Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of April 2016

New Detection Technique - OSX/Pirrit

OSX/Pirrit is an invasive piece of OS X adware derived from the Windows version of the same adware. It intercepts the host's HTTP traffic through a local proxy, injects ads into the proxied pages, and maintains persistence by installing a launchd job (a LaunchDaemon), so it survives reboots and runs without user interaction.

We've added IDS signatures and created the following correlation rule to detect OSX/Pirrit activity:

  • System Compromise, Adware infection, OSX/Pirrit
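The persistence mechanism above is what a host-side triage should look at first. The following is an added example (not the page's or the vendor's code) that parses launchd job plists with the standard library and flags jobs that start at load or are kept alive from a binary outside the usual system locations. The trusted-path allow-list and the two sample plists are constructed for the example; the "suspicious" one is a made-up third-party job, not a real OSX/Pirrit artifact.

```python
"""Triage launchd persistence entries (LaunchDaemons / LaunchAgents).

Added example, not vendor code. Parses XML or binary plists with plistlib
and reports jobs that look like third-party persistence. Sample plists are
constructed; the suspicious one is not a real OSX/Pirrit artifact.
"""
import plistlib
from pathlib import Path

# Directories launchd loads persistent jobs from (real macOS paths).
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    "~/Library/LaunchAgents",
]

# Executable prefixes treated as expected for system-shipped jobs.
# Assumption: an environment-specific allow-list; tune it to your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
USER_WRITABLE = ("/private/tmp/", "/tmp/", "/var/tmp/", "/Users/")


def job_executable(job: dict) -> str:
    """Return the binary a launchd job runs (Program wins over ProgramArguments)."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_job(job: dict) -> list:
    """Return reasons this job looks like third-party persistence (empty = clean)."""
    reasons = []
    exe = job_executable(job)
    label = job.get("Label", "")
    trusted = exe.startswith(TRUSTED_PREFIXES)
    if job.get("RunAtLoad") and not trusted:
        reasons.append(f"runs at load from non-system path {exe}")
    if job.get("KeepAlive") and not trusted:
        reasons.append("KeepAlive restarts a non-system binary")
    if not label.startswith("com.apple.") and exe.startswith(USER_WRITABLE):
        reasons.append(f"binary lives in a user-writable location ({exe})")
    return reasons


def triage_plist_bytes(data: bytes) -> list:
    """Parse one plist and assess it; parse failures are themselves a finding."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed plists are worth a look too
        return [f"unparseable plist: {exc}"]
    if not isinstance(job, dict):
        return ["plist root is not a dictionary"]
    return assess_job(job)


def triage_directories(dirs=LAUNCHD_DIRS) -> dict:
    """Scan the launchd directories on a live host; returns {path: reasons}."""
    findings = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            reasons = triage_plist_bytes(p.read_bytes())
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed sample plists (not real artifacts).
SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.agent</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.updater/updater</string><string>--proxy</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("clean", SAMPLE_CLEAN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, triage_plist_bytes(data) or "no findings")
    # On a macOS host, uncomment to scan the real launchd directories:
    # print(triage_directories())
```

A job that is flagged only because its binary sits under /Users or /tmp is not necessarily malicious (some legitimate installers do this), but combined with RunAtLoad and KeepAlive it is the profile of adware that wants to keep a proxy running, and it is worth pairing with a check of the host's HTTP proxy settings.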

New Detection Technique - DMRC CVE-2016-2345

A buffer overflow vulnerability in the DameWare Mini Remote Control (DMRC) software could allow a remote attacker to execute arbitrary code. DMRC is typically used to share screens, chat, transfer files and initiate MRC, RDP or VNC sessions. Because remote management software usually runs with elevated privileges and is reachable across the network by design, it is an attractive target for attackers.

We've added an IDS signature and correlation rule to detect exploitation of the DMRC buffer overflow:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Knokker
  • System Compromise, Trojan infection, Shouqu
  • System Compromise, Trojan infection, ATRAPS
  • System Compromise, Trojan infection, Ratty

New Detection Technique - Client-Side Exploits

As part of a maintenance update, we've added a couple of IDS signatures related to older vulnerabilities in Microsoft Office. We also added the following correlation rules to detect exploitation attempts:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Excel corrupted incorrect type assumed BiffRecord download (CVE-2014-6361)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Office Memory Corruption Vulnerability (CVE-2015-6172)

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Tool (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity.

  • System Compromise, Malware RAT, Luminosity Link RAT
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Malware SSL Certificates

We have added new IDS signatures covering the abuse.ch SSL Blacklist (SSLBL), a list of SHA1 fingerprints of SSL/TLS certificates that abuse.ch has identified as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Dyre SSL Certificate
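Matching on certificate fingerprints works even when the C&C server changes IP address, as long as the operator keeps the same certificate. The following is an added example (not the page's, the vendor's, or abuse.ch's code) of the matching logic: it parses the SSLBL CSV format (comment lines start with `#`, data rows are `Listingdate,SHA1,Listingreason`), then checks Suricata EVE `tls` records, whose `fingerprint` field carries the server certificate's SHA1 as colon-separated hex. The CSV rows, EVE lines and the "certificate" bytes below are constructed for the example; the fingerprints are derived from those constructed bytes and are not real listed certificates.

```python
"""Match observed TLS certificate fingerprints against an abuse.ch SSLBL export.

Added example, not vendor code. SSLBL rows and EVE records are constructed;
the fingerprints come from made-up bytes, not from real certificates.
"""
import csv
import hashlib
import io
import json


def normalize_sha1(fp: str) -> str:
    """Canonical form: lower-case, no colons, so 'AA:BB:..' and 'aabb..' compare equal."""
    fp = fp.strip().lower().replace(":", "").replace(" ", "")
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return fp


def cert_fingerprint(der: bytes) -> str:
    """SHA1 over the DER-encoded certificate, which is what SSLBL lists."""
    return hashlib.sha1(der).hexdigest()


def parse_sslbl(text: str) -> dict:
    """Return {sha1: (listing_date, reason)} from SSLBL CSV text."""
    data_lines = (ln for ln in io.StringIO(text) if ln.strip() and not ln.startswith("#"))
    listed = {}
    for row in csv.reader(data_lines):
        if len(row) < 3:
            continue  # tolerate truncated rows rather than abort the whole load
        date, sha1, reason = row[0], row[1], ",".join(row[2:])
        listed[normalize_sha1(sha1)] = (date, reason)
    return listed


def match_eve_tls(eve_lines, listed: dict) -> list:
    """Return one alert per EVE 'tls' event whose cert fingerprint is on the list."""
    alerts = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines
        if ev.get("event_type") != "tls":
            continue
        fp = ev.get("tls", {}).get("fingerprint")
        if not fp:
            continue  # e.g. session resumed without a certificate
        try:
            key = normalize_sha1(fp)
        except ValueError:
            continue
        if key in listed:
            date, reason = listed[key]
            alerts.append({
                "timestamp": ev.get("timestamp"),
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
                "dest_port": ev.get("dest_port"),
                "sni": ev.get("tls", {}).get("sni"),
                "sha1": key,
                "reason": reason,
                "listed": date,
            })
    return alerts


# --- constructed sample data -------------------------------------------------
FAKE_CERT_DER = b"constructed bytes standing in for a DER certificate"
LISTED_FP = cert_fingerprint(FAKE_CERT_DER)
LISTED_FP_COLONS = ":".join(LISTED_FP[i:i + 2] for i in range(0, 40, 2)).upper()
UNLISTED_FP = cert_fingerprint(b"some other constructed certificate")

SAMPLE_SSLBL = f"""# abuse.ch SSLBL SSL Certificate Blacklist (SHA1 Fingerprints)
# Listingdate,SHA1,Listingreason
2016-04-04 09:15:00,{LISTED_FP},Dyre C&C
2016-04-03 18:42:00,{'0' * 40},Generic malware C&C
"""

SAMPLE_EVE = [
    json.dumps({"timestamp": "2016-04-05T10:00:01.000000+0000", "event_type": "tls",
                "src_ip": "10.0.0.23", "dest_ip": "203.0.113.10", "dest_port": 443,
                "tls": {"subject": "CN=example", "fingerprint": LISTED_FP_COLONS, "sni": "example.invalid"}}),
    json.dumps({"timestamp": "2016-04-05T10:00:02.000000+0000", "event_type": "tls",
                "src_ip": "10.0.0.23", "dest_ip": "203.0.113.11", "dest_port": 443,
                "tls": {"subject": "CN=benign", "fingerprint": UNLISTED_FP}}),
    json.dumps({"timestamp": "2016-04-05T10:00:03.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.23", "dest_ip": "10.0.0.1"}),
    "{this line is not valid json",
]

if __name__ == "__main__":
    for alert in match_eve_tls(SAMPLE_EVE, parse_sslbl(SAMPLE_SSLBL)):
        print(alert)
```

The normalization step matters in practice: different sensors emit the fingerprint as upper- or lower-case, with or without colons, and a rule that compares raw strings will silently miss listed certificates.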

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to the user, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit fingerprints the browser and its plugins and attempts the exploits it carries to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable download from a bad IP reputation web site
  • Exploitation & Installation, Malicious website - Exploit Kit, Nuclear EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK

Updated Detection Technique - Maktub Ransomware

Maktub Locker is a ransomware family that comes with a well-designed GUI and a few interesting features, such as compressing files before encrypting them. The ransomware comes packed in a crypter; upon execution it makes many benign-looking API calls intended to deceive sandboxes and behavioral detection tools, and then rewrites itself in memory. Maktub's name originates from the Arabic word maktub, which roughly translates to "this is written" or "this is fate".

We've added IDS signatures and updated the following correlation rule to detect Maktub activity:

  • System Compromise, Ransomware infection, Maktub

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families.

  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Teslacrypt
  • System Compromise, Ransomware infection, BandarChor

Updated Detection Technique - Point Of Sale Malware

Point of Sale (POS) systems are a juicy target for cybercriminals. Large retailers process thousands of transactions daily using these systems, meaning they often handle large volumes of payment card data. There are several pieces of malware available on the black market that scrape this data from the memory of POS devices, where it is processed in clear text even when it is encrypted on disk and on the wire.

We have added IDS signatures and updated correlation rules to detect the following POS malware:

  • System Compromise, C&C Communication, FrameworkPOS

Updated Detection Technique - Derusbi

Derusbi is a trojan that has typical trojan features (e.g. remote access, file management, credential stealing) and comes in both server and client variants. Other trojans that are derived from Derusbi include Sakula and Kakfum. Derusbi uses a custom network handshake to establish communication between server and client and applies basic encryption to the communication channel.

We have added IDS signatures and updated the following correlation rule to detect Derusbi activity:

  • System Compromise, Targeted Malware, Derusbi

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites act as gateways that expose Tor hidden services to the regular Internet, so a client can reach a hidden service without running Tor itself. We have created a new correlation rule that detects when a system is accessing one of these gateways. Many ransomware schemes use hidden services to receive payments and conduct other malicious activities, so traffic to an onion gateway from inside the network is worth investigating.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Trojan infection, IRC Bot
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, iSpySoft
  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation domain
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Unknown trojan