Threat Intel Brief for March 17 - 23, 2025
In this weekly Threat Intelligence Brief we look back at the week's top stories and security-related callouts to provide relevant, actionable insights for information security practitioners.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Stilachi Remote Access Trojan
Oracle Data Breach
Betruger Custom Backdoor
CISA KEV updates
Stilachi Remote Access Trojan
Microsoft Incident Response has identified a previously unknown remote access trojan (RAT), dubbed StilachiRAT, that employs advanced techniques for evasion, persistence and data exfiltration. Analysis of the malware revealed a range of capabilities designed to collect sensitive information, including browser-stored credentials, digital wallet data, clipboard contents and system details. The persistence and anti-forensic mechanisms used by StilachiRAT make it particularly hard both to analyze and to eradicate.
At the time of reporting, Microsoft had not attributed StilachiRAT to any known threat actor or geographic origin. While the malware has not yet been observed at scale, its stealthy nature and the dynamic threat landscape warrant continued vigilance. These findings are being shared to support broader awareness and proactive monitoring. The IOCs discovered for this threat so far are listed below.
Source: Microsoft
Oracle Data Breach
On March 21, CloudSEK reported a potential breach of Oracle Cloud, claiming a threat actor exploited a WebLogic zero-day to steal 6 million records, potentially impacting over 140,000 tenants. Oracle initially denied the breach. The actor, "rose87168," allegedly offered stolen data linked to Oracle SSO and LDAP services, including encrypted SSO credentials, Java KeyStore (JKS) files and key material. Despite Oracle's denial, CloudSEK published additional findings on March 24 to support its claims.
Since the initial post, the threat actor has shared further samples corroborating the original claim. Furthermore, several customers have shared a notification from Oracle stating that CrowdStrike and the FBI are currently investigating the incident.
CloudSEK has provided a tool to check whether your domain may have been exposed in the breach:
https://exposure.cloudsek.com/oracle
If you think you may have been affected, reach out to Oracle Support or your Oracle CSM for further guidance. Because the leaked material reportedly includes SSO credentials and JKS key material, treating affected credentials and keys as compromised and rotating them is the prudent course. CloudSEK has also published a list of mitigation strategies, which can be found here: CloudSEK
Source: Darkreading
Betruger Custom Backdoor
The Betruger backdoor has been observed in multiple recent RansomHub attacks, indicating that it is available to at least one affiliate within the operation. Analysis of the backdoor revealed functionality including screenshotting, keylogging, uploading files to a command-and-control (C&C) server, network scanning, privilege escalation and credential dumping. RansomHub, a ransomware-as-a-service (RaaS) platform operated by the cybercriminal group Greenbottle (as identified by Symantec), has been active since February 2024 and has rapidly expanded its footprint. By Q3 2024 it had become the most active ransomware group by volume of claimed attacks.
Greenbottle has attracted numerous affiliates by offering more favorable terms than competing RaaS groups, including a higher share of ransom payments and a payout structure in which affiliates receive payments directly from victims before forwarding the operator’s portion.
A recommended strategy to help mitigate this threat is to ensure EDR is deployed and operational across your organization. Additionally, logging and reviewing suspicious network activity, in particular the internal network scanning and credential dumping behaviour noted above, is crucial to identifying this threat before ransomware is deployed.
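The internal network scanning that Betruger performs before ransomware deployment is one of the behaviours the paragraph above says to log and assess. The following is an added example of that detection logic, not code from the Symantec report or from any product: it runs over a constructed flow log (synthetic records, not real telemetry) and flags a source that either touches many distinct hosts (horizontal sweep) or many distinct ports on one host (vertical scan) inside a sliding time window. The window length and thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample flow log (synthetic, not real telemetry). One record per line:
#   "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port>"
def constructed_flows():
    base = datetime(2025, 3, 18, 10, 0, 0)
    lines = []
    # 10.0.5.40: ordinary workstation, a handful of connections spread over an hour
    for i, (dst, port) in enumerate([("10.0.5.10", 443), ("10.0.5.10", 443),
                                     ("10.0.5.11", 445), ("10.0.5.12", 3389)]):
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()}Z 10.0.5.40 {dst} {port}")
    # 10.0.5.23: sweeps SMB (445) across 30 hosts in 30 seconds (horizontal scan)
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z 10.0.5.23 10.0.5.{100 + i} 445")
    # 10.0.5.77: probes 15 ports on a single host in 15 seconds (vertical scan)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443,
                              445, 1433, 3306, 3389, 5985]):
        lines.append(f"{(base + timedelta(seconds=20 + i)).isoformat()}Z 10.0.5.77 10.0.5.200 {port}")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the flow log into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return flows


def detect_scanners(flows, window=timedelta(seconds=60), host_threshold=10, port_threshold=10):
    """Return {src: verdict} for sources whose connections, within any `window`, reach
    at least `host_threshold` distinct hosts ("horizontal", n_hosts) or at least
    `port_threshold` distinct ports on one host ("vertical", n_ports, dst).
    Thresholds are assumed values; tune them to the environment's normal traffic."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in by_src.items():
        max_hosts, max_ports, max_ports_dst = 0, 0, None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the window is at most `window` long
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            max_hosts = max(max_hosts, len({dst for _, dst, _ in win}))
            ports_by_dst = defaultdict(set)
            for _, dst, dport in win:
                ports_by_dst[dst].add(dport)
            dst, ports = max(ports_by_dst.items(), key=lambda kv: len(kv[1]))
            if len(ports) > max_ports:
                max_ports, max_ports_dst = len(ports), dst
        if max_hosts >= host_threshold:
            alerts[src] = ("horizontal", max_hosts)
        elif max_ports >= port_threshold:
            alerts[src] = ("vertical", max_ports, max_ports_dst)
    return alerts


if __name__ == "__main__":
    for src, verdict in detect_scanners(parse_flows(constructed_flows())).items():
        print(src, verdict)
```

Run against the constructed log, the workstation stays quiet while the two scanning sources are reported. In practice this logic sits on firewall, NetFlow or EDR network telemetry; a burst of SMB or RDP connection attempts from a single workstation to dozens of internal hosts is a strong pre-ransomware signal and worth an alert regardless of which tool generated it.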
Source: Symantec
CISA KEV updates
CISA has added 5 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:
Don't know where to begin with vulnerability management?
Using CISA's KEV catalog as a risk-based approach can be a great way to prioritize vulnerability remediation in your organization: every entry is confirmed to have been exploited in the wild and carries a remediation due date, so KEV-listed findings from your scanner deserve attention ahead of findings ranked on severity score alone. This link provides CISA's guidance on how to use the KEV catalog: CISA
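As an added example of that prioritization (not code from CISA or from this brief's author), the script below cross-references scanner findings against a KEV-style catalog and orders the matches for remediation: findings already past CISA's due date first, then those with known ransomware campaign use, then by earliest due date. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the real KEV JSON feed; the catalog entries, the CVE-1900-* identifiers and the scanner findings are constructed placeholders, and the ordering rule is an assumption to adapt to your own policy.

```python
import json
from datetime import date

# Constructed miniature catalog in the shape of CISA's KEV JSON feed (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the feed; the entries and CVE-1900-* identifiers are placeholders, not real records.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
         "dateAdded": "2025-03-18", "dueDate": "2025-04-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Web Server",
         "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0003", "vendorProject": "ExampleVendor", "product": "Database",
         "dateAdded": "2025-03-20", "dueDate": "2025-04-10", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed scanner output: asset -> CVE IDs reported against it (placeholders as well).
SCAN_FINDINGS = {
    "web-01": ["CVE-1900-0002", "CVE-1900-0009"],
    "vpn-01": ["CVE-1900-0001"],
    "db-01": ["CVE-1900-0003", "CVE-1900-0042"],
}

# Assumed "today" for the worked run, so the result is reproducible.
REPORT_DATE = date(2025, 3, 24)


def load_kev(feed_text):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return the scanner findings that appear in the KEV catalog, ordered for remediation:
    past the CISA due date first, then known ransomware use, then earliest due date."""
    rows = []
    for asset, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited; leave it to the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "due": due,
                "overdue": due < today,
                "days_left": (due - today).days,
            })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, load_kev(KEV_SAMPLE), REPORT_DATE):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]}d left'
        print(f'{row["asset"]:8} {row["cve"]:14} {row["product"]:26} '
              f'ransomware={row["ransomware"]} {flag}')
```

Replacing `KEV_SAMPLE` with the downloaded feed and `SCAN_FINDINGS` with your scanner's export turns this into a daily report; findings that are not in the catalog are deliberately dropped from the list so that the KEV-backed ones are not buried among hundreds of unexploited CVEs.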
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact