Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of June 2016

New Detection Technique - Redirect to Flash Exploit (CVE-2015-0313)

CVE-2015-0313 is a critical vulnerability in Adobe Flash Player 16.0.0.296 and earlier versions, for both Windows and Mac platforms. Exploitation of this vulnerability could potentially cause a system crash and allow attackers to take full control of the affected machine. Adobe has since released an update to patch this vulnerability.

We've added IDS signatures and created the following correlation rule to detect CVE-2015-0313:

  • Exploitation & Installation, Vulnerable software, Redirect to Flash Exploit (CVE-2015-0313)

New Detection Technique - Qarallax

QRAT or Qarallax RAT is an emerging piece of malware targeting travelers applying for a US Visa. QRAT is a JAVA application that runs silently on systems with JAVA Runtime (JRE) installed. Once the malware has been installed, it downloads JAVA libraries from the IP address 95.211.141[.]215, which resolves to QARALLAX[.]COM. It connects to the same IP address over port 1714 which acts as its command and control (C&C) server. After installation, attackers have the capability to capture mouse movements and clicks, to take full control of the system's webcam, and start logging keyboard activity. QRAT is being distributed via Skype and email. Visa applicants communicating with US Visa Office support should double check the Skype handle of the person they are communicating with and the documents they receive as attachments to avoid becoming a victim.

We've added IDS signatures and created the following correlation rule to detect Qarallax:

  • System Compromise, Malware RAT, Qarallax

Last week we also updated some rules and added new IDS signatures to improve the detection of previously known RATs:

  • System Compromise, Malware RAT, PCRat
  • System Compromise, Malware RAT, Poison Ivy

New Detection Technique - FastPOS

FastPOS is a newly discovered malware family that is designed to exfiltrate stolen card data immediately rather than storing it locally and sending it in batches over time. Victims have been identified worldwide. The three main methods of distribution are direct file transfer via VNC, real-time file sharing services, and links to compromised medical sites focused on laser surgical techniques. Although no specific industry is being targeted, this new POS malware family seems to be targeting small-to-medium sized businesses, with simple DSL modems where ports are forwarded to the POS system, and where network level detection is less likely to be implemented. 

 We've added IDS signatures and created the following correlation rule to detect FastPOS:

  • System Compromise, Trojan infection, FastPOS

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malware SSL Certificates

We added new Intrusion Detection System signatures to include the list of certificates identified by Abuse.ch to be associated with malware of botnet activities. The updated correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, DustySky SSL activity
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, TorrentLocker SSL
  • System Compromise, C&C Communication, URLzone SSL Certificate
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network and are called hidden services. There are some websites that allow access to Tor hidden services through the Internet without being inside the Tor network. We have updated a correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families.

  • System Compromise, Ransomware infection, BandarChor
  • System Compromise, Ransomware infection, Crypmod
  • System Compromise, Ransomware infection, DMA Locker
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Torrentlocker

Updated Detection Technique - Keyloggers

Keylogging malware is used to record a victim's keystrokes when they type on a keyboard. Keyloggers can send a victim's keystrokes to a malicious party or store them for retrieval at a later time. Keylogging malware can be used to steal sensitive data such as login credentials or banking information. We have added IDS signatures and updated the correlation rule to detect the following key logger(s):

  • System Compromise, Trojan infection, Generic Keylogger

Updated Detection Technique - DarkHotel

The DarkHotel threat actor has been refining its malware and expanding its target demographic. DarkHotel continues to spear-phish and has recently incorporated Hacking Team's zero-day Flash exploit into some of its attacks. We have added IDS signatures and updated a correlation rule to detect DarkHotel activity:

  • System Compromise, Targeted Malware, DarkHotel 

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. As we described in a blog post: We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence. 

We have added IDS signatures and update correlation rules to detect Sofacy activity.

  • System Compromise, Targeted Malware, SEDNIT

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Bruteforce Authentication, IMAP
  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation domain
  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Desktop Software - BitCoin, BitcoinMiner
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Backdoor, Zeprox
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Fleercivet
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Malware contacting Dynamic Domain
  • System Compromise, Mobile trojan infection, IOS_XAGENT
  • System Compromise, Suspicious Behaviour, EXE file download from a Dynamic DNS host
  • System Compromise, Trojan infection, ExtenBro
  • System Compromise, Trojan infection, Hancitor
  • System Compromise, Trojan infection, Kitkiot
  • System Compromise, Trojan infection, Neutrino
  • System Compromise, Trojan infection, ProjectBot