Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of March

New Detection Technique - Apache Struts S2-045 RCE (CVE-2017-5638)

A vulnerability exists in the Jakarta Multipart parser in Apache Struts 2 (versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) that allows attackers to execute arbitrary commands via a specially crafted Content-Type HTTP header. 

We've added the following correlation rule to detect this malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts S2-045 RCE (CVE-2017-5638)
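As an added illustration (not part of the original update and not the vendor's correlation logic), the check below shows the two defender-side tasks this item implies: triaging an inventory of Struts versions against the affected ranges stated above, and flagging requests whose Content-Type header carries an OGNL expression marker, which no legitimate media type contains. The request records and the marker strings are constructed; the malicious samples are inert markers, not working payloads.

```python
import re
from urllib.parse import unquote

# A well-formed Content-Type is a media type plus optional parameters; the
# S2-045 trigger is an OGNL expression in that header, which starts with
# '%{' or '${'. Check both the raw value and its percent-decoded form.
OGNL_MARKER = re.compile(r"[%$]\{")


def is_suspicious_content_type(value: str) -> bool:
    """True if the Content-Type value contains an OGNL expression marker."""
    return bool(OGNL_MARKER.search(value) or OGNL_MARKER.search(unquote(value)))


def is_affected_struts_version(version: str) -> bool:
    """Version triage using only the ranges named in the advisory text:
    2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. Other lines return False."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (2, 3):
        return parts < (2, 3, 32)
    if parts[:2] == (2, 5):
        return parts < (2, 5, 10, 1)
    return False


# Constructed request records (hypothetical sources, paths and headers).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "path": "/showcase/index.action",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "198.51.100.8", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----ConstructedBoundary"},
    # Inert marker in the shape of the attack: an OGNL expression, not a media type.
    {"src": "203.0.113.9", "path": "/index.action",
     "content_type": "%{#constructed_marker}"},
    # Same marker, percent-encoded; caught only after decoding.
    {"src": "203.0.113.10", "path": "/index.action",
     "content_type": "%25%7B%23constructed%7D"},
]


def find_s2_045_attempts(requests):
    """Return the request records whose Content-Type looks like an S2-045 attempt."""
    return [r for r in requests if is_suspicious_content_type(r["content_type"])]


if __name__ == "__main__":
    for hit in find_s2_045_attempts(SAMPLE_REQUESTS):
        print(f"S2-045 attempt from {hit['src']} to {hit['path']}: {hit['content_type']!r}")
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "affected" if is_affected_struts_version(v) else "not affected")
```

The version check tells you which hosts need the patch regardless of whether an attempt has been seen; the header check is what a network or WAF log review looks for. Decoding once before matching matters because a proxy may log the header as sent on the wire rather than as the application parses it.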

New Detection Technique - DroppingElephant

DroppingElephant (also known as "Chinastrats" and "Patchwork") is a threat actor that has been aggressively targeting the Asia region, including multiple diplomatic and government entities, with a particular focus on China and its foreign relations. DroppingElephant relies heavily on relatively straightforward spear-phishing and watering-hole attacks, coupled with social engineering tactics, to infect victims with its malware.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, DroppingElephant

New Detection Technique - StoneDrill

StoneDrill is a new wiper malware variant of the notorious Shamoon worm, which devastated a Saudi Arabian company in 2012 by wiping over 35,000 computers. While StoneDrill has similarities to Shamoon, to better evade detection it uses new tools and techniques, has a functional ransomware component, and is less reliant on command and control (C&C) servers.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, StoneDrill

New Detection Technique - Mac OS X HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)

Mac OS X HelpViewer has an XSS vulnerability that can be exploited with a specially crafted web page, which can result in arbitrary file execution and file read. 

We've added IDS signatures and the following correlation rule to detect this activity:

  • Delivery & Attack, WebServer Attack, Mac OS X HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)

New Detection Techniques

We've added the following correlation rules as a result of recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WIFICAM Cameras Authenticated set_ftp.cgi Command Injection Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WIFICAM Cameras .ini Unauthenticated Access Attempt
  • System Compromise, Trojan infection, Neptune
  • System Compromise, Trojan infection, Agent.YDZ
  • System Compromise, Ransomware infection, Vortex
  • System Compromise, Trojan infection, Stengol
  • System Compromise, Ransomware infection, Enjey Crypter
  • System Compromise, Backdoor, Tofu

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, PSEmpire SSL Activity
  • System Compromise, C&C Communication, Zeus SSL Certificate
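As an added example (not the vendor's signature logic and not the Abuse.ch feed itself), the block below shows the matching that a certificate-based C&C detection performs: normalise SHA1 certificate fingerprints from a blocklist and from TLS connection logs to one form, look each observed server certificate up, and map the hit to the rule names listed above, falling back to the generic "Known malicious SSL certificate" rule when the feed entry carries no family name. The blocklist entries and log lines are constructed; the fingerprints are SHA1 hashes of placeholder byte strings, not real indicators.

```python
import hashlib


def _placeholder_fp(label: bytes) -> str:
    # Placeholder fingerprint: SHA1 over a constructed byte string. A real
    # deployment loads the feed's fingerprints of the DER certificates instead.
    return hashlib.sha1(label).hexdigest()


# Constructed blocklist in the shape of a fingerprint feed: SHA1 -> family.
# None marks an entry the feed lists without a family name.
CERT_BLOCKLIST = {
    _placeholder_fp(b"constructed Dridex cert"): "Dridex",
    _placeholder_fp(b"constructed Zeus cert"): "Zeus",
    _placeholder_fp(b"constructed unnamed cert"): None,
}

DEDICATED_RULES = {
    "Dridex": "System Compromise, C&C Communication, Dridex SSL Certificate",
    "Zeus": "System Compromise, C&C Communication, Zeus SSL Certificate",
}
GENERIC_RULE = "System Compromise, C&C Communication, Known malicious SSL certificate"


def normalize_fingerprint(value: str) -> str:
    """Feeds and sensors print SHA1 fingerprints differently (colons, spaces,
    upper/lower case). Reduce both sides to bare lowercase hex so the
    dictionary lookup is exact."""
    return value.replace(":", "").replace(" ", "").strip().lower()


def parse_tls_line(line: str) -> dict:
    """Parse one constructed, tab-separated TLS log line:
    ts, src, dst, dst_port, sni, server_cert_sha1."""
    ts, src, dst, dport, sni, fp = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "dst_port": int(dport),
            "sni": sni, "cert_sha1": normalize_fingerprint(fp)}


def match_tls_log(lines, blocklist=CERT_BLOCKLIST):
    """One alert per connection whose server certificate is on the blocklist.
    Matching is on the certificate hash, not on SNI or destination address, so
    the same certificate reused behind a new domain or IP is still caught."""
    alerts = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec["cert_sha1"] not in blocklist:
            continue
        family = blocklist[rec["cert_sha1"]]
        alerts.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "family": family,
            "rule": DEDICATED_RULES.get(family, GENERIC_RULE),
        })
    return alerts


def _fp_colons(label: bytes) -> str:
    # Sensor-style rendering of the same placeholder: uppercase, colon-separated.
    raw = _placeholder_fp(label).upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


# Constructed TLS connection log: one connection per line, fields as in parse_tls_line.
SAMPLE_TLS_LOG = [
    "1488888000.1\t10.0.0.5\t203.0.113.20\t443\tupdates.example\t" + _fp_colons(b"constructed benign cert"),
    "1488888001.4\t10.0.0.7\t203.0.113.21\t443\t-\t" + _fp_colons(b"constructed Dridex cert"),
    "1488888002.9\t10.0.0.9\t203.0.113.22\t8443\t-\t" + _fp_colons(b"constructed unnamed cert"),
]

if __name__ == "__main__":
    for a in match_tls_log(SAMPLE_TLS_LOG):
        print(f"{a['ts']} {a['src']} -> {a['dst']} family={a['family']} rule={a['rule']}")
```

Two practical points follow from the design. Fingerprint feeds only cover certificates that have already been observed, so a miss here is not a clean bill of health, and the normalisation step is not cosmetic: a single colon or uppercase hex digit left in place turns every lookup into a silent miss.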

Updated Detection Technique - Ransomware

In the past week, we've seen an increase in ransomware activity in the wild. We've added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, PSEmpire SSL Activity
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Revenge
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Dridex

Dridex is a piece of malware designed to steal banking credentials and other personal information on a system to gain access to the financial records of a user. Dridex performs a technique called web injection into the HTML of banking websites and then sends the stolen data to a remote C&C server.

We've added IDS signatures and updated the following correlation rule that will alert when the system detects Dridex talking to a C&C server:

  • System Compromise, Malware infection, Dridex

Updated Detection Technique - XAgent OSX

A macOS variant of the Sofacy group's XAgent trojan, called XAgent OSX, has been discovered. The trojan has the ability to receive commands from threat actors via its command and control (C&C) channel, and is also capable of logging keystrokes via its keylogger functionality. XAgent OSX uses HTTP requests to communicate with its C&C servers, which allows the threat actor to interact with the compromised system. It uses HTTP POST requests to send data to the C&C server, and GET requests to receive commands from the server.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, XAgent OSX

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Drupal
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, ZvuZona
  • System Compromise, Targeted Malware, Emdivi
  • System Compromise, Trojan infection, Amonetize
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Trojan infection, Dapato
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Qakbot