Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of January 2018

New Detection Technique – MeltDown

On January 3rd, 2018, researchers from Google, academic institutions, and private companies publicly revealed two security flaws – Spectre and Meltdown – that exist within nearly every Intel CPU built since 1995. The details of the vulnerabilities are outlined in CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

Meltdown breaks the isolation between user applications and the operating system, and Spectre breaks the isolation between different applications. Both are achieved by measuring the timing side effects of speculatively executed instructions.

We've added the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MeltDown

New Detection Technique – Qarallex RAT

Qarallex is a new Remote Access Tool and information stealer developed by the Qaverse group. It is written in Java and built around the open-source credential-recovery software LaZagne. It lets an attacker perform a wide variety of actions, such as capturing mouse, keyboard and camera input, recording the screen, or stealing sensitive data from the machine. Qaverse's objective is to sell the functionality of this tool as RaaS (RAT as a Service).

Infected machines send HTTPS traffic to the domain vvrhhhnaijyj6s2m.onion[.]casa. After installation the malware makes a total of 4 HTTPS requests to the C&C server, in which it reports host information such as the running OS, hardware statistics, and user information.

We've added the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Qarallex RAT
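As an added illustration (not part of this bulletin or of any product rule), the following script shows how the Qarallex indicator above can be matched against HTTPS proxy logs: the defanged domain is refanged only inside the detector, hosts are matched exactly or as subdomains so the parent domain alone does not trigger, and the number of connections per client is reported so the 4 post-install requests stand out. The proxy log format and every log line are constructed for this example.

```python
"""Flag hosts whose HTTPS proxy traffic reaches the Qarallex C&C domain.
The log format and sample lines are constructed; only the domain comes from the bulletin."""
import re
from collections import defaultdict

# Indicator as published (defanged); it is refanged only inside the detector.
QARALLEX_C2_DEFANGED = "vvrhhhnaijyj6s2m.onion[.]casa"

# Constructed proxy log: timestamp, client IP, method, host:port, HTTP status.
SAMPLE_PROXY_LOG = """\
2018-01-04T09:12:01Z 10.1.4.22 CONNECT vvrhhhnaijyj6s2m.onion.casa:443 200
2018-01-04T09:12:05Z 10.1.4.22 CONNECT vvrhhhnaijyj6s2m.onion.casa:443 200
2018-01-04T09:12:09Z 10.1.4.22 CONNECT vvrhhhnaijyj6s2m.onion.casa:443 200
2018-01-04T09:12:14Z 10.1.4.22 CONNECT vvrhhhnaijyj6s2m.onion.casa:443 200
2018-01-04T09:13:00Z 10.1.4.37 CONNECT www.example.com:443 200
2018-01-04T09:13:30Z 10.1.4.37 CONNECT onion.casa:443 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+) (?P<status>\d+)$"
)


def refang(indicator: str) -> str:
    """Turn '[.]' back into '.' so the indicator can be compared with log data."""
    return indicator.replace("[.]", ".")


def host_matches(host: str, c2: str) -> bool:
    """Exact or subdomain match only; the parent 'onion.casa' must not match."""
    host = host.lower().rstrip(".")
    return host == c2 or host.endswith("." + c2)


def detect_qarallex_c2(log_text: str, indicator: str = QARALLEX_C2_DEFANGED) -> dict:
    """Return {client_ip: [timestamps]} for every HTTPS CONNECT to the C&C domain."""
    c2 = refang(indicator).lower()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["port"] == "443" and host_matches(m["host"], c2):
            hits[m["src"]].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    for src, times in detect_qarallex_c2(SAMPLE_PROXY_LOG).items():
        print(f"{src}: {len(times)} HTTPS connection(s) to Qarallex C&C, first at {times[0]}")
```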

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Zbrain
  • System Compromise, Trojan infection, Sourtoff Receiving Simda Payload
  • System Compromise, Trojan infection, Win32/Agent.o
  • System Compromise, Trojan infection, Win32/CoinMiner.AQL Checkin Observed
  • System Compromise, Trojan infection, Win32/FileTour Variant
  • System Compromise, Trojan infection, Xmrok
  • System Compromise, Trojan infection, Bancos Variant.DZO
  • System Compromise, Trojan infection, Injector.OWL
  • System Compromise, Trojan infection, Spy.Agent.BEV

Added Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the SSL certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including:

  • System Compromise, C&C Communication, APT32 SSL Certificate
  • System Compromise, C&C Communication, MalDoc SSL activity
  • System Compromise, C&C Communication, Meterpreter SSL Certificate

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CVE-2017-6736 Malformed Vulnerable OID Inbound
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, AdFraudClicker
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Windows Installer
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Spectre
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS IE 11 Type Confusion RCE CVE-2018-0762
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, PCKeeper
  • Exploitation & Installation, VOIP Service - Hacking Tool, Tech Support Phone Scam

Updated Detection Technique – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Hiloti
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, ZLoader

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Dridex
  • System Compromise, Malware RAT, Bitter RAT
  • System Compromise, Targeted Malware, APT32