Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of April 2018

New Detection Technique – InnaputRAT

InnaputRAT is a Remote Access Trojan delivered through a recent phishing campaign targeting commercial manufacturing companies in the US and Europe. Once installed, it profiles the host and exfiltrates documents from the infected machine.

The attackers continue to improve InnaputRAT, recently adding the 'Godzilla Loader' as an intermediary loader that obfuscates key elements of the binary. We will continue to update the signatures as InnaputRAT evolves.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Win32/InnaputRAT

New Detection Technique – Rarog

Rarog is a coin-mining trojan observed over the past few months. It primarily mines Monero but can mine other currencies as well. The malware spreads by infecting USB flash drives, loads DLLs and additional code onto the infected machine, and can split mining across multiple processes. Cryptocurrency-mining malware is currently a worldwide trend and infections can appear in any country; in this case the operators have primarily targeted Russia and Indonesia.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Win32/Rarog
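The InnaputRAT and Rarog sections above both describe the same mechanism: IDS signatures fire on the malware's network traffic, and a correlation rule turns those signature hits into a "Strategy, Method, Name" alarm. The page does not show the rule language itself, so the following is an added illustration written for this update, not the USM/OTX correlation engine. It parses constructed Suricata/Snort fast.log-style alert lines (placeholder SIDs 9000001 and up, not real ET/VRT rules), maps them onto three directive names taken from this page (the two trojan-infection rules above and the W32/PinoRAT C&C rule listed under New Detection Techniques further down), and raises one alarm per source host. The hit thresholds are assumptions chosen to show the difference between a single-hit infection rule and a C&C rule that waits for repeated beacons inside a time window.

```python
"""Toy correlation pass that maps IDS signature hits onto the
"Strategy, Method, Name" directive labels used on this page.

Constructed illustration for this update: it is not the USM/OTX
correlation engine, and the thresholds, SIDs and log lines below are
all assumptions/placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Suricata/Snort fast.log-style alert lines. All SIDs (9000001..) and
# signature messages are constructed placeholders, not real ET/VRT rules.
SAMPLE_ALERTS = """\
04/02/2018-09:12:01.000000  [**] [1:9000001:1] MALWARE InnaputRAT CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.15:49213 -> 203.0.113.7:443
04/02/2018-09:12:40.000000  [**] [1:9000002:1] MALWARE Rarog Miner Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.22:50110 -> 198.51.100.9:80
04/02/2018-09:13:05.000000  [**] [1:9000003:1] MALWARE PinoRAT CnC Keepalive [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.31:51002 -> 192.0.2.44:8080
04/02/2018-09:14:09.000000  [**] [1:9000003:1] MALWARE PinoRAT CnC Keepalive [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.31:51003 -> 192.0.2.44:8080
04/02/2018-09:20:00.000000  [**] [1:9000004:1] INFO Plain HTTP GET [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.40:52000 -> 198.51.100.20:80
04/02/2018-09:30:00.000000  [**] [1:9000003:1] MALWARE PinoRAT CnC Keepalive [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.50:53001 -> 192.0.2.44:8080
"""

FASTLOG = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Directives: (signature-message pattern, Strategy, Method, Name, min_hits, window_seconds).
# The names are the ones listed on this page; the thresholds are assumptions:
# one trojan-infection signature hit is enough, while the C&C directive needs
# two hits from the same source inside five minutes before it is raised.
DIRECTIVES = [
    (re.compile(r"InnaputRAT", re.I), "System Compromise", "Trojan infection", "Win32/InnaputRAT", 1, 0),
    (re.compile(r"\bRarog\b", re.I), "System Compromise", "Trojan infection", "Win32/Rarog", 1, 0),
    (re.compile(r"PinoRAT", re.I), "System Compromise", "C&C Communication", "W32/PinoRAT", 2, 300),
]


def parse_alert(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FASTLOG.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    ev["sid"] = int(ev["sid"])
    ev["pri"] = int(ev["pri"])
    return ev


def correlate(alert_text):
    """Run every directive over the alert lines and return the alarms raised, in order."""
    hits = defaultdict(list)   # (src_ip, directive index) -> timestamps of matching hits
    fired = set()              # keys that already raised an alarm (one alarm per host and rule)
    alarms = []
    for line in alert_text.splitlines():
        ev = parse_alert(line)
        if ev is None:
            continue
        for idx, (pat, strategy, method, name, min_hits, window) in enumerate(DIRECTIVES):
            if not pat.search(ev["msg"]):
                continue
            key = (ev["src"], idx)
            hits[key].append(ev["ts"])
            if window:  # sliding window: forget hits older than the window
                cutoff = ev["ts"] - timedelta(seconds=window)
                hits[key] = [t for t in hits[key] if t >= cutoff]
            if len(hits[key]) >= min_hits and key not in fired:
                fired.add(key)
                alarms.append({
                    "src": ev["src"],
                    "dst": ev["dst"],
                    "rule": f"{strategy}, {method}, {name}",
                    "events": len(hits[key]),
                    "last_sid": ev["sid"],
                })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_ALERTS):
        print(f"{alarm['rule']}  src={alarm['src']} dst={alarm['dst']} events={alarm['events']}")
```

On the constructed input this raises three alarms: the InnaputRAT and Rarog hosts on their first signature hit, and 10.0.0.31 for PinoRAT only after its second keepalive inside the window; the lone PinoRAT hit from 10.0.0.50 and the informational HTTP alert raise nothing. The point for a practitioner is that the signature alone is not the alarm: what you tune when a rule is noisy is the directive's threshold and window, not the signature.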

New Detection Techniques – Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Agent.BIN
  • System Compromise, Trojan infection, MSIL/SocketPlayer RAT
  • System Compromise, Trojan infection, MSIL/SQLConn
  • System Compromise, Trojan infection, MSIL/SquirtStealer
  • System Compromise, Trojan infection, Win32/1ms0rry Stealer Variant
  • System Compromise, Trojan infection, Win32/InnaputRAT
  • System Compromise, Trojan infection, Win32/Rarog
  • System Compromise, Trojan infection, Win32/SocStealer.Socelars

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Spring Data REST (CVE-2017-8046)
  • System Compromise, C&C Communication, W32/PinoRAT
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.HiddenMiner

Updated Detection Technique – Panda Banker

Panda Banker is a banking trojan derived from the Zeus source code. It was first seen in the wild in 2016 and has developed significantly since then. It is widely sold and traded on underground forums, which makes it a cheap and versatile payload that shows up in many unrelated campaigns. Panda Banker has been seen primarily in Japan, as well as in many other countries such as Canada, Germany, the United States, Australia, and the UK.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Panda Banker

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Cobalt Group
  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, URLZone C2 Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Malware RAT, Revcode
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Targeted Malware, OceanLotus
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Harvester
  • System Compromise, Trojan infection, LiteHTTP Bot
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, MSIL/MinerG8 CoinMiner
  • System Compromise, Trojan infection, NameCoin DNS Sinkhole
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Rodecap
  • System Compromise, Trojan infection, SmokeLoader
  • System Compromise, Trojan infection, Trickbot