Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of March 2018
New Detection Technique – FlawedAmmyy
In February 2018, Proofpoint researchers analyzed a massive email campaign containing a zipped .url attachment, sent by the threat actor they refer to as TA505. TA505 has also been involved in Dridex and Locky campaigns. The subject of the emails matches the pattern 'Receipt No xxxxxxxx,' where 'x' represents random digits, and the word 'Receipt' could also be 'Bill' or 'Invoice.'
The emails deliver a remote access trojan dubbed 'FlawedAmmyy', built from leaked Ammyy Admin source code and in use since 2016.
When the recipient opens an extracted .url file (Windows handles these as Internet shortcuts), the shortcut points not to a web server but to a remote SMB share, so Windows fetches a JavaScript file and executes it directly over SMB rather than through a browser. That script downloads a tool called Quant Loader, which in turn fetches the FlawedAmmyy RAT as the final payload. Both the use of .url files and the delivery of JavaScript over SMB are unusual, and this is the first time the two techniques have been seen together.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Malware RAT, Win32/FlawedAmmyy
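The delivery trick above is visible in the attachment itself: a .url file is a small INI-style text file, and the campaign's shortcuts pointed at a remote host instead of a website. The following script, added here as an illustration and not part of AlienVault's signatures or Proofpoint's research, parses a .url body and flags URL, IconFile or WorkingDirectory fields that resolve to a remote UNC/SMB location, with an extra note when the target is a script or executable. The sample shortcut, its host (192.0.2.10) and the file name are constructed; the list of flagged extensions is my choice.

```python
import configparser
import os
from urllib.parse import unquote, urlparse

# File types whose launch straight from a remote share is the FlawedAmmyy pattern
# (script over SMB); the list is my choice, not taken from the campaign.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".dll", ".lnk"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def split_remote(target):
    """Return (host, path) when target names a remote UNC/SMB location, else (None, '').

    Windows resolves both '\\\\host\\share\\x' and 'file://host/share/x' through the
    redirector, i.e. over SMB when the host is not local.
    """
    t = unquote(target.strip())
    if t.startswith("\\\\"):                       # \\host\share\file
        host, _, path = t[2:].partition("\\")
        return host, path
    u = urlparse(t)
    if u.scheme.lower() != "file":
        return None, ""                           # http/https etc.: an ordinary web shortcut
    if u.netloc:                                  # file://host/share/file
        return u.netloc, u.path
    if u.path.startswith("//"):                   # file:////host/share/file
        host, _, path = u.path[2:].partition("/")
        return host, path
    return None, ""                               # file:///C:/... is a local path


def classify(target):
    """Describe why a shortcut target is suspicious, or return None if it is not."""
    host, path = split_remote(target)
    if host is None or host.lower() in LOCAL_HOSTS:
        return None
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTS:
        return "remote SMB target launches %s" % ext
    return "remote SMB target"


def scan_url_file(text):
    """Parse a .url (InternetShortcut) file body and list suspicious fields.

    URL is what Windows opens; IconFile is fetched when Explorer renders the icon,
    so a remote IconFile already triggers an outbound SMB connection.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if not cp.has_section("InternetShortcut"):
        return findings
    for key in ("URL", "IconFile", "WorkingDirectory"):
        if cp.has_option("InternetShortcut", key):
            target = cp.get("InternetShortcut", key).strip()
            reason = classify(target)
            if reason:
                findings.append((key, target, reason))
    return findings


# Constructed sample in the shape of the campaign's attachment; host and name are made up.
SAMPLE_URL = """[InternetShortcut]
URL=file://192.0.2.10/share/Receipt_No_38170245.js
IconIndex=0
"""

if __name__ == "__main__":
    for key, target, reason in scan_url_file(SAMPLE_URL):
        print("%s=%s -> %s" % (key, target, reason))
```

A shortcut to an https:// site or to a local file:///C:/ path produces no finding, which keeps the check quiet on legitimate Internet shortcuts; the IDS side of the same detection is the "Possible JScript Coming Over SMB" rule listed further down.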
New Detection Technique – TSCookie
TSCookie has appeared in several targeted attacks since 2015. It is commonly spread by email and has recently been observed in fake messages purporting to come from the Ministry of Education and Sports in Japan.
TSCookie acts as a downloader: it talks to its C&C servers over HTTP and retrieves a module together with the loader for it. The malware carries an encrypted DLL that it decrypts and loads in memory; this DLL implements the core functionality, including C&C communication over an RC4-encrypted channel.
TSCookieRAT is the final payload downloaded and executed on a TSCookie-infected host. It can execute arbitrary shell commands, send system information, and retrieve browser passwords. All of its communication is carried over HTTP, with each message encrypted separately.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Trojan infection, TScookie
New Detection Techniques – Mobile Trojan Infection
We've updated the following correlation rules as a result of additional recent malicious activity:
- System Compromise, Mobile trojan infection, Android.Styricka.GEN6254
- System Compromise, Mobile trojan infection, Android.Trojan.HiddenApp.EN
- System Compromise, Mobile trojan infection, Android/Agent.AMP
- System Compromise, Mobile trojan infection, Android/Arukas.A!tr
- System Compromise, Mobile trojan infection, RiskTool.AndroidOS.Dnotua.olg
- System Compromise, Mobile trojan infection, SMS-Flooder.AndroidOS.Agent.l
- System Compromise, Mobile trojan infection, Trojan.AndroidOS.Agent.on
- System Compromise, Mobile trojan infection, Trojan.AndroidOS.Triada.cx
New Detection Techniques
We've added the following correlation rules as a result of additional recent malicious activity:
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible JScript Coming Over SMB
- System Compromise, Malware infection, Searchjstg
- System Compromise, Ransomware infection, PrincessLocker
- System Compromise, Targeted Malware, Donot Team YTY Framework
- System Compromise, Trojan infection, Malicious EnergyMech Command
- System Compromise, Trojan infection, MSIL/EngWiz
- System Compromise, Trojan infection, MSIL/MinerG8 CoinMiner
- System Compromise, Trojan infection, MSIL/XRoS
- System Compromise, Trojan infection, NSIS/CoinMiner.Downloader
- System Compromise, Trojan infection, OSX/iMessage.Stealer
New Detection Technique – Malware SSL Certificates
We've added IDS signatures covering the SSL certificates that abuse.ch's SSL Blacklist (SSLBL) has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including:
- System Compromise, C&C Communication, MalDoc SSL activity
- System Compromise, C&C Communication, Malicious SSL certificate
- System Compromise, C&C Communication, Meterpreter SSL Certificate
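The SSLBL feed keys on the SHA-1 fingerprint of the server certificate, while sensors such as Suricata log the same fingerprint in colon-separated form, so matching is mostly a normalisation problem. The script below, added as an example and not part of the product's rule set, parses an SSLBL-style CSV, normalises fingerprints from Suricata EVE "tls" records and reports matches. The "certificate" bytes, the block-list row and the EVE records are all constructed for the example; the EVE field names follow Suricata's TLS logging.

```python
import hashlib
import json


def normalize_fp(fp):
    """SSLBL lists bare lowercase hex; Suricata logs colon-separated hex. Make them comparable."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def cert_fingerprint(der_bytes):
    """SSLBL keys on the SHA-1 of the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest()


def load_sslbl(csv_text):
    """Parse SSLBL CSV rows (Listingdate,SHA1,Listingreason) into {sha1: (date, reason)}."""
    listed = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)          # the reason field may itself contain commas
        if len(parts) != 3:
            continue
        date, sha1, reason = parts
        listed[normalize_fp(sha1)] = (date, reason)
    return listed


def match_tls_events(eve_lines, listed):
    """Match Suricata EVE 'tls' records against the block list; returns one dict per hit."""
    hits = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") != "tls":
            continue
        fp = ev.get("tls", {}).get("fingerprint")
        if not fp:
            continue
        key = normalize_fp(fp)
        if key in listed:
            date, reason = listed[key]
            hits.append({"src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"),
                         "dest_port": ev.get("dest_port"), "sni": ev["tls"].get("sni"),
                         "sha1": key, "reason": reason, "listed": date})
    return hits


# Constructed stand-in for a DER certificate (just bytes to hash, not a real certificate).
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes-for-the-example"
BAD_SHA1 = cert_fingerprint(FAKE_DER)

# Constructed excerpt in SSLBL's CSV layout; the comment header mirrors the feed's.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2018-03-01 09:12:33,%s,Example C&C (constructed entry)
""" % BAD_SHA1

# Constructed EVE records; field names follow Suricata's TLS logging.
SAMPLE_EVE = [
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7",
                "dest_port": 443, "tls": {"subject": "CN=example", "sni": "update.example",
                                          "fingerprint": ":".join(BAD_SHA1[i:i + 2] for i in range(0, 40, 2))}}),
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.6", "dest_ip": "203.0.113.9",
                "dest_port": 443, "tls": {"subject": "CN=benign", "fingerprint": "00:" * 19 + "00"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.7", "dest_ip": "203.0.113.9"}),
]

if __name__ == "__main__":
    for hit in match_tls_events(SAMPLE_EVE, load_sslbl(SSLBL_CSV)):
        print(json.dumps(hit))
```

Fingerprint matching only works while the server still presents the listed certificate; abuse.ch also publishes the same list as ready-made Suricata rules, which is the simpler route when the sensor supports it.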
Updated Detection Technique – AZORult
AZORult has recently been spread in cybercrime spam campaigns; the latest malicious emails impersonate DHL delivery notifications.
Each email carries a single RTF attachment containing three different exploits embedded as OLE objects and executables, targeting CVE-2017-8759, CVE-2017-11882, and CVE-2017-0199. These vulnerabilities affect several Microsoft products, including the .NET Framework and the Office suite. If any one of the exploits succeeds, the system is infected with AZORult version 2.
AZORult is an information-stealing trojan with C&C capabilities. It steals passwords from web browsers and email clients, collects wallet.dat files from popular Bitcoin clients, and gathers other sensitive data such as Skype message history, the list of installed programs, and file extension information. Because every exploit in this campaign targets a vulnerability Microsoft has already fixed, applying the patches for the three CVEs is enough to block the infection chain at the exploitation stage.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Trojan infection, AZORult
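Triage of an RTF lure like the one above starts with the embedded objects: RTF stores them as hex in \objdata destinations, and the decoded bytes carry the OLE class name and CLSIDs that tell the three exploit families apart. The following script is an added example, not AlienVault's signature logic or a reproduction of the campaign's document: it decodes \objdata blobs, flags control words that make Word act on an object at open time, and looks for the CLSIDs and ASCII markers associated with Equation Editor, the URL moniker and the SOAP moniker. The CLSID selection is mine, and the sample RTF is a constructed fixture carrying only an OLE1 header and a CLSID, not a working exploit.

```python
import re
import uuid

# Control words that make Word act on an embedded object; the selection is mine.
CONTROL_WORDS = {
    "\\objupdate": "object updated (loaded) when the document opens",
    "\\objautlink": "auto-linked OLE object",
    "\\objemb": "embedded OLE object",
}
# CLSIDs seen in exploit documents for the three CVEs named above; again my selection.
CLSIDS = {
    "0002CE02-0000-0000-C000-000000000046": "Equation Editor (Equation.3), CVE-2017-11882",
    "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B": "URL moniker, CVE-2017-0199",
    "ECABB0C7-7F19-11D2-978E-0000F8757E2A": "SOAP moniker, CVE-2017-8759",
}
ASCII_MARKERS = [b"Equation.3", b"Equation Native", b"http://", b"https://"]

# Hex payload of a \objdata destination; the match stops at the group's closing brace.
# Real lures often obfuscate this hex (nested groups, junk control words), which
# this minimal regex does not untangle; oletools' rtfobj is the tool for that.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf):
    """Decode every \\objdata hex blob in an RTF byte string."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = b"".join(m.group(1).split())
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def triage_rtf(rtf):
    """Return human-readable findings for an RTF; an empty list means nothing matched."""
    findings = []
    for cw, why in CONTROL_WORDS.items():
        if cw.encode() in rtf:
            findings.append("%s: %s" % (cw, why))
    for i, blob in enumerate(extract_objdata(rtf)):
        for clsid, what in CLSIDS.items():
            if uuid.UUID(clsid).bytes_le in blob:   # CLSIDs are stored little-endian
                findings.append("objdata[%d]: CLSID %s (%s)" % (i, clsid, what))
        for marker in ASCII_MARKERS:
            # OLE1 headers store the class name in ASCII; OLE2 stream names are UTF-16LE.
            if marker in blob or marker.decode().encode("utf-16-le") in blob:
                findings.append("objdata[%d]: marker %s" % (i, marker.decode()))
    return findings


def build_sample_rtf():
    """Constructed RTF with an OLE1 embedding header naming Equation.3.

    A real object would carry a whole OLE compound file after the header; here the
    Equation Editor CLSID stands in for it. This is a test fixture, not an exploit.
    """
    progid = b"Equation.3\x00"
    ole1 = (b"\x01\x05\x00\x00"                      # OLEVersion
            + b"\x02\x00\x00\x00"                    # FormatID 2 = embedded object
            + len(progid).to_bytes(4, "little") + progid
            + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00")  # empty TopicName / ItemName
    native = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
    objdata = ole1 + len(native).to_bytes(4, "little") + native
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + objdata.hex().encode() + b"}}\\par}")


if __name__ == "__main__":
    for line in triage_rtf(build_sample_rtf()):
        print(line)
```

On the fixture the script reports the \objupdate and \objemb control words, the Equation Editor CLSID and the Equation.3 class name, which is the combination that should send a document to sandboxing regardless of whether the host is patched.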
Updated Correlation Rules
We've updated the following correlation rules as a result of recent malicious activity:
- Delivery & Attack, Denial of Service - Known vulnerability, Memcached DDoS Amplification
- Delivery & Attack, Denial of Service - Known vulnerability, Memcached DDoS Amplification Response Outbound
- Delivery & Attack, Malicious website, Phishing activity
- Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
- System Compromise, Backdoor, Bladabindi
- System Compromise, Botnet infection, Win32/Onliner Spam Bot
- System Compromise, Malware infection, CoinMiner
- System Compromise, Malware infection, PhilBot
- System Compromise, Mobile trojan infection, Asacub.a Banker
- System Compromise, Ransomware infection, GandCrab
- System Compromise, Ransomware infection, Princess
- System Compromise, Trojan infection, LiteHTTP Bot