Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of November 2017

New Detection Technique - ChessMaster Campaign

ChessMaster is a constantly evolving cyber-espionage campaign that leverages everything from spearphishing and infected documents to malware such as ANEL and remote access trojans like RedLeaves and PlugX to compromise its targets. Its targets are mainly Japanese media, technology companies, government agencies, and academia.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, ANEL

New Detection Technique - InPage Exploit Campaign

InPage is a word processor that supports languages such as Urdu, Persian, Pashto, and Arabic. A specially crafted document containing malicious shellcode exploits the InPage program and drops one known malware family, CONFUCIUS_B, and two previously unknown families, BioData and MY24.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, BioData
  • System Compromise, Trojan infection, MY24

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, SAD

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Generic Ransomware
  • System Compromise, Ransomware infection, Hidden-Tear

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Win32/Randrew
  • System Compromise, Trojan infection, Win32/Leviwa
  • System Compromise, Trojan infection, RouteX
  • System Compromise, Trojan infection, BoteVote
  • System Compromise, Trojan infection, ProjectHook

Updated Detection Technique - Remote Access Tools

The typical attack pattern begins with an initial attack (an exploited vulnerability) followed by the installation of malware. This last step often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Remcos/Remvio

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, PSEmpire SSL Activity
  • System Compromise, C&C Communication, Panda Banker SSL activity
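The detection described above, as an added example that is not AlienVault's own rule logic: it parses a blocklist in the Abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason; the layout and all fingerprints, hosts and dates here are constructed for the example), matches server certificate fingerprints from TLS connection records against it, and groups the hits per internal host the way a correlation rule would raise a single C&C alert.

```python
import csv
import io
from collections import defaultdict

# Constructed blocklist in the Abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason).
# Fingerprints, dates and reasons are made up for this example, not real indicators.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2017-11-01 09:12:33,1111111111111111111111111111111111111111,Panda Banker C&C
2017-11-02 14:03:07,2222222222222222222222222222222222222222,PSEmpire C&C
"""

# Constructed TLS connection records as a sensor might log them:
# internal source host, destination, SHA1 fingerprint of the server certificate.
TLS_LOG = [
    {"src": "10.0.0.5", "dst": "203.0.113.10:443",
     "cert_sha1": "1111111111111111111111111111111111111111"},
    {"src": "10.0.0.5", "dst": "203.0.113.11:443",
     "cert_sha1": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"src": "10.0.0.7", "dst": "198.51.100.2:8443",
     "cert_sha1": "2222222222222222222222222222222222222222"},
]

def load_sslbl(text):
    """Parse SSLBL-style CSV into {sha1: listing reason}, skipping '#' comment lines."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {sha1.lower(): reason for _, sha1, reason in rows}

def match_certificates(records, blocklist):
    """Return one alert per connection whose server certificate fingerprint is listed."""
    alerts = []
    for rec in records:
        reason = blocklist.get(rec["cert_sha1"].lower())
        if reason:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "reason": reason})
    return alerts

def correlate_by_host(alerts):
    """Group alerts by internal source host, the unit a correlation rule raises on."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["src"]].append(alert["reason"])
    return dict(by_host)

if __name__ == "__main__":
    hits = match_certificates(TLS_LOG, load_sslbl(SSLBL_CSV))
    for host, reasons in correlate_by_host(hits).items():
        print(f"System Compromise, C&C Communication: {host} -> {', '.join(reasons)}")
```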

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As AlienVault's Jaime Blasco described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - OceanLotus

The OS X version of OceanLotus malware pretends to be an Adobe Flash update, and has been used in spear phishing attacks related to Chinese infrastructure.

We've added IDS signatures and updated the following correlation rule to detect OceanLotus activity:

  • System Compromise, Targeted Malware, OceanLotus

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, MSIL/IRCBot
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Scar
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Worm infection, DELF