Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of December 2016

New Detection Technique - Goldeneye

Goldeneye is a new ransomware family which spreads via email, utilizing a novel technique by attaching both a 'clean' and a malicious file in an attempt to lull the victim into a false sense of security. Goldeneye is also unique in that, after encrypting a user's files, it then runs a modified variant of the Petya ransomware to encrypt the Master File Table (MFT) of the victim's hard drive. 

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Goldeneye

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Sony IPELA Engine IP Camera Exploit

A backdoor was recently discovered in Sony IPELA Engine IP Cameras. The backdoor could allow attackers to execute commands as an administrative user.

The following correlation rule has been added due to this exploit activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Sony IPELA Engine IP Camera telnet enable

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Adware infection, Addrop
  • System Compromise, Trojan infection, Snatch

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts every attack it knows in order to compromise the user's browser and install malware on the machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Vawtrak SSL Certificate
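As an added illustration (not part of the original update and not the product's own signature logic), the following Python matches certificate SHA1 fingerprints observed in TLS handshake logs against an Abuse.ch SSLBL-style blacklist. The fingerprints, listing reasons and log lines are constructed placeholders, and the log layout is a simplified Zeek-like tab-separated form.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the Abuse.ch SSL Blacklist CSV layout (date, SHA1, reason).
# The fingerprints below are placeholders, not real indicators.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2016-12-01 10:15:00,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Vawtrak C&C
2016-12-02 08:30:00,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Dreambot C&C
"""

# Constructed TLS handshake log lines, tab-separated:
# ts, src_ip, dst_ip, dst_port, server_name, cert_sha1 (case may vary by sensor)
TLS_LOG = """1480600000.1\t10.0.0.5\t203.0.113.10\t443\t-\tAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1480600001.2\t10.0.0.5\t198.51.100.20\t443\texample.org\tcccccccccccccccccccccccccccccccccccccccc
1480600002.3\t10.0.0.7\t203.0.113.11\t8443\t-\tbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

def load_blacklist(csv_text):
    """Parse SSLBL-style CSV into {sha1 (lowercase): listing reason}, skipping '#' comment lines."""
    bad = {}
    rows = csv.reader(line for line in io.StringIO(csv_text) if not line.startswith("#"))
    for row in rows:
        if len(row) != 3:
            continue  # malformed row: ignore rather than poison the lookup table
        _date, sha1, reason = row
        bad[sha1.strip().lower()] = reason.strip()
    return bad

@dataclass
class Alert:
    src_ip: str
    dst: str
    reason: str

def detect_malicious_certs(log_text, blacklist):
    """Return one Alert per TLS session whose server certificate fingerprint is blacklisted."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _sni, sha1 = line.split("\t")
        reason = blacklist.get(sha1.lower())  # normalise case before lookup
        if reason:
            alerts.append(Alert(src, f"{dst}:{port}", reason))
    return alerts
```

The lookup is keyed on the certificate fingerprint rather than the destination IP or SNI, so a C&C server that rotates hosts but reuses its certificate is still caught.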

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with exploitation of a vulnerability, followed by installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Quasar RAT

Updated Detection Technique - Qadars

Qadars is a banking trojan being used by an unknown threat actor. Qadars primarily has been seen targeting 6 countries: the Netherlands, France, Canada, India, Australia and Italy. Qadars uses a Man-in-the-Browser (MitB) scheme to perform financial fraud.

We've added IDS signatures and updated the following correlation rule to detect Qadars activity:

  • System Compromise, C&C Communication, Qadars 

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Dreambot

Dreambot is one of the most active variants of the Ursnif trojan. This variant sets itself apart from the others by introducing Tor and P2P communication functionality. Dreambot is currently being spread through a variety of means including, but not limited to, exploit kits, malicious links, and email attachments.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, Dreambot SSL activity

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Trojan infection, LatentBot
  • System Compromise, Trojan infection, Unknown trojan