Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of May 2018

New Detection Technique - Adobe Flash 0-day

CVE-2018-4944 allows for arbitrary remote code execution on machines running Adobe Flash 29.0.0.140 and earlier. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS. This patch also addresses several security vulnerabilities in the Creative Cloud desktop applications.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Player Type Confusion (CVE-2018-4944)

New Detection Technique - BKransomware

BKRansomware was discovered in the wild in mid-April. Unusually, files affected by BKRansomware are not really encrypted. Instead, the files are encoded with ROT23, which is a simple letter substitution cipher.

BKRansomware targets files with a small number of extensions, such as .txt, .cpp, .docx, .doc, .pdf, .jpg, .png, .py, or .sql. Affected files are renamed with the .hainhc extension after encoding.

The ransomware message shows up in a command console window, and it is quite brief. It asks for just 50 viettel in order to restore the encrypted data. A viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries.
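Because ROT23 is a fixed letter shift rather than real encryption, files can be recovered without any key. The script below is an added example written for this update, not BKRansomware's own code or a vendor tool; it assumes the encoding is a Caesar shift of 23 positions applied to ASCII letters only (so the inverse is a shift of 3) and that encoded files carry the .hainhc suffix described above. The sample file it restores is constructed inline.

```python
"""Recover files encoded with a ROT23 letter substitution (added example).

Assumptions (not confirmed by the update text): only ASCII letters are
shifted, by 23 positions; encoded files end in ".hainhc"; the restored copy
is written beside the encoded one, which is kept for forensic analysis.
"""
import os
import string
import tempfile
from typing import List

SHIFT = 23
ENCODED_SUFFIX = ".hainhc"

_UPPER = string.ascii_uppercase.encode()
_LOWER = string.ascii_lowercase.encode()


def _shift_table(shift: int) -> bytes:
    """Build a bytes.translate table that rotates A-Z and a-z by `shift`."""
    src = _UPPER + _LOWER
    dst = (_UPPER[shift:] + _UPPER[:shift]) + (_LOWER[shift:] + _LOWER[:shift])
    return bytes.maketrans(src, dst)


# Shifting by 23 is undone by shifting a further 3 (23 + 3 = 26).
ENCODE_TABLE = _shift_table(SHIFT)
DECODE_TABLE = _shift_table((26 - SHIFT) % 26)


def rot23_encode(data: bytes) -> bytes:
    """Apply the assumed BKRansomware transform (used here only to build samples)."""
    return data.translate(ENCODE_TABLE)


def rot23_decode(data: bytes) -> bytes:
    """Invert the transform; non-letter bytes pass through unchanged."""
    return data.translate(DECODE_TABLE)


def restore_tree(root: str) -> List[str]:
    """Decode every *.hainhc file under `root`; return the restored paths."""
    restored = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENCODED_SUFFIX):
                continue
            encoded_path = os.path.join(dirpath, name)
            restored_path = encoded_path[: -len(ENCODED_SUFFIX)]
            if os.path.exists(restored_path):
                continue  # never clobber a file that already exists
            with open(encoded_path, "rb") as fh:
                plain = rot23_decode(fh.read())
            with open(restored_path, "wb") as fh:
                fh.write(plain)
            restored.append(restored_path)
    return sorted(restored)


def demo_restore() -> dict:
    """Build a constructed encoded file in a temp dir and restore it."""
    root = tempfile.mkdtemp(prefix="bk_rot23_demo_")
    sample = os.path.join(root, "notes.txt" + ENCODED_SUFFIX)
    with open(sample, "wb") as fh:
        fh.write(rot23_encode(b"Hello, World! 123"))  # constructed sample
    restored = restore_tree(root)
    with open(restored[0], "rb") as fh:
        content = fh.read()
    return {"restored": [os.path.basename(p) for p in restored], "content": content}


if __name__ == "__main__":
    result = demo_restore()
    print("restored:", result["restored"])
    print("content :", result["content"].decode())
```

Run it against a copied-out directory rather than the live victim machine: restoring beside the encoded file keeps the original artefacts intact for the incident record, and the `exists` check prevents a second run from overwriting anything.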

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Ransomware infection, BKransomware

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Agent.SLZ
  • System Compromise, Trojan infection, MSIL/Vega Stealer
  • System Compromise, Trojan infection, RedCap Downloader
  • System Compromise, Trojan infection, W32/Agent.TAQ
  • System Compromise, Trojan infection, W32/StrawberryKR.Screenlocker
  • System Compromise, Trojan infection, Win32.Wakme
  • System Compromise, Trojan infection, Win32/c4tger

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache ActiveMQ File Upload RCE (CVE-2016-3088)
  • Exploitation & Installation, WebServer Attack, In-Browser Miner JS Inject
  • System Compromise, Botnet infection, Muhskit Bot
  • System Compromise, Botnet infection, W32/Bloop.A
  • System Compromise, Malware infection, W32/JbossMiner
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Wifle
  • System Compromise, Ransomware infection, Iron Ransomware
  • System Compromise, Ransomware infection, Ransom Precist

Updated Detection Technique - Emotet

Emotet is a loader that has been observed in multiple campaigns globally. Though it was originally focused on credential data theft, it has also been used to deliver banking trojans.

Stolen credentials are stored in a temporary file, then encrypted and delivered to a command and control (C&C) server. Emotet uses the SMTP protocol to send out the emails it distributes.

Emotet is usually distributed via phishing or social engineering campaigns, inserted into mail attachments, or downloaded from malicious links. Some Emotet samples have internal network propagation capabilities built in, mostly relying on credential brute-forcing. It can also inject itself into other running processes.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Malware infection, Emotet

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, Response from a DGA Domain
  • System Compromise, C&C Communication, URLZone C2 Domain
  • System Compromise, C&C Communication, Ursnif SSL activity
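The detection logic behind these rules is a lookup of the server certificate fingerprint seen in a TLS handshake against a blocklist. The script below is an added illustration of that check, not the vendor's correlation rule or Abuse.ch code. It assumes the blocklist is a CSV of listing date, SHA1 fingerprint and listing reason (the SSLBL layout as understood here), and both the blocklist rows and the TLS connection records are constructed samples whose fingerprints are placeholders, not real indicators.

```python
"""Match TLS server-certificate fingerprints against an SSLBL-style blocklist.

Added example. Blocklist rows and connection records below are constructed;
the SHA1 values are placeholders, not real indicators of compromise.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed blocklist in the assumed layout: listing date, SHA1, reason.
BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2018-05-02 08:10:11,0123456789abcdef0123456789abcdef01234567,PLACEHOLDER Ursnif C&C
2018-05-03 14:22:05,89abcdef0123456789abcdef0123456789abcdef,PLACEHOLDER URLZone C&C
"""

# Constructed TLS connection records: timestamp, client, server, port, cert SHA1.
# The first record carries the fingerprint colon-separated, as some sensors print it.
TLS_LOG = """\
2018-05-04T09:00:01Z 10.0.0.12 203.0.113.5 443 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
2018-05-04T09:00:07Z 10.0.0.12 198.51.100.20 443 ffffffffffffffffffffffffffffffffffffffff
2018-05-04T09:01:30Z 10.0.0.33 203.0.113.77 8443 89abcdef0123456789abcdef0123456789abcdef
"""


def normalize_fingerprint(fp: str) -> str:
    """Lowercase hex with separators removed, so 'AA:BB' and 'aabb' compare equal."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def load_blocklist(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse the CSV, skipping comment and blank lines; key by normalized SHA1."""
    rows = (line for line in io.StringIO(text) if line.strip() and not line.startswith("#"))
    table: Dict[str, Tuple[str, str]] = {}
    for listed, sha1, reason in csv.reader(rows):
        table[normalize_fingerprint(sha1)] = (listed, reason)
    return table


def parse_tls_log(text: str) -> List[dict]:
    """Turn whitespace-separated connection records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sha1 = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                       "sha1": normalize_fingerprint(sha1)})
    return events


def detect_malicious_certs(events: List[dict],
                           blocklist: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one alert per connection whose server cert is on the blocklist."""
    alerts = []
    for ev in events:
        hit = blocklist.get(ev["sha1"])
        if hit is None:
            continue
        listed, reason = hit
        alerts.append({**ev, "listed": listed, "reason": reason})
    return alerts


def run_demo() -> List[dict]:
    return detect_malicious_certs(parse_tls_log(TLS_LOG), load_blocklist(BLOCKLIST_CSV))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']}:{alert['port']} "
              f"cert {alert['sha1'][:12]}... listed {alert['listed']} ({alert['reason']})")
```

The normalization step matters in practice: sensors and log pipelines disagree on case and on colon separators, and a fingerprint comparison that skips it silently misses the match. A certificate hit identifies the C&C endpoint, so the client address in the alert is the host to triage.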

Updated Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Monero Miner
  • System Compromise, Trojan infection, Razy
  • System Compromise, Trojan infection, Shiz
  • System Compromise, Trojan infection, TinyNuke
  • System Compromise, Trojan infection, Zusy

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Android/Agent.AGK
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Ransomware infection, LockCrypt
  • System Compromise, Targeted Malware, DarkHotel