Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of April 2017

New Detection Technique - Felismus

Felismus is a recently discovered piece of malware that appears to have been active for a number of months. Felismus is modular and uses multiple techniques to hinder both analysis and discovery of the content of its communications. Given that few samples are available in the wild, it is likely that Felismus is being used in targeted campaigns. It uses filenames mimicking those of Adobe's Content Management System and offers a range of commands typical of Remote Access Tools, including file upload, file download, file execution, and command execution.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Felismus

New Detection Technique - MICROPSIA

KASPERAGENT and MICROPSIA are two new malware families that have recently been discovered in targeted attack campaigns in the Middle East. MICROPSIA is an information-stealing malware family written in Delphi with a wide range of built-in data theft functionality. KASPERAGENT, the most common malware involved in the campaign, is developed in Microsoft Visual C++ and attempts to disguise itself as a product that does not exist: “Adobe Cinema Video Player”. The attack campaigns using these malware families favor URL shortening services to disguise the true links sent in spear phishing emails. Another method favored by the attackers was setting up fake news sites and driving traffic to them. Most of the attacks discovered have targeted users in the United States, Israel, the Palestinian Territories, and Egypt.

We've added IDS signatures and the following correlation rules to detect this activity:

  • System Compromise, Trojan infection, KASPERAGENT
  • System Compromise, Trojan infection, MICROPSIA
  • System Compromise, C&C Communication, MICROPSIA SSL activity

New Detection Technique - MoonWind

MoonWind is a RAT that was used in an attack campaign targeting organizations in Thailand in the fall of 2016. The attackers used the Trochilus RAT along with MoonWind and compromised legitimate Thai websites to host their malware, including the student portal of a Thai university. The attackers used different command and control (C&C) servers for each malware family to thwart attempts to tie the attacks together using infrastructure alone.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, MoonWind

New Detection Technique - RedLeaves

RedLeaves is malware that has been observed in spear phishing emails since 2016. JPCERT/CC found that RedLeaves' code has a lot in common with the source code of the open source RAT Trochilus. RedLeaves injects itself into the Internet Explorer process, communicates with specific sites over HTTP or its own custom protocol, and then executes the commands it receives.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, RedLeaves

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, CrypMIC
  • System Compromise, Ransomware infection, EDA2
  • System Compromise, Ransomware infection, GX40
  • System Compromise, Ransomware infection, Stolich

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Matrix
  • System Compromise, Ransomware infection, Sage
  • System Compromise, Ransomware infection, SNSLocker
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TP-Link Archer C2 and Archer C20i Remote Code Execution
  • System Compromise, Trojan infection, Fatboy
  • System Compromise, Trojan infection, NR42 Bot
  • System Compromise, Trojan infection, ScanBox
  • System Compromise, Trojan infection, TinyNuke

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Terror EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rules to detect APT28 activity:

  • System Compromise, C&C Communication, APT28 SSL activity
  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, njRAT
  • System Compromise, Malware RAT, Remcos/Remvi

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Targeted Malware, TurlaCarbon
  • System Compromise, Trojan infection, GhostAdmin
  • System Compromise, Trojan infection, Loki Bot
  • System Compromise, Trojan infection, Neutrino
  • System Compromise, Trojan infection, Unknown trojan