Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of January.

New Detection Technique - MM Core

The MM Core backdoor, also known as BaneChant, is an APT family that has been used in targeted attacks against media, government, defense, oil & gas, manufacturing and telecommunications organizations around the world. It is fileless malware: the initial downloader executes it directly in memory, so it never touches disk as a stand-alone file.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, MM Core

New Detection Technique – OilRig

An Iranian threat actor known as OilRig, which has been targeting organizations in Israel, Turkey, Qatar, Kuwait, the United Arab Emirates, Saudi Arabia, and Lebanon since late 2015, has engaged in recent attacks against Israeli organizations. The malware OilRig spreads is digitally signed with a valid certificate issued by Symantec to AI Squared, which was likely stolen. The tools OilRig uses are not sophisticated; however, the group does employ techniques such as DNS-based command and control, which allow it to evade detection in many environments.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Oilrig

New Detection Technique – Ransomware

In the past week, we have seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect multiple new ransomware families:

  • System Compromise, Ransomware infection, MRCR1

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Fsociety

New Detection Technique – Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Rerdom
  • System Compromise, Trojan infection, Lizard
  • System Compromise, Trojan infection, Excrevie

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Orcus RAT SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate
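As an added illustration of how certificate-based C&C detection works (example code, not part of this update and not the product's rule logic), the snippet below loads a blacklist in the abuse.ch SSLBL CSV layout and matches it against TLS records shaped like Suricata EVE JSON; both the blacklist entries and the log lines are constructed placeholders.

```python
import csv
import json

# Constructed sample in the abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason).
# The SHA1 values are placeholders for this example, not real indicators.
SSLBL_CSV = """# abuse.ch SSL Blacklist (constructed sample)
# Listingdate,SHA1,Listingreason
2017-01-03 10:12:00,0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a,ZeuS C&C
2017-01-04 08:30:00,1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b,Panda Banker C&C
"""

# Constructed TLS records in the shape of Suricata EVE JSON (one object per line);
# the sensor writes the server certificate SHA1 as colon-separated hex.
TLS_LOG = "\n".join([
    '{"src_ip":"10.0.0.5","dest_ip":"203.0.113.7","event_type":"tls","tls":{"sni":"update.example","fingerprint":"0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a:0a"}}',
    '{"src_ip":"10.0.0.6","dest_ip":"198.51.100.9","event_type":"tls","tls":{"sni":"www.example.org","fingerprint":"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:0f:0e:0d:0c"}}',
    '{"src_ip":"10.0.0.7","dest_ip":"192.0.2.33","event_type":"http","http":{"hostname":"example.com"}}',
    '{"src_ip":"10.0.0.8","dest_ip":"192.0.2.44","event_type":"tls","tls":{"fingerprint":"1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B:1B"}}',
])


def load_sslbl(text):
    """Parse SSLBL CSV into {sha1: listing reason}, skipping comment lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    return {sha1.strip().lower(): reason.strip() for _date, sha1, reason in csv.reader(rows)}


def normalize_fingerprint(fp):
    """Strip colons and case so sensor output compares to the blacklist form."""
    return fp.replace(":", "").lower()


def match_tls_log(log_text, blacklist):
    """Return one hit per TLS record whose server certificate SHA1 is blacklisted."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue  # only TLS events carry a certificate fingerprint
        sha1 = normalize_fingerprint(rec["tls"].get("fingerprint", ""))
        if sha1 in blacklist:
            hits.append({"src_ip": rec["src_ip"], "dest_ip": rec["dest_ip"],
                         "sha1": sha1, "reason": blacklist[sha1]})
    return hits


if __name__ == "__main__":
    for hit in match_tls_log(TLS_LOG, load_sslbl(SSLBL_CSV)):
        print("C&C SSL certificate match:", hit)
```

A match on the certificate fingerprint holds even when the C&C server changes IP or hostname, which is why this source complements IP- and domain-based indicators.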

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that lets users browse the Internet anonymously. It also provides anonymity for servers, called hidden services, that can only be reached through the Tor network. Some websites act as proxies that expose Tor hidden services to the regular Internet, so a client can reach them without running Tor itself.

We've updated the correlation rule that detects when a system accesses one of these proxy services. Many ransomware schemes rely on them to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Banbra
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Peppy
  • System Compromise, Trojan infection, Unknown PowerShell
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200)