Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of May 2016

Emerging Threat - APT Group

We have added detection for a group targeting government and industry:

  • System Compromise, Targeted Malware, APT.HILIGH
  • System Compromise, Targeted Malware, APT.MADMA
  • System Compromise, Targeted Malware, APT.ZoxPNG
  • System Compromise, C&C Communication, APT.HTTPBrowser SSL activity

New Detection Technique - ImageTragick

ImageTragick, the nickname given to CVE-2016-3714, is a serious vulnerability in the ImageMagick software. Because file names are not filtered properly, an attacker can execute commands remotely by uploading a crafted image, which can lead to full remote code execution (RCE) on the server running the image uploader. This vulnerability is actively being exploited in the wild.

We have added new IDS signatures and correlation rules to detect this activity:

  • Exploitation & Installation, Vulnerable software, ImageMagick Inbound Exploit
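The IDS signature above catches exploitation on the wire; a complementary server-side check is to refuse any upload whose bytes do not match the image type it claims to be, since ImageMagick decides the format from content rather than extension. The following Python is an added example, not code from the bulletin or from ImageMagick, and the allow-list, file names and sample inputs are constructed for illustration:

```python
# Added example: reject uploads whose leading bytes do not match the image type
# the file name declares. Allow-list, sample names and data are constructed.
from typing import Optional

# Magic bytes for the raster image types an uploader would normally accept.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return "jpg" if ext == "jpeg" else ext
    return None

def is_safe_upload(filename: str, data: bytes) -> bool:
    """Accept only when the extension is allow-listed and the content agrees.

    A text-based ImageMagick format (MVG, SVG, ...) renamed to .png or .jpg
    fails here because its bytes carry no raster magic number, so it never
    reaches ImageMagick's content-based format detection.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False
    actual = sniff_image_type(data)
    if actual is None:
        return False
    declared = "jpg" if ext == "jpeg" else ext
    return actual == declared

# Constructed samples: real PNG/JPEG headers, an MVG script disguised as a
# PNG, and an SVG that is simply not on the allow-list.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "avatar.png": b"push graphic-context\nviewbox 0 0 640 480\n",
    "logo.svg": b"<svg xmlns=\"http://www.w3.org/2000/svg\"/>",
}

def screen_uploads(samples=SAMPLES) -> dict:
    """Map each sample file name to whether it would be accepted."""
    return {name: is_safe_upload(name, data) for name, data in samples.items()}
```

This check belongs in front of the conversion step; it does not replace an ImageMagick policy that disables the coders the upload path does not need.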

New Detection Technique - Pemtaka

Pemtaka is a trojan that targets the Windows family of operating systems. It collects various pieces of system information and delivers them to a remote server. It uses a custom protocol to receive instructions ranging from downloading and executing a file to recording webcam video.

We have added new IDS signatures and correlation rules to detect this activity:

  • System Compromise, Trojan infection, Pemtaka

New Detection Technique - Barkiofork

Barkiofork is a trojan that targets Windows machines. It is propagated through malicious documents in a spear phishing campaign targeting groups in the aerospace and defense industry. It has the ability to steal system information, update itself, and communicate with a remote server.

We have added new IDS signatures and correlation rules to detect this activity:

  • System Compromise, Trojan infection, Barkiofork

New Detection Technique - Infy

Infy is a trojan that is spread via a spear-phishing email carrying a Word or PowerPoint document. The attached document contains a multi-layer self-extracting executable archive (SFX) together with content that attempts to socially engineer the recipient into running the executable.

We have added new IDS signatures and correlation rules to detect this activity:

  • System Compromise, Trojan infection, Infy

New Detection Technique - Magento Shoplift Exploit

A critical remote code execution (RCE) vulnerability, reachable through SQL injection, was found in the Magento e-commerce platform; it can lead to the complete compromise of any Magento-based store. This vulnerability is actively being exploited in the wild.

We have added new IDS signatures and correlation rules to detect this activity:

  • Exploitation & Installation, WebServer Attack - SQL Injection, Magento Shoplift Exploit

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Backdoor, Absolute Eye
  • System Compromise, Malware infection, Kuping
  • System Compromise, Trojan infection, Upgilf
  • System Compromise, Trojan infection, Strumapine
  • System Compromise, Trojan infection, Losabel

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads". Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries every attack it knows in order to compromise the user's browser and install malware on the machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added new IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves an initial attack (an exploited vulnerability) followed by the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added new IDS signatures and the following correlation rules to detect RAT activity:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Ozone RAT
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Unknown Ransomware

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. It also provides anonymity for servers that can only be reached through the Tor network, known as hidden services. Some websites act as gateways that allow access to Tor hidden services from the regular Internet without joining the Tor network. Many ransomware schemes use these gateways to receive payments and conduct other malicious activities.

We've created new correlation rules that detect when a system accesses one of these services:

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
  • System Compromise, Malware infection, Malicious TOR .onion domain
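A hidden-service address is a fixed-length base32 label ending in .onion; a clearnet onion proxy exposes it as a subdomain of its own domain, so the telltale is an onion address followed by further labels in a name that should never appear in public DNS at all. The following Python is an added example of that detection logic, not the product's own rule: the log format, client addresses and the gateway domain onion.example are constructed, and the pattern also covers the 56-character v3 addresses that post-date this bulletin.

```python
# Added example: flag lookups of Tor hidden services routed through a clearnet
# onion proxy. Log format, client IPs and the gateway domain are constructed.
import re

# A v2 hidden-service address is 16 base32 characters, a v3 address is 56.
# Gateways expose them as <onion-address>.onion.<gateway-domain>.
ONION_LABEL = re.compile(r"(?:^|\.)([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.|$)")

def classify_host(host: str) -> str:
    """Return 'onion-proxy', 'onion' or 'clearnet' for a queried hostname."""
    host = host.rstrip(".").lower()
    if not ONION_LABEL.search(host):
        return "clearnet"
    # A bare .onion name cannot resolve via public DNS; anything after
    # ".onion." means a clearnet gateway is being used to reach the service.
    return "onion" if host.endswith(".onion") else "onion-proxy"

# Constructed sample lines: "<timestamp> <client-ip> <queried-hostname>".
SAMPLE_LOG = """\
2016-05-02T10:01:12Z 10.0.0.14 www.example.com
2016-05-02T10:01:15Z 10.0.0.14 abcdefghijklmnop.onion.example
2016-05-02T10:01:16Z 10.0.0.22 mail.onion.example
2016-05-02T10:02:40Z 10.0.0.31 abcdefghijklmnop.onion
"""

def find_onion_proxy_clients(log: str = SAMPLE_LOG) -> list:
    """Return (client, host) pairs whose lookups went through an onion proxy."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing fields
        _, client, host = parts
        if classify_host(host) == "onion-proxy":
            hits.append((client, host))
    return hits
```

Note that "mail.onion.example" is not flagged: only a label of the exact hidden-service length in front of ".onion" counts, which keeps ordinary hosts under a gateway's domain out of the alert.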

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer - CVE-2014-6332
  • System Compromise, Backdoor, Absolute Eye
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Vawtrak
  • System Compromise, Targeted Malware, DeputyDog
  • System Compromise, Targeted Malware, Emissary
  • System Compromise, Targeted Malware, HTTPBrowser
  • System Compromise, Targeted Malware, Pirpi
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Darpapox
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Magania
  • System Compromise, Trojan infection, MultiGrainPOS
  • System Compromise, Trojan infection, Rexpot
  • System Compromise, Trojan infection, SpyAgent
  • System Compromise, Trojan infection, Unknown trojan