Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of January 2016

Emerging Threat - Cryptojoker

Cryptojoker is ransomware that encrypts a victim's files with AES-256 encryption -- encrypted files are renamed with the extension .crjoker. Cryptojoker will delete Windows shadow volume copies and disable the Windows automatic startup repair to prevent recovery of encrypted files.

We added IDS signatures and a correlation rule to detect Cryptojoker activity:

  • System Compromise, Ransomware infection, Cryptojoker

New Detection Technique - Encryptor RaaS

Encryptor RaaS is a Ransomware-as-a-Service platform. The service generates an executable that will encrypt a victim's files and open a TOR-based website (via a proxy) with ransom demands.

We added IDS and correlation rules to detect Encryptor RaaS activity:

  • System Compromise, Ransomware infection, Encryptor RaaS 

New Detection Technique - MrBlack

MrBlack (A.K.A. DDOSTF) is malware that causes infected machines to participate in DDoS attacks. MrBlack is similar to the BillGates malware, which also launches DDoS attacks. Both families have Linux and Windows versions, share attack methods, and have similar C&C consoles.

We have added IDS signatures and a correlation rule to detect MrBlack activity:

  • System Compromise, Malware infection, MrBlack

New Detection Technique - OSX malware

We have enhanced our detection capabilities for some families of OSX malware. 

We've added IDS rules and correlation rules to detect activity from OceanLotusCoinThiefKiTM and LaoShu.

  • System Compromise, Targeted Malware, OceanLotus
  • System Compromise, Trojan infection, CoinThief 
  • System Compromise, Trojan infection, KitM
  • System Compromise, Trojan infection, LaoShu

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Malware RAT, Mobi Rat
  • System Compromise, Malware infection, Agent XOA
  • System Compromise, Malware infection, Blackmoon
  • System Compromise, Malware infection, Browserlocker
  • System Compromise, Malware infection, Jongiti
  • System Compromise, Ransomware infection, NanoLocker
  • System Compromise, Trojan infection, Agent RNW
  • System Compromise, Trojan infection, Cl0wnbot
  • System Compromise, Trojan infection, Fourthrem
  • System Compromise, Trojan infection, Like4uBot
  • System Compromise, Trojan infection, PUA.KUWO
  • System Compromise, Trojan infection, Rifdoor
  • System Compromise, Trojan infection, Sacto
  • System Compromise, Trojan infection, SpywareLyndra
  • System Compromise, C&C Communication, APT.SSLSneak SSL activity
  • System Compromise, Targeted Malware, APT.SSLSneak
  • System Compromise, Targeted Malware, APT.T9000

Updated Detection Technique - DustySky

DustySky is composed of multiple pieces: a dropper, keylogger and backdoor. It attempts to avoid running in a virtual machine and checks for the presence of anti-virus software. DustySky is known to be used by the Molerats attacker group.

We added IDS signatures and updated correlation rules to detect DustySky activity:

  • System Compromise, Trojan infection, DustySky

Updated Detection Technique - DarkHotel

The DarkHotel threat actor has been refining its malware and is expanding its target demographic. DarkHotel continues to spearphish and has recently incorporated Hacking Team's zero-day Flash exploit into some of its attacks. We have added IDS signatures and created a correlation rule to detect DarkHotel activity:

  • System Compromise, Targeted Malware, DarkHotel

Updated Detection Technique - Careto

Careto is advanced malware that targets victims through malicious websites included in spear-phishing emails. In addition to standard backdoor functionality, Careto has stealth capabilities that make it difficult to detect. Careto is usually bundled with other malware such as a rootkit, bootkit and malware for different platforms (Win32, Win64, OSX and Linux). The sophistication of Careto indicates that it could be part of a state-sponsored campaign.

We have added IDS signatures and updated correlation rules to detect Careto activity:

  • System Compromise, Targeted Malware, Careto

Updated Detection Technique - Dridex

Dridex is a piece of malware designed to steal banking credentials and several social media sites. Dridex performs a technique called web injection into the HTML of banking websites and then sends the stolen data to a remote command and control server. We have added several IDS signatures and correlation rules that will alert when the system detects Dridex talking to a command and control server:

  • System Compromise, Malware infection, Dridex

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control to the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity.

  • System Compromise, Malware RAT, PlugX

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures to include the list of certificates identified by to be associated with malware of botnet activities. The new correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gozi SSL Activity

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.

  • Exploitation & Installation, Malicious website - Exploit Kit, Nuclear EK
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top level domain suffix that is used for hidden services inside the Tor network. Several families of malware are starting to use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain. We have updated a correlation rule that groups different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed trough the Tor network and are called hidden services. There are some websites that allow access to Tor hidden services through the Internet without being inside the Tor network. We have created a new correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Trojan infection, DDoS trojan BlackEnergy
  • System Compromise, Malware infection, Nivdort
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, SpyAgent
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Malware infection, Generic
  • System Compromise, Targeted Malware, Elmer
  • System Compromise, Trojan infection, Bulta
  • System Compromise, Trojan infection, Jukbot
  • System Compromise, Fake Antivirus infection, Generic FakeAV
  • System Compromise, Trojan infection, Nitol
  • System Compromise, Malware infection, Codelux Video Keylogger
  • System Compromise, Trojan infection, Danginex