Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of July 2016

Emerging Threat - Keydnap

Keydnap, discovered by ESET, is the latest malware targeting Mac OS X operating systems. The malware steals login credentials from the keychain allowing attackers to take over the system and maintain a persistent backdoor. Keydnap is distributed as a zip file that contains a Mach-O executable disguised as an image or text file. Once the malware is installed, one of its components, icloudsyncd, connects to Tor to send data back to the Command and Control (C&C) server. System changes are also made to allow for automatic execution when rebooted. The latest versions of Mac OS X utilize the Gatekeeper security feature which prevents successful installation of this malware.

We've added IDS signatures and the following correlation rule to detect Keydnap activity:

  • System Compromise, Trojan infection, Keydnap

New Detection Technique - Wget Arbitrary File Write Exploit Attempt (CVE-2016-4971)

CVE-2016-4971 is a vulnerability found in old versions of wget. In 2010, many command line programs were patched to distrust filenames provided by HTTP servers via Location and Content-Disposition headers. Wget gained command line options to let users revert to the old (risky) behavior. The fix for wget was incomplete, not covering the case of HTTP to FTP redirects. An updated version of wget (v 1.18) has been released that fixes this issue. Update your systems to this latest version to remediate this vulnerability.

We've added IDS signatures and the following correlation rule to detect the activity related to the vulnerability:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Wget Arbitrary File Write Exploit Attempt (CVE-2016-4971)

New Detection Technique - Malware

We've added the following correlation rules due to recent malicious activity:

  • Reconnaissance & Probing, Vulnerability Scanning, Redis scanning
  • System Compromise, Backdoor, Muirim
  • System Compromise, Backdoor, ShadowDoor
  • System Compromise, Trojan infection, XXMM2

Updated Detection Technique - APT Scarcruft

Scarcruft is a fairly new APT group that was responsible for both Operation Daybreak and Operation Erebus. The group has been targeting victims in Russia and Asia with very targeted attacks that utilize multiple zero day vulnerabilities.

We've added IDS signatures and updated the following correlation rule to improve Scarcruft detection:

  • System Compromise, Targeted Malware, APT Scarcruft

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control to the compromised machine.

We have added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures which include certificates identified by associated with botnet activities. The updated correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network and are called hidden services. There are some websites that allow access to Tor hidden services through the Internet without being inside the Tor network.

We've updated the correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top level domain suffix that is used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain.

We've updated a correlation rule that groups different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families.

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CryptXXX
  • System Compromise, Ransomware infection, Locky

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • System Compromise, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation server
  • System Compromise, Spyware infection, Generic spyware
  • System Compromise, Suspicious Behaviour, Suspicious HTTP request
  • System Compromise, Trojan infection, Dapato
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, PSEmpire
  • System Compromise, Trojan infection, Adwind