Cybersecurity researchers warn defenders of yet another phishing campaign, dubbed MULTI#STORM, in which hackers abuse JavaScript files to drop RAT malware onto targeted systems. The MULTI#STORM attack chain contains multiple stages, with the final one spreading Quasar RAT and Warzone RAT samples. According to the investigation, the threat actors behind this campaign have set their sights on the U.S. and India.
MULTI#STORM Attack Detection
SOC Prime Platform for collective cyber defense enables organizations to boost their cyber resilience by delivering cost-efficient and cutting-edge solutions backed by Sigma and MITRE ATT&CK technologies. To arm cyber defenders with behavior-based SOC content for MULTI#STORM attack detection, SOC Prime Platform curates a set of relevant Sigma rules mapped to ATT&CK and compatible with market-leading SIEM, EDR, XDR, and Data Lake technologies.
Click the Explore Detections button below to drill down to the comprehensive list of Sigma rules to detect the novel MULTI#STORM campaign and timely identify any potential traces of RAT malware in the organization’s infrastructure. All detection algorithms are enriched with relevant metadata, like ATT&CK and CTI links, mitigations, and corresponding binaries.
MULTI#STORM Phishing Attack Analysis
Cybersecurity researchers at Securonix Threat Labs have uncovered a novel phishing campaign known as MULTI#STORM that mainly targets individual users in the U.S. and India. The infection chain starts when the victim clicks an embedded link leading to a password-protected ZIP file hosted on Microsoft OneDrive. The archive contains an obfuscated JavaScript file that, once double-clicked, spreads the infection further by leveraging a Python-based loader, which shares capabilities and attacker TTPs with DBatLoader malware. The loader used at the initial attack stage in the MULTI#STORM campaign is responsible for spreading a set of RAT malware samples on the impacted systems and leverages a set of advanced techniques to maintain persistence and evade detection.
Threat actors first drop the notorious Trojan dubbed Warzone RAT, which is capable of encrypted C2 communication, maintaining persistence, and password recovery while also applying a set of adversary techniques for detection evasion, like Windows Defender bypass functionality. Warzone RAT is used by hackers to steal sensitive data, like cookies and credentials from popular web browsers.
Researchers also observed the malicious traces of another payload dubbed Quasar RAT behind the Warzone RAT execution in the MULTI#STORM operation. Threat actors applied a different port for communication after successful Quasar RAT execution.
As potential mitigation measures, cyber defenders recommend continuously monitoring the usage of OneDrive links, avoiding opening any suspicious email attachments, particularly ZIP files, and limiting the execution of unknown binaries through policy updates, along with following best practices for email security.
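The infection chain above (a double-clicked JavaScript file from a downloaded archive, which in turn starts a Python-based loader) leaves a process-lineage trail that a SOC can hunt for. The following is an added example, not SOC Prime's code or one of the Sigma rules referenced on this page: a small detector that evaluates constructed Windows process-creation events and flags (1) a Windows script host (wscript.exe or cscript.exe) running a .js file from a user-writable location and (2) a Python interpreter spawned directly by a script host. The field names (Image, CommandLine, ParentImage) follow the Sysmon Event ID 1 convention; the event records below are constructed for illustration and are not artifacts of the campaign.

```python
"""
Added example (not SOC Prime's code or a rule from the page): flag the
script-host -> Python loader lineage described in the MULTI#STORM write-up.
Sample events are constructed; field names mirror Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass

# Windows script hosts that run a double-clicked .js file.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Locations a standard user can write to and run from without admin rights.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|Desktop|AppData)|Temp)\\", re.IGNORECASE
)

# A .js argument, either quoted (may contain spaces) or a bare token.
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the new process (Sysmon: Image)
    command_line: str   # Sysmon: CommandLine
    parent_image: str   # full path of the parent (Sysmon: ParentImage)


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore the directory."""
    return path.rsplit("\\", 1)[-1].lower()


def script_host_running_js(ev: ProcEvent):
    """Rule 1: a script host launches a .js file from a user-writable path."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    m = JS_ARG.search(ev.command_line)
    if not m:
        return None
    js_path = m.group(1) or m.group(2)
    if not USER_WRITABLE.search(js_path):
        return None
    return "script_host_js_from_user_dir"


def python_spawned_by_script_host(ev: ProcEvent):
    """Rule 2: a Python interpreter whose parent process is a script host."""
    if basename(ev.parent_image) not in SCRIPT_HOSTS:
        return None
    if not basename(ev.image).startswith("python"):
        return None
    return "python_child_of_script_host"


RULES = (script_host_running_js, python_spawned_by_script_host)


def evaluate(events):
    """Return (rule_tag, command_line) for every event matching any rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((tag, ev.command_line))
    return hits


# Constructed sample telemetry: two benign events and two that match.
SAMPLE_EVENTS = [
    ProcEvent(  # benign: vendor installer script under Program Files
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\setup.js"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(  # suspicious: .js double-clicked from an extracted download
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_archive\invoice.js"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(  # suspicious: Python interpreter started by the script host
        image=r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
        command_line=r'"C:\Users\alice\AppData\Local\Temp\py\python.exe" loader.py',
        parent_image=r"C:\Windows\System32\wscript.exe",
    ),
    ProcEvent(  # benign: developer running Python from a shell
        image=r"C:\Python311\python.exe",
        command_line=r"python.exe -m pytest",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
]

if __name__ == "__main__":
    for tag, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{tag}] {cmd}")
```

Rule 1 corresponds to the Command and Scripting Interpreter technique (T1059) listed in the ATT&CK table below, and rule 2 catches the hand-off to the loader regardless of how the JavaScript was obfuscated. Tuning for a real environment means extending USER_WRITABLE to the paths your users actually download to and allow-listing any legitimate script-host automation.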
MITRE ATT&CK Context
All above-referenced Sigma rules are tagged with ATT&CK, providing in-depth contextual information and addressing the relevant tactics and techniques associated with the MULTI#STORM campaign.
| Tactics | Techniques | Sigma Rule |
| --- | --- | --- |
| Execution | Command and Scripting Interpreter (T1059) | |
| Execution | Windows Management Instrumentation (T1047) | |
| Persistence | Boot or Logon Autostart Execution (T1547) | |
| Defense Evasion | Abuse Elevation Control Mechanism (T1548) | |
| Defense Evasion | Virtualization/Sandbox Evasion (T1497) | |
| Defense Evasion | Hide Artifacts (T1564) | |
| Defense Evasion | Impair Defenses (T1562) | |
| Defense Evasion | Masquerading (T1036) | |
| Credential Access | OS Credential Dumping (T1003) | |
| Discovery | Remote System Discovery (T1018) | |
| Command and Control | Application Layer Protocol (T1071) | |
| Command and Control | Ingress Tool Transfer (T1105) | |
Sign up for SOC Prime Platform to get equipped with cutting-edge cyber defense tools matching your current security needs. Explore the world’s largest repository of over 10K Sigma rules to proactively detect emerging threats; rely on Uncoder AI to advance your detection engineering with Sigma & ATT&CK autocompletion, instant bi-directional query translation to 28+ language formats & in-depth cyber threat context backed by ChatGPT and the power of collective intelligence; or leverage Attack Detective to validate the entire detection stack in less than 300 seconds, find cyber defense gaps and effectively address them to bullet-proof your cybersecurity posture. Striving to keep up with the latest news? Join our open-source cyber defender community at discord.gg/socprime.