Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of September 2016

New Detection Technique - Cry

Cry, or CryLocker, is a new piece of ransomware that was uncovered by the MalwareHunterTeam. Once the ransomware infects the computer, it displays a page saying it is from an organization called the "Central Security Treatment Organization" and then appends .cry as an extension to the encrypted files (which is how the ransomware got its name). Similar to the Cerber ransomware, Cry ransomware sends information about the host machine to a command and control (C&C) server using UDP and posts that information on public forums. The distribution method appears to be associated with the Sundown exploit kit, according to TrendMicro. Furthermore, it was uncovered that if the victim attempts to pay the 1.1 bitcoin ransom, he/she will be sent to a decryption page that does not decrypt the encrypted files. Cry is still being investigated and it may be possible for victims to decrypt their files without paying the ransom.

We've added IDS signatures and the following correlation rule to detect Cry ransomware activity:

  • System Compromise, Ransomware infection, Cry

New Detection Technique - Flyper

Flyper is another ransomware variant based on the Hidden Tear virus and is spread either by exploit kits or common phishing techniques. The ransomware will encrypt the files using RSA-2048 and append a ".flyper" extension. It also replaces the victim's desktop wallpaper with a ransom note demanding 0.5 bitcoins, along with a bitcoin address and an email address (Flyper01@sigaint.org). Unlike other more sophisticated ransomware infections, this one appears to have already been cracked, making it possible to decrypt your files without having to pay the ransom.

We've added IDS signatures and the following correlation rule to detect Flyper ransomware activity:

  • System Compromise, Ransomware infection, Flyper

In addition to that, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Poshcoder
  • System Compromise, Ransomware infection, Torrentlocker
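Both families above announce themselves on the file system: Cry appends .cry and Flyper appends .flyper to every file it encrypts. The following is an added example, not AlienVault's correlation rule, of the host-side signal a defender can build from file-audit logs: a single host renaming many files to one of those extensions within a short window. The log format, host names and paths are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
"""Added example: flag a host that renames many files to a known ransomware
extension inside a short window. Log lines are constructed, not from a real
incident; the extensions come from the Cry and Flyper descriptions above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extension appended by each family, mapped to the family name used in the rule.
RANSOM_EXTENSIONS = {".cry": "Cry", ".flyper": "Flyper"}

# Constructed file-audit lines: "<timestamp> host=<name> rename <old> -> <new>".
# A raw string keeps the Windows backslashes literal.
SAMPLE_EVENTS = r"""
2016-09-01T10:00:01 host=ws17 rename C:\Users\a\report.docx -> C:\Users\a\report.docx.cry
2016-09-01T10:00:02 host=ws17 rename C:\Users\a\budget.xlsx -> C:\Users\a\budget.xlsx.cry
2016-09-01T10:00:02 host=ws17 rename C:\Users\a\photo1.jpg -> C:\Users\a\photo1.jpg.cry
2016-09-01T10:00:03 host=ws17 rename C:\Users\a\photo2.jpg -> C:\Users\a\photo2.jpg.cry
2016-09-01T10:00:04 host=ws17 rename C:\Users\a\notes.txt -> C:\Users\a\notes.txt.cry
2016-09-01T10:00:05 host=ws17 rename C:\Users\a\thesis.pdf -> C:\Users\a\thesis.pdf.cry
2016-09-01T10:05:00 host=ws22 rename C:\Users\b\draft.txt -> C:\Users\b\final.txt
2016-09-01T10:07:30 host=ws22 rename C:\Users\b\old.doc -> C:\Users\b\old.doc.flyper
"""


def parse_events(text):
    """Return a list of (timestamp, host, new_path) for every rename line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, new_path = line.rsplit(" -> ", 1)
        ts_str, host_field, action, _old_path = head.split(" ", 3)
        if action != "rename":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        events.append((ts, host_field[len("host="):], new_path))
    return events


def ransom_family(path):
    """Family name if the path ends in a known ransomware extension, else None."""
    dot = path.rfind(".")
    if dot == -1:
        return None
    return RANSOM_EXTENSIONS.get(path[dot:].lower())


def detect_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """One alert per (host, family) whose densest window holds >= threshold renames.

    threshold and window are assumed starting values; a single stray rename to a
    ransomware extension is not enough to fire, a burst is.
    """
    stamps_by_key = defaultdict(list)
    for ts, host, path in events:
        family = ransom_family(path)
        if family:
            stamps_by_key[(host, family)].append(ts)

    alerts = []
    for (host, family), stamps in stamps_by_key.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "rule": "System Compromise, Ransomware infection, " + family,
                "host": host,
                "count": best,
                "first": stamps[0],
                "last": stamps[-1],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert["rule"], "on", alert["host"], "-", alert["count"], "files")
```

With the constructed log, ws17 fires the Cry rule (six renames in five seconds) while ws22 stays quiet: its one .flyper rename is below the threshold, and a rename that does not end in a listed extension is ignored altogether.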

New Detection Technique - APT3

APT3, also known as Buckeye, is a cyber espionage group whose activity has been seen dating back to 2009. The group has been known to utilize zero-day vulnerabilities in Internet Explorer (such as CVE-2010-3962 and CVE-2014-1776). Although activity was seen several years ago, an increase in infections from a Buckeye trojan (Backdoor.Pirpi) has been detected starting in late 2015 through 2016. A majority of the recent infections have been seen in the Hong Kong region, along with some in the US and UK. The Buckeye group is distributing its malware by a spear-phishing campaign that contains a malicious zip attachment with the Internet Explorer icon. At first they didn't appear to be targeting any specific organization. However, further inspection shows that the infection only remains active on networks for longer than a day in organizations that the group is interested in. APT3 uses a number of hacking tools, such as a keylogger, RemoteCMD and OSinfo, along with the aforementioned Backdoor.Pirpi trojan.

We've added IDS signatures and the following correlation rule to detect APT3 activity:

  • System Compromise, Targeted Malware, APT3

New Detection Technique - LuaBot

LuaBot is malware that has been targeting cable modems like Intel's Puma 5 (ARM/Big Endian) as well as the ARRIS TG862 family. LuaBot seems to be part of a bigger botnet that is targeting embedded devices. The bot takes advantage of command injection in the restricted CLI of ARRIS modems that is accessed by the Password of the Day backdoor. The malware starts by setting up a Lua environment and then waits for instructions from a C&C server, whose settings are hard-coded along with the DNS recursor. There is no persistence mechanism, but the final stages of the malware restrict remote access to the device. In 2015 there were approximately 600,000 devices exposed, with that number declining sharply in 2016 to 35,000. This decrease is probably due to media coverage and security bulletins that were released.

We've added IDS signatures and the following correlation rule to detect LuaBot activity:

  • System Compromise, Trojan infection, Linux/LuaBot

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, C&C Communication, Hancitor SSL activity
  • System Compromise, C&C Communication, RockLoader SSL activity
  • System Compromise, Trojan infection, Govdi
  • System Compromise, Trojan infection, Mokes
  • System Compromise, Trojan infection, Remexi

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix that is used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
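The rule above keys on a system attempting to resolve a listed onion name. As an added example that is not AlienVault's rule or signature set, the code below shows the two checks a defender would combine over a DNS query log: a match against a blocklist of known-malicious onion names (placeholders here, not real indicators) fires the rule, and any other .onion name that reaches ordinary DNS is surfaced at lower severity, because RFC 7686 reserves .onion and such a query should never leave a properly Tor-aware client. The log layout, client addresses and the lower-severity label are constructed for the example.

```python
"""Added example: detect DNS lookups of .onion names from a query log.
Blocklist entries, log lines and the low-severity label are constructed."""
import re

RULE_MALICIOUS = "System Compromise, Malware infection, Malicious TOR .onion domain"
RULE_LEAK = "Tor .onion name queried over ordinary DNS (constructed label, lower severity)"

# Constructed placeholders standing in for the IDS signature list; not real indicators.
MALICIOUS_ONION = {
    "examplec2aaaaaaa.onion",
    "placeholder2bbbb.onion",
}

# A 2016-era (v2) onion address is a 16-character base32 label.
ONION_V2_LABEL = re.compile(r"^[a-z2-7]{16}$")

# Constructed query-log lines: "<timestamp> client=<ip> qname=<name> qtype=<type>".
SAMPLE_DNS_LOG = """\
2016-09-01T11:02:10 client=10.0.0.5 qname=www.example.com qtype=A
2016-09-01T11:02:11 client=10.0.0.5 qname=examplec2aaaaaaa.onion qtype=A
2016-09-01T11:02:15 client=10.0.0.9 qname=ab5k7zq2xyz3mnop.onion. qtype=A
2016-09-01T11:03:01 client=10.0.0.12 qname=www.PLACEHOLDER2BBBB.onion. qtype=AAAA
2016-09-01T11:03:40 client=10.0.0.12 qname=onion.example.net qtype=A
"""


def onion_name(qname):
    """Normalise a query name and return '<label>.onion', or None if not under .onion.

    Lower-cases, drops a trailing root dot, and collapses any subdomain prefix so
    'www.X.onion.' and 'X.onion' compare equal.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    return ".".join(labels[-2:])


def classify(qname):
    """(severity, rule, onion) for an onion lookup, or None for any other name."""
    onion = onion_name(qname)
    if onion is None:
        return None
    if onion in MALICIOUS_ONION:
        return "high", RULE_MALICIOUS, onion
    return "low", RULE_LEAK, onion


def parse_line(line):
    fields = line.split()
    kv = dict(field.split("=", 1) for field in fields[1:])
    return fields[0], kv["client"], kv["qname"]


def detect(log_text):
    """Return one alert dict per .onion query found in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        hit = classify(qname)
        if hit is None:
            continue
        severity, rule, onion = hit
        alerts.append({
            "ts": ts,
            "client": client,
            "qname": qname,
            "onion": onion,
            "well_formed": bool(ONION_V2_LABEL.match(onion.split(".")[0])),
            "severity": severity,
            "rule": rule,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_DNS_LOG):
        print(alert["severity"], alert["client"], alert["onion"], "->", alert["rule"])
```

Note that the name "onion.example.net" is not flagged: only the final label counts, so a benign host that merely contains the word does not trip the check.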

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with exploitation of a vulnerability, followed by installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Vawtrak SSL Certificate
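The signatures above work by matching the server certificate presented in a TLS handshake against a feed of known-bad certificate fingerprints. The code below is an added example, not AlienVault's or abuse.ch's code, of that matching step: it parses a feed in the comma-separated layout the abuse.ch SSL Blacklist uses (listing date, SHA-1 fingerprint, listing reason), fingerprints the leaf certificate seen on the wire, and maps a hit to the rule names listed above. The certificate bytes are constructed stand-ins for DER, so the fingerprints in the feed are computed from them rather than being real indicators; the reason-to-rule mapping is an assumption for the example.

```python
"""Added example: match observed TLS server certificates against an SSLBL-style
fingerprint feed. Certificate blobs, fingerprints and addresses are constructed."""
import hashlib


def sha1_fingerprint(der_bytes):
    """SHA-1 over the DER-encoded certificate, the form SSLBL lists."""
    return hashlib.sha1(der_bytes).hexdigest()


# Constructed stand-ins for DER certificate blobs (real ones are ~1 KB of ASN.1).
GOZI_CERT = b"constructed-stand-in-for-a-gozi-c2-leaf-certificate"
VAWTRAK_CERT = b"constructed-stand-in-for-a-vawtrak-c2-leaf-certificate"
OTHER_CERT = b"constructed-stand-in-for-another-listed-certificate"
BENIGN_CERT = b"constructed-stand-in-for-a-legitimate-certificate"

# Feed text in the SSLBL CSV layout: listing date, SHA1, listing reason.
SAMPLE_FEED = (
    "# Listingdate,SHA1,Listingreason\n"
    f"2016-08-29 09:15:02,{sha1_fingerprint(GOZI_CERT)},Gozi C&C\n"
    f"2016-08-30 17:40:11,{sha1_fingerprint(VAWTRAK_CERT)},Vawtrak C&C\n"
    f"2016-09-01 04:03:55,{sha1_fingerprint(OTHER_CERT)},Malware C&C\n"
)


def parse_feed(text):
    """Return {sha1: reason}; comment and blank lines are skipped."""
    listed = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _date, sha1, reason = line.split(",", 2)
        listed[sha1.strip().lower()] = reason.strip()
    return listed


def rule_for(reason):
    """Map a listing reason to a correlation rule name from this bulletin (assumed mapping)."""
    family = reason.split()[0].lower()
    if family == "gozi":
        return "System Compromise, C&C Communication, Gozi SSL Activity"
    if family == "vawtrak":
        return "System Compromise, C&C Communication, Vawtrak SSL Certificate"
    return "System Compromise, C&C Communication, Known malicious SSL certificate"


# Constructed handshake observations: (client, server:port, server leaf certificate).
SAMPLE_HANDSHAKES = [
    ("10.0.0.5", "198.51.100.10:443", GOZI_CERT),
    ("10.0.0.7", "203.0.113.22:443", BENIGN_CERT),
    ("10.0.0.9", "198.51.100.77:8443", VAWTRAK_CERT),
    # One changed byte gives a different fingerprint, so this one does not match:
    # fingerprint matching catches exact certificate reuse, not re-issued certificates.
    ("10.0.0.11", "198.51.100.10:443", GOZI_CERT[:-1] + b"X"),
]


def check_handshakes(handshakes, listed):
    """One alert per handshake whose server certificate fingerprint is in the feed."""
    alerts = []
    for client, server, der in handshakes:
        fingerprint = sha1_fingerprint(der)
        if fingerprint in listed:
            alerts.append({
                "client": client,
                "server": server,
                "sha1": fingerprint,
                "rule": rule_for(listed[fingerprint]),
            })
    return alerts


if __name__ == "__main__":
    for alert in check_handshakes(SAMPLE_HANDSHAKES, parse_feed(SAMPLE_FEED)):
        print(alert["rule"], ":", alert["client"], "->", alert["server"])
```

The last constructed handshake illustrates the limit of this technique: a fingerprint feed only catches a certificate that is reused byte-for-byte, so operators who re-issue certificates per server slip past it and need the other C&C indicators the rules combine.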

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Targeted Malware, Unknown APT
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Grelog
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Pony
  • System Compromise, Trojan infection, Tilon
  • System Compromise, Trojan infection, Unknown ScreenLocker
  • System Compromise, Trojan infection, Unknown trojan