Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of December 2017

New Detection Technique – Cyberbit/PSS

Cyberbit/PSS is an attack campaign rooted in Ethiopia and dating back to 2016. The infection is spread via malspam: the email carries an invitation to a video portal, where the user is prompted to install malware masquerading as an "Adobe Flash update" in order to watch the videos. The downloaded installer bundles an "Adobe PdfWriter" package, which is the component that actually carries the trojan. When run, the installer requests administrator privileges for installation, after which the trojan communicates with its C&C server in Ethiopia. The trojan collects information from infected hosts, such as system logs, storage statistics, and system configuration.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Cyberbit/PSS

New Detection Technique – BoletoMestre

BoletoMestre is a new Trojan detected in campaigns targeting Brazil. It is delivered via spam, simulating a Boleto invoice, which is an electronic payment method commonly used in Brazil. These emails contain a URL to download the invoice, which is embedded with the trojan. BoletoMestre targets Windows XP and Windows 7 SP1. After infection, the machines generate IRC traffic and join the Mestre IRC channel. This malware also modifies Windows registry values, VBS files, and legitimate binaries.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, BoletoMestre
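The IRC behaviour described above is the most visible network artifact of this family, so it is a natural thing to check for in proxy or NetFlow-derived session logs. The following is an added example, not code from the original update or from the detection rules it announces: it parses IRC client-to-server lines, flags any JOIN (IRC from a workstation is already unusual) and raises the severity when the channel matches the one tied to BoletoMestre. The exact channel name "#Mestre" and the sample lines are assumptions constructed for the example; the update only says the bots "join the Mestre IRC channel".

```python
import re

# Constructed sample of IRC client-to-server lines; not real captured traffic.
SAMPLE_IRC_LINES = [
    "NICK win7sp1-0421",
    "USER boleto 0 * :boleto",
    "JOIN #Mestre",
    "PRIVMSG #Mestre :online",
    "JOIN #support,#general",
]

# Assumption: the channel is literally named "#Mestre". Adjust to match the
# channel name carried by the IDS signature in use.
SUSPECT_CHANNELS = {"#mestre"}

# Optional ":nick!user@host " prefix, then JOIN, then a comma-separated channel list.
_JOIN_RE = re.compile(r"^(?::\S+\s+)?JOIN\s+(?P<channels>\S+)", re.IGNORECASE)


def joined_channels(line):
    """Return the lower-cased channels named in an IRC JOIN line, or [] if not a JOIN."""
    m = _JOIN_RE.match(line.strip())
    if not m:
        return []
    return [c.lower() for c in m.group("channels").split(",") if c]


def classify_irc_lines(lines, suspect=SUSPECT_CHANNELS):
    """Return (line_no, channel, severity) for every JOIN seen in the lines.

    "high": the channel is one tied to BoletoMestre.
    "low":  any other JOIN, because IRC from an endpoint is itself worth a look.
    """
    alerts = []
    for no, line in enumerate(lines, start=1):
        for ch in joined_channels(line):
            severity = "high" if ch in suspect else "low"
            alerts.append((no, ch, severity))
    return alerts


if __name__ == "__main__":
    for alert in classify_irc_lines(SAMPLE_IRC_LINES):
        print(alert)
```

The two-tier result is deliberate: the channel match is the high-confidence indicator, while the generic JOIN alerts give an analyst the surrounding IRC activity from the same host without a separate query.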

New Detection Technique – StorageCrypt

StorageCrypt is a ransomware that encrypts files on the system and demands a ransom of between 0.4 and 2 bitcoins for the decryption key. What makes it particularly dangerous is that it spreads through the SambaCry vulnerability, which allows an attacker to open a shell with regular user permissions; that shell is then used to download the malware package and share it with other machines on the same network. Owners of infected machines have reported finding the files 'sambacry' and 'apaceha' in the /tmp folder.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, StorageCrypt
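The two file names reported in /tmp are a cheap host-side check to run alongside the network signatures, for example across a fleet of Samba servers during triage. This is an added example, not code from the original update: it looks for the reported names directly under a given directory and records size and SHA-256 for the incident log. No known-bad hashes are assumed (the update lists none), and the directory built by make_demo_tmp_dir() is constructed for the example so it can run offline instead of against a real /tmp.

```python
import hashlib
import tempfile
from pathlib import Path

# File names reported on infected hosts in the update above.
STORAGECRYPT_ARTIFACTS = ("sambacry", "apaceha")


def sha256_of(path, chunk=1 << 16):
    """Hash a file for the incident record; no known-bad hashes are assumed here."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_storagecrypt_artifacts(tmp_dir="/tmp", names=STORAGECRYPT_ARTIFACTS):
    """Return sorted [(path, size, sha256)] for reported artifact names in tmp_dir.

    Matching is on the exact file name (case-insensitive) and does not recurse,
    since the report places the files directly under /tmp.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for entry in Path(tmp_dir).iterdir():
        if entry.is_file() and entry.name.lower() in wanted:
            hits.append((str(entry), entry.stat().st_size, sha256_of(entry)))
    return sorted(hits)


def make_demo_tmp_dir():
    """Build a constructed directory standing in for /tmp on an infected host.

    The file contents are placeholders, not real malware samples.
    """
    d = Path(tempfile.mkdtemp(prefix="demo_tmp_"))
    (d / "sambacry").write_bytes(b"placeholder, not a real sample\n")
    (d / "apaceha").write_bytes(b"placeholder, not a real sample\n")
    (d / "unrelated.txt").write_bytes(b"benign\n")
    return str(d)


if __name__ == "__main__":
    for path, size, digest in find_storagecrypt_artifacts(make_demo_tmp_dir()):
        print(f"{path}  {size} bytes  sha256={digest}")
```

Call find_storagecrypt_artifacts() with no argument to check the real /tmp; a non-empty result on a Samba host is a trigger to isolate it and pull the file hashes into the case record before anything is cleaned up.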

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Dreamsmasher
  • System Compromise, Trojan infection, MSIL/Subti
  • System Compromise, Trojan infection, SluttyPutty
  • System Compromise, Trojan infection, Win32/MewsSpy.AE

Updated Detection Technique – Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, PSEmpire SSL Activity
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique – SunOrcal Reaver

SunOrcal Reaver is a malware family that has been active since at least late 2016. It shares C&C infrastructure with SunOrcal, a malware family that has been active since at least 2013. While the malware's origin is not precisely known, it has been linked to the Chinese government and to movements in its opposition.

When the payload is loaded, it checks the system configuration to determine whether privilege escalation is achievable. After obtaining privileges, the malware creates an LNK file for persistence and proceeds to leak sensitive information, such as the computer name, volume serial number, OS version, CPU speed, the OS's OEM code page identifier, and physical and virtual memory information.

The malware is also easily identifiable because its payload is delivered as a Windows Control Panel item (CPL file), a highly unusual practice.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, SunOrcal Reaver

Updated Detection Technique – Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Bazidow
  • System Compromise, Trojan infection, Carbanak
  • System Compromise, Trojan infection, IRC Bot
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Molerats/GazaHacker
  • System Compromise, Trojan infection, Nitol
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Win32/MewsSpy.AE

Updated Correlation Rules

We've also updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware RAT, njRAT
  • System Compromise, Ransomware infection, GlobeImposter