Rule Digest: RATs, Infostealers, and Emotet Malware

Today is Saturday, which means it’s time for our next Rule Digest, in which we will tell you about interesting content for malware detection released this week. And yes, we again pay particular attention to the rules that participants in the Threat Bounty Program have published.

We start with the rule published by Ariel Millahuel, which helps security solutions to detect STRRAT trojan: https://tdm.socprime.com/tdm/info/TO2qaXt0OvI5/m3zowXIBPeJ4_8xcBtsy/?p=1

STRRAT is a Java-based Remote Administration Trojan that can steal login credentials saved on browsers and email clients, install RDPWrap, log keystrokes, and remotely control infected Windows operating systems. This RAT is a fairly new player in the wild, and researchers spotted it in attacks targeting German users.


The following rule from Ariel enables the discovering of yet another Remote Access Trojan – Cybergate RAT: https://tdm.socprime.com/tdm/info/nGtxqmlkgv1h/eHzlwXIBPeJ4_8xc9to-/?p=1

CyberGate – is a powerful, fully configurable and stable RAT coded in Delphi that is continuously getting developed. It allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. There are a number of versions of CyberGate, each of which can include different features. Most versions are used to steal passwords, files, record audio and take photos using the webcam, and install and execute malicious code.


And another new malware in our digest is TroyStealer, the traces of which can now be detected using the exclusive threat hunting rule submitted by Osman Demir: https://tdm.socprime.com/tdm/info/B2QA4hvraxSW/5VL5wXIBSh4W_EKGolsc/?p=1

TroyStealer is a piece of malware, designed to steal login information, like usernames and passwords stored on web-browsers, which it sends to another system via email. It also logs user keystrokes which may reveal sensitive information. This infostealer has been observed being distributed via email spam campaigns. The deceptive letters spreading this malware were targeted at Portuguese users.


Further in our digest is content for detecting malware that has long and successfully been used in attacks around the world. The new rule from Lee Archinal detects characteristics of AgentTesla through an Excel Spreadsheet using macros: https://tdm.socprime.com/tdm/info/2klZjmsPzzhF/VXz0wXIBPeJ4_8xc2uNg/?p=1

Last month, this malware was used in the COVID-19 phishing attack targeted at Medical Suppliers. AgentTesla is a commercial modular .Net-based malware that is often used by attackers to collect sensitive data from different applications and WiFi credentials. Scammers love to use it preparing to Business Email Compromise attacks.

And the last rule for today is also created by Lee Archinal. Lee created the rule based on recently analyzed lure documents spreading Emotet malware. This exclusive Sigma helps to spot characteristics of an Emotet infection through a Microsoft Word Document: https://tdm.socprime.com/tdm/info/GhSEQiFPVoOx/qVXpwXIBQAH5UgbB8X7z/?p=1

Talking about this malware probably doesn’t make much sense. Emotet is the number one enemy for any organization since with its help dangerous cybercriminals specializing in data theft and encryption get into the network. It seems that the COVID19 pandemic made Emotet botnet operators give up their summer vacation, so researchers regularly observe new campaigns to spread this malware.

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio, 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Defense Evasion, Execution, Persistence, Privilege Escalation, Defense Evasion

Techniques: Modify Registry (T1112), User Execution (T1204), Command-Line Interface (T1059), Scheduled Task (T1053), PowerShell (T1086), Scripting (T1064)

Wait for the next digest, and don’t forget to register to Weekly Talks on Breaking News in Cybersecurity: https://my.socprime.com/en/weekly-talks/