Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of March 2018

New Detection Technique – FlawedAmmyy

In February 2018, Proofpoint researchers analyzed a massive email campaign containing a zipped .url attachment, sent by the threat actor they refer to as TA505. TA505 has also been involved in Dridex and Locky campaigns. The subject of the emails matches the pattern 'Receipt No xxxxxxxx,' where 'x' represents random digits, and the word 'Receipt' could also be 'Bill' or 'Invoice.'

The emails deliver malware dubbed 'FlawedAmmyy,' which has been in use since 2016.

Windows processes the shared .url files as Internet shortcuts. When a recipient opens one, the shortcut points to a JavaScript file that is fetched and executed directly over SMB rather than retrieved through a web browser. That script then downloads a tool called Quant Loader, which in turn fetches the FlawedAmmyy RAT as the final payload. The use of .url files together with JavaScript delivered over SMB is unusual, and this is the first time the two methods have been seen combined.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Win32/FlawedAmmyy 
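A defender-side triage check for the delivery stage described above, written as an added example (not vendor code): it parses a Windows .url shortcut and flags targets that point at a script on a remote SMB share. The sample shortcuts and the 203.0.113.10 host are constructed.

```python
"""Triage Windows .url (Internet Shortcut) files for the delivery pattern above:
a shortcut whose target is a script on a remote SMB share, so that opening it
makes Windows fetch and run the script over SMB instead of showing a web page.
Added defensive example, not vendor code; all sample shortcuts are constructed."""
import os
from urllib.parse import urlparse, unquote

# Extensions the Windows Script Host (or mshta for .hta) will execute from a share.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

def parse_url_file(text):
    """Return the key=value pairs of the [InternetShortcut] section, keys lower-cased."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def triage_shortcut(text):
    """Classify one .url file. Severity: high = remote share AND script target,
    medium = only one of the two, none = an ordinary http(s) link."""
    target = parse_url_file(text).get("url", "")
    if target.startswith("\\\\"):                      # UNC path: \\host\share\file
        host, path = target.lstrip("\\").split("\\", 1)[0], target
    else:
        parsed = urlparse(target)
        host = parsed.hostname if parsed.scheme == "file" else None
        path = unquote(parsed.path)
    remote_share = bool(host)
    script = os.path.splitext(path.lower())[1] in SCRIPT_EXTS
    reasons = []
    if remote_share:
        reasons.append(f"target is fetched over SMB from {host}")
    if script:
        reasons.append("target is a Windows script file")
    severity = "high" if remote_share and script else "medium" if reasons else "none"
    return {"target": target, "remote_host": host, "reasons": reasons, "severity": severity}

# Constructed samples (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_SMB_SHORTCUT = "[InternetShortcut]\r\nURL=file://203.0.113.10/share/Receipt_12345678.js\r\n"
SAMPLE_UNC_SHORTCUT = "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\Bill.js\r\n"
SAMPLE_WEB_SHORTCUT = "[InternetShortcut]\r\nURL=https://www.example.com/invoice\r\n"
```

Run it over attachments extracted from mail, or over .url files written to user profiles, and escalate anything rated high.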

New Detection Technique – TSCookie

TSCookie malware has appeared in several targeted attacks since 2015. TSCookie is commonly spread by email and has recently been observed in spoofed messages impersonating the Ministry of Education and Sports in Japan.

TSCookie serves as a downloader. It communicates with C&C servers over HTTP and downloads a module and its loader. The malware contains an encrypted DLL that is decrypted and loaded into memory; this DLL performs the core functions, such as communicating with the C&C servers over an RC4-encrypted channel.

TSCookieRAT is the final malware downloaded and executed on a TSCookie infection. It can perform actions such as executing arbitrary shell commands, sending system information, and retrieving browser passwords. All communications are performed over HTTP, and each is encrypted separately.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, TScookie 

New Detection Techniques – Mobile Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, Android.Styricka.GEN6254 
  • System Compromise, Mobile trojan infection, Android.Trojan.HiddenApp.EN 
  • System Compromise, Mobile trojan infection, Android/Agent.AMP 
  • System Compromise, Mobile trojan infection, Android/Arukas.A!tr 
  • System Compromise, Mobile trojan infection, RiskTool.AndroidOS.Dnotua.olg 
  • System Compromise, Mobile trojan infection, SMS-Flooder.AndroidOS.Agent.l 
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Agent.on 
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Triada.cx 

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity: 

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible JScript Coming Over SMB 
  • System Compromise, Malware infection, Searchjstg 
  • System Compromise, Ransomware infection, PrincessLocker 
  • System Compromise, Targeted Malware, Donot Team YTY Framework 
  • System Compromise, Trojan infection, Malicious EnergyMech Command 
  • System Compromise, Trojan infection, MSIL/EngWiz 
  • System Compromise, Trojan infection, MSIL/MinerG8 CoinMiner 
  • System Compromise, Trojan infection, MSIL/XRoS 
  • System Compromise, Trojan infection, NSIS/CoinMiner.Downloader 
  • System Compromise, Trojan infection, OSX/iMessage.Stealer 

New Detection Technique – Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:


  • System Compromise, C&C Communication, MalDoc SSL activity
  • System Compromise, C&C Communication, Malicious SSL certificate
  • System Compromise, C&C Communication, Meterpreter SSL Certificate
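The check behind the certificate-based rules above, as an added example rather than vendor code: match server-certificate SHA1 fingerprints logged by a TLS sensor against the abuse.ch SSL Blacklist. It assumes the SSLBL CSV layout 'Listingdate,SHA1,Listingreason' with '#' comment lines; the blocklist row, the DER blob it fingerprints and the connection records are all constructed.

```python
"""Match TLS server-certificate fingerprints seen on the wire against the
abuse.ch SSL Blacklist (SSLBL). Added defensive example, not vendor code.
Assumes the SSLBL CSV layout 'Listingdate,SHA1,Listingreason' with '#'
comment lines; every fingerprint and connection below is constructed."""
import csv
import hashlib

def load_sslbl(csv_text):
    """Map lower-case SHA1 fingerprint -> listing reason, skipping comment lines."""
    rows = (l for l in csv_text.splitlines() if l and not l.startswith("#"))
    return {sha1.strip().lower(): reason.strip()
            for _, sha1, reason in csv.reader(rows)}

def cert_fingerprint(der_bytes):
    """SSLBL lists the SHA1 over the DER-encoded certificate bytes."""
    return hashlib.sha1(der_bytes).hexdigest()

def match_connections(connections, blocklist):
    """connections: iterable of dicts with src, dst and sha1 (as a sensor logs them).
    Returns one alert per (dst, fingerprint) pair that appears on the blocklist,
    so a chatty implant beaconing repeatedly yields a single alert per server."""
    alerts, seen = [], set()
    for c in connections:
        fp = c["sha1"].lower()            # sensors differ in case; SSLBL is lower-case
        key = (c["dst"], fp)
        if fp in blocklist and key not in seen:
            seen.add(key)
            alerts.append({"src": c["src"], "dst": c["dst"], "sha1": fp,
                           "reason": blocklist[fp]})
    return alerts

# Constructed blocklist: the fingerprint is of a fake DER blob, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_SSLBL = ("# Listingdate,SHA1,Listingreason\n"
                f"2018-03-01 00:00:00,{cert_fingerprint(FAKE_DER)},Constructed C&C\n")
SAMPLE_CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.20", "sha1": cert_fingerprint(FAKE_DER).upper()},
    {"src": "10.0.0.6", "dst": "203.0.113.20", "sha1": cert_fingerprint(FAKE_DER)},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "sha1": "0" * 40},
]
```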

Updated Detection Technique – AZORult

AZORult has recently reappeared in cybercrime activity, spread through spam email campaigns. Recent malicious emails have impersonated DHL delivery notifications.

The malicious emails contained a single RTF file carrying three different exploits in the form of .exe files and OLE objects. The vulnerabilities exploited are CVE-2017-8759, CVE-2017-11882, and CVE-2017-0199. These vulnerabilities affect several Microsoft Windows products, such as the .NET Framework and the Office suite. If any of the exploits executes successfully, the system is infected with AZORult version 2.

AZORult is a trojan horse with spying and C&C capabilities. It can steal passwords from web browsers and email clients, collect wallet.dat files from popular Bitcoin clients, and gather other sensitive information such as the Skype message history, the list of installed programs, and file extensions. Applying the proper patches to the affected Windows components is enough to prevent AZORult from infecting the machine in this campaign.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, AZORult

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, Memcached DDoS Amplification
  • Delivery & Attack, Denial of Service - Known vulnerability, Memcached DDoS Amplification Response Outbound
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Botnet infection, Win32/Onliner Spam Bot
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, PhilBot
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Ransomware infection, Princess
  • System Compromise, Trojan infection, LiteHTTP Bot