Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of February 2018

New Detection Technique – Adobe Flash 0-day

A new vulnerability in Adobe Flash software was publicly announced at the beginning of February, after identification by the Korean CERT team. It allows Remote Code Execution via a corrupted Flash object.

The first campaign exploiting this vulnerability used a known RAT called ROKRAT. It starts with a malicious Excel file, distributed either by email or by download from compromised web sites. The document contains a malicious SWF file exploiting CVE-2018-4878. The SWF connects to a compromised web server and downloads additional shellcode, which is loaded into memory and executed.

After the shellcode confirms that the host is an intended victim, the ROKRAT payload is downloaded and installed.

We've added IDS signatures and the following correlation rules to detect this activity:

  • Delivery & Attack, Client Side Exploit - Known Vulnerability, Adobe Flash Use After Free (CVE-2018-4878)
  • Delivery & Attack, Client Side Exploit - Known Vulnerability, Group123 Encoded ROKRAT Payload (CVE-2018-4878)
  • System Compromise, C&C Communication, Adobe Flash Request Retrieving XOR Key (CVE-2018-4878)
  • System Compromise, Trojan infection, [Flashpoint] Possible CVE-2018-4878 Check-in

New Detection Technique – PZCHAO

Pzchao is the name of a highly specialized espionage campaign. It is a possible return of the Iron Tiger attackers, who are thought to be located in China. Unusually, in addition to typical espionage, the attackers also seem to be concerned with direct commercial gain.

Pzchao malware has targeted notable institutions in the government, telecommunications, technology, and education sectors, mainly in the USA and Asia. The initial point of compromise is normally a spearphishing message carrying a malicious VBS file attachment. This file acts as a downloader for further malicious payloads. At each stage of the communication, new malicious files are downloaded, extending the spying and remote administration capabilities. A different server is contacted at each step, identified by hostnames such as 'up.pzchao[.]com'.

Even though the tools used in this attack are a few years old, they are robust and could be reused in the future with small modifications. The complexity of the server network and the amount of information gathered so far have turned this campaign into an extremely powerful tool that is very difficult to identify. The C&C rotation over the trojan's lifecycle helps it evade detection at the network level as well.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, up.pzchao

New Detection Technique – Kimsuky

Kimsuky is an APT campaign first identified in 2013. Kimsuky was observed executing a number of attacks in 2014 against organisations in South Korea and against those researching North Korea. After a long hiatus, threats from Kimsuky have been observed again, including possible espionage attacks relating to the Winter Olympics.

The initial compromise starts with spear phishing and regular phishing campaigns to steal the account information and passwords of specific targets. In recent attacks, Kimsuky was observed delivering Hangul Word Processor documents. These documents exploit a flaw in Hangul Word Processor to install heavily obfuscated malware, which then communicates with the C&C server and performs typical reconnaissance tasks.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Kimsuky

New Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Bancos Variant Downloader SSL Certificate
  • System Compromise, C&C Communication, ipinfo[.]io SSL Certificate
  • System Compromise, C&C Communication, ROKRAT SSL Certificate
  • System Compromise, C&C Communication, Sundown SSL Certificate
  • System Compromise, C&C Communication, Zeus Panda SSL Certificate
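The detection described above works by comparing the certificate a server presents during the TLS handshake against a published list of certificate fingerprints. The following is an added example of that matching logic, not code from this update or from the AlienVault product: it computes the SHA1 fingerprint of each observed certificate and looks it up in a blocklist. The certificate bytes, the flow identifiers, the blocklist text and its `fingerprint,reason` layout are all constructed for the example; the real Abuse.ch feed has its own column layout and carries real fingerprints.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-ins for the DER-encoded certificates a sensor would extract
# from the server Certificate message of a TLS handshake. Real input would be
# the raw certificate bytes; these strings are made up for the example.
OBSERVED_CERTS: Dict[str, bytes] = {
    "10.0.0.5:51234 -> 203.0.113.10:443": b"constructed-cert-on-blocklist",
    "10.0.0.7:51300 -> 198.51.100.20:443": b"constructed-cert-legitimate",
}


@dataclass(frozen=True)
class BlocklistEntry:
    fingerprint: str     # SHA1 of the DER certificate, lowercase hex, no separators
    listing_reason: str  # what the list associates the certificate with


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER encoding, the usual key for certificate blocklists."""
    return hashlib.sha1(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return 40 lowercase hex chars."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(cleaned) != 40:
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return cleaned


def load_blocklist(text: str) -> Dict[str, BlocklistEntry]:
    """Parse constructed 'fingerprint,reason' lines; '#' starts a comment."""
    entries: Dict[str, BlocklistEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw_fp, reason = (field.strip() for field in line.split(",", 1))
        fp = normalize_fingerprint(raw_fp)
        entries[fp] = BlocklistEntry(fp, reason)
    return entries


def match_certificates(
    observed: Dict[str, bytes], blocklist: Dict[str, BlocklistEntry]
) -> List[Tuple[str, BlocklistEntry]]:
    """Return (flow, entry) for every observed certificate on the blocklist."""
    hits = []
    for flow, der in observed.items():
        entry = blocklist.get(sha1_fingerprint(der))
        if entry is not None:
            hits.append((flow, entry))
    return hits


def colon_upper(fp: str) -> str:
    """Render a fingerprint in the 'AB:CD:...' form many lists publish."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()


# Constructed blocklist. The first entry is derived from the constructed
# certificate above so the example produces a hit without any real data.
BLOCKLIST_TEXT = "\n".join([
    "# constructed sample list, not the real Abuse.ch feed",
    colon_upper(sha1_fingerprint(OBSERVED_CERTS["10.0.0.5:51234 -> 203.0.113.10:443"]))
    + ",Constructed-RAT C&C",
    "0000000000000000000000000000000000000000,Constructed-Banker C&C",
])


def run_example() -> List[Tuple[str, BlocklistEntry]]:
    return match_certificates(OBSERVED_CERTS, load_blocklist(BLOCKLIST_TEXT))


if __name__ == "__main__":
    for flow, entry in run_example():
        print(f"ALERT {flow}: certificate {entry.fingerprint} listed as {entry.listing_reason}")
```

Normalising the fingerprint format before the lookup matters because published lists and sensor output disagree on case and separators, and a missed match here is a silent miss. One limitation worth keeping in mind: this technique inspects the certificate as sent in the handshake, so it only applies where the server certificate is visible on the wire (TLS 1.2 and earlier); TLS 1.3 encrypts the Certificate message, and a passive sensor cannot fingerprint it.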

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, DanderSpritz
  • System Compromise, Trojan infection, ExecPS/Cobolt
  • System Compromise, Trojan infection, KyoznikMiner
  • System Compromise, Trojan infection, Macri
  • System Compromise, Trojan infection, MSIL/mbobbRAT
  • System Compromise, Trojan infection, Scote
  • System Compromise, Trojan infection, Sneark
  • System Compromise, Trojan infection, TohperMiner
  • System Compromise, Trojan infection, Trensil.B

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Huawei Remote Command Execution (CVE-2017-17215)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, OrientDB 2.2.x Remote Code Execution
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Mobile trojan infection, Hqwar Dropper
  • System Compromise, Mobile trojan infection, SmsSpy

Updated Detection Technique – Elise

Elise is a custom-built malware toolkit used in APT campaigns during the operation known as Lotus Blossom, which started in mid-2015. It includes features such as sandbox detection and data exfiltration, so it is considered espionage software.

iDefense analysts have now reported that Lotus Blossom has created and distributed a new variant of the Elise malware. This latest campaign targeted members of the ASEAN Defense Ministers' Meeting (ADMM). The initial compromise in this campaign is a Word document carrying an OLE object that exploits CVE-2017-11882.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • System Compromise, Targeted Malware, Elise

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Andariel Andarat
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, DustySky
  • System Compromise, Trojan infection, Linux/Lady
  • System Compromise, Trojan infection, Loadmoney

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Vulnerable software, Java
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Ransomware infection, Reveton