HYAS Threat Intel Report March 25 2024

Weekly Threat Intelligence Report

Date: March 25, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

This report provides detailed insights into the recent activities of the specified ASNs (Autonomous System Numbers), highlighting potential security risks and recommending proactive measures to defend against evolving cyber threats.

Malware needs to communicate to an external address to receive commands, download new capabilities, and exfiltrate data. Here are the top ASNs that malware is communicating with for its C2 (command-and-control).

Top ASNs Under Observation:

1. ASN 9318 (HANARO Telecom):
   • Description: HANARO Telecom is a major Internet service provider (ISP) based in South Korea. It offers broadband, wireless, and enterprise networking services.
   • Recent Activity: Elevated levels of suspicious traffic have been detected originating from ASN 9318, indicating potential malicious behavior within its network infrastructure. This activity includes a notable increase in connections to known malicious domains and sources of malware.
   • Type: ISP; Count: 2755

1. ASN 8968 (BT Italia S.p.A.):
   • Description: BT Italia S.p.A. is an Italian telecommunications company offering a range of services including broadband internet, mobile, and IT solutions.
   • Recent Activity: Unusual network behavior has been observed within ASN 8968, characterized by a surge in encrypted traffic to geographically disparate regions associated with malicious activity. This heightened activity warrants further investigation to ascertain the nature and intent of these connections.
   • Type: ISP; Count 2466

1. ASN 7684 (Sprint):
   • Description: Sprint, now a part of T-Mobile, was a major telecommunications company in the United States, providing wireless and wireline communications services.
   • Recent Activity: An increase in command-and-control (C2) communication has been detected emanating from ASN 7684 in . This activity suggests potential botnet or malware-related operations within the network, necessitating proactive measures to mitigate associated risks.
   • Type: Hosting; Count: 1025

1. ASN 216319 (Telenet Solutions SRL):
   • Description: Telenet Solutions SRL is an internet service provider operating in Romania, offering broadband, data center, and cloud services.
   • Recent Activity: Suspicious network activity has been identified within ASN 216319 out of Great Britain, including connections to malicious domains and indicators of compromise. This activity pattern indicates possible involvement in cyber threats such as botnets or malware distribution.
   • Type: Hosting; Count: 957

1. ASN 216309 (Corporacion Nacional de Telecommunicaciones - CNT EP):
   • Description: Corporacion Nacional de Telecommunicaciones (CNT) is a state-owned telecommunications company in Ecuador, providing a wide range of services including internet, TV, and telephony.
   • Recent Activity: Elevated levels of malicious traffic have been observed originating from ASN 216309, also out of Great Britain. This activity includes indications of phishing campaigns, malware distribution, or other malicious activities, posing significant risks to network security and integrity.
   • Type: Business; Count: 825

Recommendations:

• Conduct thorough analysis and monitoring of traffic originating from the identified ASNs to detect and respond promptly to any malicious activity.
• Implement enhanced network security measures such as intrusion detection systems, traffic filtering, and threat intelligence feeds to mitigate the risk posed by emerging threats.
• Collaborate with relevant ISPs and security partners to share threat intelligence and coordinate response efforts to mitigate the impact of malicious activity across networks.

Top Malware Families Under Observation:

Urelas:

• Description: Urelas is a sophisticated malware family known for its advanced capabilities in data exfiltration, remote access, and espionage. It typically spreads through phishing emails or malicious downloads, targeting organizations and individuals alike.
• Recent Activity: An uptick in Urelas-related malware detonations has been observed, with instances reported across multiple sectors. The malware is being used to exfiltrate sensitive data, including intellectual property and financial information, posing significant risks to affected organizations.
• Risks: Urelas poses a severe threat to confidentiality, integrity, and availability of sensitive data. Its advanced evasion techniques and stealthy behavior make it challenging to detect and mitigate effectively.

Sality:

• Description: Sality is a polymorphic virus known for its ability to infect executable files and propagate across networks. It often incorporates rootkit functionalities to evade detection and removal.
• Recent Activity: Instances of Sality malware detonations have resurfaced, targeting vulnerable systems and exploiting unpatched software vulnerabilities. The malware is capable of compromising system integrity, facilitating unauthorized access, and executing arbitrary code.
• Risks: Sality poses significant risks to system security and stability, with potential consequences including data loss, system downtime, and unauthorized access to sensitive information. Its self-replicating nature makes it particularly challenging to contain and eradicate.

Risepro:

• Description: Risepro is a banking trojan designed to steal sensitive financial information, such as banking credentials and credit card details, from infected systems. It often spreads through malicious email attachments or drive-by downloads.
• Recent Activity: Risepro malware detonations have surged in recent weeks, targeting individuals and financial institutions globally. The malware is capable of keystroke logging, screen capturing, and web injection, enabling threat actors to conduct fraudulent transactions and identity theft.
• Risks: Risepro poses a significant threat to individuals' and organizations' financial security, with potential consequences including financial loss, reputational damage, and regulatory penalties. Its stealthy behavior and encryption capabilities make it challenging to detect and mitigate effectively.

Stealc:

• Description: Stealc is an information stealer purported to be sold as malware-as-a-service on Russian-speaking forums. It is designed to steal sensitive information from infected systems, including credentials, passwords, and cryptocurrency wallets. It often spreads through phishing campaigns or exploit kits.
• Recent Activity: Stealc malware variants have been detected in various cybercrime operations, targeting a wide range of industries and sectors. The malware is adept at harvesting credentials from web browsers, email clients, and FTP programs, compromising user privacy and system security.
• Risks: Stealc poses significant risks to individual and organizational security, with potential consequences including identity theft, financial fraud, and unauthorized access to sensitive systems and data. Its stealthy behavior and frequent updates make it challenging to detect and mitigate effectively.

1. Amadey:
2. 
   
   • Description: Amadey is a versatile malware family known for its capabilities in remote access, data theft, and system manipulation. It typically spreads through spam emails, malicious attachments, or drive-by downloads.
   • Recent Activity: Amadey malware campaigns have been increasingly active, targeting organizations across various sectors, including healthcare, finance, and government. The malware is capable of keylogging, screen capturing, and file exfiltration, facilitating espionage and data theft.
   • Risks: Amadey poses a significant threat to confidentiality, integrity, and availability of sensitive information, with potential consequences including data breaches, financial loss, and reputational damage. Its polymorphic nature and obfuscation techniques make it challenging to detect and mitigate effectively.

Recommendations:

• Maintain up-to-date antivirus software and security patches to protect against known malware threats.
• Implement multi-layered security controls, including email filtering, endpoint protection, and network segmentation, to mitigate the risk of malware infections.
• Conduct regular security awareness training to educate users about the dangers of phishing emails and malicious downloads.
• Deploy advanced threat detection and response capabilities to identify and mitigate emerging malware threats proactively.
  
  

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.