Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of October 2016

New Detection Technique - HadesLocker

HadesLocker is a new ransomware strain whose ransom note copies that of the well-known Locky ransomware. It is currently thought to be the next generation of the Zyklon Locker and Wildfire Locker strains. HadesLocker is known to be distributed by a spam email campaign carrying a malicious Word document as the attachment.

We've added IDS signatures and created the following correlation rule to detect this ransomware's activity:

  • System Compromise, Ransomware infection, HadesLocker

New Detection Technique - Kostya

Kostya is a new ransomware variant that appears to target Czech-speaking users; no English-language version has been seen in the wild so far. Kostya is spread by spam email with a malicious PDF attachment that masquerades as a payment notification.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Kostya

In addition to that, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, CryptoWall
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Locky

Emerging Threat - BIND9 DoS CVE-2016-2776

CVE-2016-2776 is a newly disclosed vulnerability in BIND 9. A specially crafted query causes named to hit an assertion failure while building the response, so the server process exits and stops answering queries: a remotely triggerable denial of service (DoS) that affects both authoritative and recursive servers. The fix is to upgrade to a patched BIND release; the IDS signature below covers the window until that is done.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)
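The detection above tells you an exploit packet arrived; the check a practitioner also wants is whether a given resolver is still running an affected build. The following is an added example, not part of the original protection update and not vendor code. It parses a BIND version string (as printed by `named -v` or returned for a `version.bind` CHAOS TXT query) into a sortable key that orders pre-releases (`rc1`) before the release and `-P` patch levels after it, then compares it against the fixed release for that branch. The fixed releases (9.9.9-P3, 9.10.4-P3, 9.11.0rc3) are taken from ISC's advisory for this CVE; confirm them against the advisory before relying on this check. Subscription (`-S`) editions have their own fix versions and are reported as unknown. The sample version strings are constructed.

```python
"""Check whether a BIND 9 version string predates the fix for CVE-2016-2776.

Added example (not from the original protection update). Fixed-release
numbers are taken from ISC's advisory for the CVE; verify them there.
"""
import re

# First fixed release per maintained branch at the time of the advisory.
# Branches 9.0 through 9.8 were affected but end-of-life, so received no fix.
FIXED = {
    (9, 9): "9.9.9-P3",
    (9, 10): "9.10.4-P3",
    (9, 11): "9.11.0rc3",
}

# Pre-release ordering: alpha < beta < release candidate < final release (3).
PRE_ORDER = {"a": 0, "b": 1, "rc": 2}

VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:(?P<pre>a|b|rc)(?P<prenum>\d+))?"        # 9.11.0rc3, 9.10.0b1
    r"(?:-(?P<kind>[PS])(?P<num>\d+))?"           # 9.10.4-P2 (patch) / 9.9.9-S3 (subscription)
)


def parse_version(text):
    """Return a sortable key for the first BIND version found in `text`.

    Key layout: (major, minor, patch, stage, pre_number, patch_level) so that
    9.11.0rc1 < 9.11.0rc3 < 9.11.0 < 9.11.0-P1. Returns None when no version
    is present or the string is a subscription (-S) edition, which this
    check does not cover.
    """
    m = VERSION_RE.search(text)
    if not m or m.group("kind") == "S":
        return None
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    if m.group("pre"):
        stage, pre_num, plevel = PRE_ORDER[m.group("pre")], int(m.group("prenum")), 0
    else:
        stage, pre_num, plevel = 3, 0, int(m.group("num") or 0)
    return (major, minor, patch, stage, pre_num, plevel)


def is_vulnerable(text):
    """True if the version predates the fixed release on its branch,
    False if it is at or beyond the fix, None if it cannot be determined."""
    key = parse_version(text)
    if key is None:
        return None
    branch = key[:2]
    if branch in FIXED:
        return key < parse_version(FIXED[branch])
    if branch < (9, 9):
        return True       # EOL branches: affected, never fixed
    return False          # branches newer than 9.11 shipped after the fix


if __name__ == "__main__":
    # Constructed sample strings in the shape of `named -v` output.
    for sample in ("BIND 9.10.4-P2 (Extended Support Version) <id:1234>",
                   "BIND 9.10.4-P3 <id:1234>", "BIND 9.11.0rc1", "BIND 9.9.9-S3"):
        print(sample, "->", is_vulnerable(sample))
```

Note that `version.bind` is often masked or disabled in `named.conf`, so a remote query may return nothing useful; run the check against `named -v` on the host itself where you can.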

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Raum
  • System Compromise, Trojan infection, Xiazai
  • System Compromise, Trojan infection, UBN
  • System Compromise, Trojan infection, Kniaz

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to the user, these kits are embedded in websites by attackers, usually reached through a chain of malicious redirections from a compromised site or a malvertising network. When a user browses to a page hosting an exploit kit, the kit fingerprints the browser and its plugins and fires the exploits it carries for whatever vulnerable versions it finds, installing malware on the machine without any user interaction. This is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns in their landing pages and payloads to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the latest list of SSL/TLS certificates identified as being associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, APT28 SSL activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Access Tool (RAT) used to gain interactive control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a special-use top-level domain reserved for hidden services inside the Tor network; such names are resolved only within Tor and have no meaning in the public DNS. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined .onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system sends a DNS query for a known-malicious .onion domain. Because Tor never sends these names to a conventional resolver, a .onion query seen on the wire indicates that malware (or a misconfigured Tor client) has leaked the name, so such queries are visible to network sensors:

  • System Compromise, Malware infection, Malicious TOR .onion domain
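To make the leak-based detection concrete, the following added example (not part of the original update and not the vendor's correlation-rule logic) runs a small detector over constructed BIND-style query-log lines. Any query for a .onion name reaching a conventional resolver is flagged as a leak, a match against a blocklist of known hidden-service names is escalated, and hits are grouped per source host the way a correlation rule would be. The blocklist entries and log lines are placeholders constructed for the example, not real indicators.

```python
"""Detect DNS queries for .onion names leaking out of the Tor network.

Added example; not part of the original protection update. The blocklist
entries and the log lines are constructed placeholders, not real IOCs.
"""
import re
from collections import defaultdict

# Stand-in for the IDS signature set: placeholder names, NOT real C&C services.
MALICIOUS_ONION = {
    "examplebotnetc2aaaa.onion",
    "exampleransomnote7b.onion",
}

# Loosely modelled on a BIND query log line:
#   <date> <time> client <ip>#<port> (<name>): query: <name> IN <type> ...
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+.*?query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case the name and drop a trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_onion(name):
    labels = normalize(name).split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def classify_query(name):
    """Return a severity label for a queried name, or None if it is not .onion.

    Any .onion name seen by a normal resolver is already a leak, so it is
    flagged even when unknown; an exact or subdomain match against the
    blocklist is escalated.
    """
    if not is_onion(name):
        return None
    n = normalize(name)
    for bad in MALICIOUS_ONION:
        if n == bad or n.endswith("." + bad):
            return "malicious_onion"
    return "onion_leak"


def scan_log(lines):
    """Yield (src_ip, normalized_name, label) for every flagged query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        label = classify_query(m.group("name"))
        if label:
            yield m.group("src"), normalize(m.group("name")), label


def correlate(lines, threshold=1):
    """Group hits per source host and return the hosts whose count of
    known-malicious .onion lookups reaches `threshold` (the correlation step)."""
    per_host = defaultdict(lambda: {"onion_leak": 0, "malicious_onion": 0, "names": set()})
    for src, name, label in scan_log(lines):
        per_host[src][label] += 1
        per_host[src]["names"].add(name)
    return {src: v for src, v in per_host.items() if v["malicious_onion"] >= threshold}


# Constructed sample log: one benign query, one blocklisted name, one unknown
# .onion leak, one subdomain of a blocklisted name, and a decoy whose left-most
# label happens to be "onion" but is not under the .onion TLD.
SAMPLE_LOG = """\
04-Oct-2016 09:12:01.123 client 10.0.0.5#51234 (www.example.com): query: www.example.com IN A + (10.0.0.1)
04-Oct-2016 09:12:02.456 client 10.0.0.5#51235 (examplebotnetc2aaaa.onion): query: examplebotnetc2aaaa.onion IN A + (10.0.0.1)
04-Oct-2016 09:12:03.789 client 10.0.0.7#51236 (someunknownhs3333.onion): query: someunknownhs3333.onion IN A + (10.0.0.1)
04-Oct-2016 09:12:04.000 client 10.0.0.5#51237 (api.examplebotnetc2aaaa.onion.): query: api.examplebotnetc2aaaa.onion. IN AAAA + (10.0.0.1)
04-Oct-2016 09:12:05.000 client 10.0.0.9#51238 (onion.example.net): query: onion.example.net IN A + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(correlate(SAMPLE_LOG))
```

The `onion_leak` label is deliberately kept separate from `malicious_onion`: an unknown .onion query is worth an alert of its own, since legitimate Tor use never produces one, but it does not justify the "System Compromise" severity that a blocklist match does.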

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Pony
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, IOS_XAGENT