UnpacMe Weekly: Hunting Improvements & Threat Coverage
Updated capa to use the latest version 6.0.0, expanded Goodware corpus for testing Yara rules, and improved byte search performance.
Highlights
- [Updated] We updated capa to use the latest version 6.0.0.
- [Improved] Yara Hunting improvements and fixes.
- [Improved] Byte search performance, based on user feedback from the IDA Search Plugin.
- [Improved] Expanded Goodware corpus for testing Yara rules.
- [Improved] Updated malware labels for search results.
- Expanded coverage for several threats observed in recent weeks.
Weekly Threat Hunting
This week Redline and Amadey have remained the most frequently submitted threats, followed by SmokeLoader and AgentTesla. As noted in recent weeks, we continue to observe Downloaders and Information Stealers as the top submitted threat types. Over the past few weeks, we've seen a decline in Stop/Djvu Ransomware submissions, which spiked in June.
This week we've observed a decrease in Bot and RAT threat types compared to previous weeks. This decline may be a secondary effect of the high volume of Redline and Amadey malware samples processed this week. We will be looking at how we compile the top threats to determine whether additional metrics could provide a more accurate view of the week's most prominent threats and of threat trends from week to week.
Threat Coverage
- RootTeam - Added coverage for RootTeam, a Go-based information stealer that can be built via a Telegram bot.
- Laplas Clipper - Updated coverage for Laplas Clipper, a Go-based clipboard stealer.
- BanditStealer - Added coverage for BanditStealer, a Go-based information stealer that primarily targets browser credentials and cryptocurrency wallets.
- Truebot - Updated coverage and malware configuration extraction for the Truebot downloader.
- Raccoon Stealer - Updated coverage for Raccoon Stealer.
- DCRat - Updated coverage for DCRat, a .NET-based information stealer frequently modified by less-skilled threat actors.
- Sliver - Updated coverage for the Sliver adversary emulation framework.
- Stealc - Updated coverage for the Stealc information stealer.
- XWorm - Updated coverage for XWorm, a .NET-based information stealer.
- Meduza Stealer - Added coverage for Meduza Stealer, an information stealer first observed in June 2023.
As always, if you have any feedback or issues, please let us know.
Happy Hunting!