader used at the initial attack stage in the MULTI#STORM campaign is responsible for spreading a set of RAT malware samples on the impacted systems and leverages a set of advanced techniques to maintain persistence and evade detection.
Threat actors first drop the notorious Trojan dubbed Warzone RAT, which is capable of encrypted C2 communication, maintaining persistence, and password recovery while also applying a set of adversary techniques for detection evasion, like Windows Defender bypass functionality. Warzone RAT is used by hackers to steal sensitive data, like cookies and credentials from popular web browsers.
Researchers also observed the malicious traces of another payload dubbed Quasar RAT behind the Warzone RAT execution in the MULTI#STORM operation. Threat actors applied a different port for communication after successful Quasar RAT execution.
As potential mitigation measures, cyber defenders recommend continuously monitoring the usage of OneDrive links, avoiding opening any suspicious email attachments, particularly ZIP files, and limiting the execution of unknown binaries through policy updates along with following best security practices for email security protection.
MITRE ATT&CK Context
All above-references Sigma rules are tagged with ATT&CK providing in-depth contextual information and addressing relevant tactics and techniques associated with the MULTI#STORM campaign.
Tactics | Techniques | Sigma Rule |
Execution | Command and Scripting Interpreter (T1059) | |
Windows Management Instrumentation (T1047) | ||
Persistence | Boot or Logon Autostart Execution (T1547) | |
Defense Evasion | Abuse Elevation Control Mechanism (T1548) | |
Virtualization/Sandbox Evasion (T1497) | ||
Hide Artifacts (T1564) | ||
Impair Defenses (T1562) | ||
Masquerading (T1036) | ||
Credential Access | OS Credential Dumping (T1003) | |
Discovery | Remote System Discovery (T1018) | |
Command and Control | Application Layer Protocol (T1071) | |
Ingress Tool Transfer (T1105) |
Sign up for SOC Prime Platform to get equipped with cutting-edge cyber defense tools matching your current security needs. Explore the worldās largest repository of over 10K Sigma rules to proactively detect emerging threats; rely on Uncoder AI to advance your detection engineering with Sigma & ATT&CK autocompletion, instant bi-directional query translation to 28+ language formats & in-depth cyber threat context backed by ChatGPT and the power of collective intelligence; or leverage Attack Detective to validate the entire detection stack in less than 300 seconds, find cyber defense gaps and effectively address them to bullet-proof your cybersecurity posture. Striving to keep up with the latest news? Join our open-source cyber defender community at discord.gg/socprime.
