Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of May 2017

New Detection Technique - WannaCry

WannaCry, also known as WannaCrypt, WanaCrypt0r 2.0 or wCry, is a new ransomware variant that uses the EternalBlue and DoublePulsar exploits to spread in a worm-like fashion. Researchers located a "kill switch" in the ransomware in the form of a domain lookup, which prevents the ransomware from running. WannaCry's simple architecture has resulted in numerous copycat variants in the wild.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, WannaCry

New Detection Technique - Jaff

Jaff is a new ransomware variant that is being distributed by the Necurs botnet in a global malicious email campaign that peaked at nearly 5 million emails per hour. The emails contain a malicious PDF with an embedded DOCM file whose macro script downloads and runs Jaff.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Jaff
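As an added defender-side example (not AlienVault's code or the logic of the rule above), the script below triages a PDF attachment for the delivery pattern just described: an embedded macro-enabled Office document, optionally paired with an auto-run action. The sample PDF bytes are constructed, and the object layout and regular expressions are heuristic assumptions, not a parser of the real campaign's files.

```python
"""Raw-byte triage for PDFs that embed a macro-enabled Office document.

Caveat: a regex scan only sees uncompressed object dictionaries. A PDF that
hides its /Filespec inside an object stream (/ObjStm) or a Flate-encoded
object needs a real parser (pdfminer, peepdf) before this check is meaningful.
"""
import re

# Office extensions that can carry VBA macros (assumed list).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

# /Filespec names the attachment; /F or /UF holds the file name.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/(?:UF|F)\s*\(([^)]*)\)", re.S)
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile")
# Actions that run on open without a user click: a strong escalation signal.
AUTO_OPEN_RE = re.compile(rb"/OpenAction|/AA\b|/JavaScript|/JS\b")


def embedded_office_macros(pdf: bytes) -> list:
    """Return names of embedded files whose extension is macro-enabled."""
    hits = []
    if not EMBEDDED_RE.search(pdf):
        return hits
    for m in FILESPEC_RE.finditer(pdf):
        name = m.group(1).decode("latin-1").strip()
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            hits.append(name)
    return hits


def verdict(pdf: bytes) -> str:
    """'clean', 'suspicious' (macro doc embedded) or 'high' (also auto-runs)."""
    if not embedded_office_macros(pdf):
        return "clean"
    return "high" if AUTO_OPEN_RE.search(pdf) else "suspicious"


# Constructed skeletons, not real samples: a lure with an embedded .docm and
# an open action, and a benign PDF with a plain-text attachment.
SAMPLE_MALICIOUS = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"5 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n"
)
SAMPLE_BENIGN = (
    b"%PDF-1.7\n"
    b"3 0 obj << /Type /Filespec /F (notes.txt) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n%%EOF\n"
)
```

Run `verdict()` over mail-gateway quarantine as a cheap first pass; anything other than "clean" is worth detonating or handing to a full PDF parser.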

New Detection Technique - OSX/Proton

OSX/Proton, the newest variant of the Proton family, has most recently been distributed by embedding it in HandBrake, a popular piece of software. Upon execution, it displays a fake authentication popup in an attempt to elevate its privileges. Proton is currently being sold on the dark web for 40 BTC.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, OSX/Proton

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, FrozrLock
  • System Compromise, Ransomware infection, NewHT

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Serpent

New Detection Technique - Equation Group Leaks

The Shadow Brokers have leaked more of the Equation Group's hacking tools, which were stolen from the NSA. The four-year-old exploits target Microsoft Windows systems from Windows 2000 up through Server 2012, as well as Windows 7 and 8. The leaked files range from Windows exploits to tools for monitoring SWIFT interbank payments.

We've added IDS signatures and the following correlation rule to detect exploit activity from these tools:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ERRATICGOPHER

Microsoft/Adobe Patch Tuesday

This week's updates include Microsoft/Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0221)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Edge Type Confusion Exploit (CVE-2017-0227)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Edge Chakra UAF Exploit (CVE-2017-0228)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Scripting Engine Memory Corruption Vulnerability (CVE-2017-0234)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Scripting Engine Memory Corruption (CVE-2017-0236)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Edge Type Confusion Exploit (CVE-2017-0238)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Edge UAF Exploit (CVE-2017-0240)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Kernel Information Disclosure Vulnerability (CVE-2017-0259)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability (CVE-2017-0263)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Chakra Core Type Confusion Vuln (CVE-2017-0266)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Flash BlendMode Vuln (CVE-2017-3069)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Flash BlendMode Vuln (CVE-2017-3070)
  • Delivery & Attack, Denial of Service - Known vulnerability, MS DNS CHAOS Denial of Service (CVE-2017-0171)

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

  • System Compromise, Trojan infection, Slingup
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Intel AMT Login Attempt Detected (CVE-2017-5689)
  • Delivery & Attack, Malicious website - Exploit Kit, Bingo EK
  • System Compromise, Trojan infection, AZORult
  • Delivery & Attack, WebServer Attack - SQL Injection, Attack Pattern Detection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Jenkins Java Deserialization RCE CVE-2017-1000353
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Alerton Webtalk 2.5-3.3 Command Injection Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Logsign Remote Command Injection Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WePresent WiPG-1000 - Command Injection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, GoAhead Camera Command Injection Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, GoAhead Camera Credential Stealing Attempt
  • Exploitation & Installation, Default Credentials, GoAhead Camera Default Credential Use
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Magento Arbitrary File Upload
  • Exploitation & Installation, Sensitive Data - Configuration File, Apache Tomcat Path Traversal Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MOXA AWK-3131A
  • System Compromise, Trojan infection, Bondnet
  • System Compromise, Trojan infection, Ploutus-D

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Babylon RAT
  • System Compromise, Malware RAT, Netwire

Updated Detection Technique - Greenbug Ismdoor

The Greenbug cyberespionage group was discovered by Symantec while investigating reports of a new attack in the Middle East targeting various companies in the government, aviation, investment, and energy sectors. The group uses a custom Remote Access Trojan (RAT) known as Ismdoor as well as additional hacking tools to steal sensitive credentials from the compromised organizations.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Greenbug Ismdoor

Updated Detection Technique - Felismus

Felismus is a recently discovered piece of malware that appears to have been active for a number of months. It is modular and uses multiple techniques to hinder both analysis and discovery of the content of its communications. Given that few samples are available in the wild, Felismus is likely being used in targeted campaigns. It uses filenames that mimic those of Adobe's Content Management System and offers a range of commands typical of Remote Access Tools, including file upload, file download, file execution, and command execution.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Felismus

Updated Detection Technique - DarkHotel

The DarkHotel threat actor has been refining its malware and expanding its target demographic. DarkHotel continues to spear-phish and has recently incorporated Hacking Team's zero-day Flash exploit into some of its attacks.

We have added IDS signatures and updated a correlation rule to detect DarkHotel activity:

  • Exploitation & Installation, Targeted Malware, Darkhotel - Malicious certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible DOUBLEPULSAR Beacon Response
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, KASPERAGENT
  • System Compromise, Trojan infection, Loda
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Zegost