Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of April 2016

Emerging Threat - Jigsaw Ransomware

Jigsaw is a new ransomware that not only encrypts your files but also starts deleting them if you take too long to pay the ransom. Currently the distribution method of this ransomware is unknown. This is not the first time a ransomware has threatened to delete files but it is one of the first times it has actually been carried out. The good news is that a method to decrypt the files for free has already been discovered.

We've added IDS signatures and created the following correlation rule to detect Jigsaw Ransomware:

  • System Compromise, Ransomware infection, Jigsaw

In addition to that, we updated some correlation rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Coverton
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware
  • System Compromise, Ransomware infection, Virus-Encoder

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in their products, including Edge and Internet Explorer. A specially crafted webpage could use these vulnerabilities to trigger arbitrary code execution.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Windows win32k.sys Privilege Escalation (CVE-2016-0143)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible MSXML RCE (CVE-2016-0147)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Browser Memory Corruption Vulnerability (CVE-2016-0154)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Memory Corruption (CVE-2016-0155)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-0157)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Privilege Elevation Vulnerability (CVE-2016-0158)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, IE AddRow OOB Access (CVE-2016-0159)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0164)

We also added an IDS signature to detect DoS attacks against LSARPC:

  • Delivery & Attack, Denial of Service - Known vulnerability, Possible LSARPC DOS (CVE-2016-0135)

New Detection Technique - LiteHTTP Bot

LiteHTTP bot is a new HTTP bot written in C#. The bot can collect system information, download and execute programs, and update or kill other bots present on the system.

We've added IDS signatures and created the following correlation rule to detect LiteHTTP Bot:

  • System Compromise, Trojan infection, LiteHTTP Bot

New Detection Technique - Ebury

Ebury is a trojan for Linux operating systems. It is used to steal login credentials from SSH traffic, and the stolen credentials are then sent to servers controlled by the attackers. Compromised systems are used for a variety of criminal activity, such as sending out spam, redirecting visitors of compromised websites to drive-by exploits, or running name servers for malicious domains.

We've added IDS signatures and created the following correlation rule to detect Ebury:

  • System Compromise, Trojan infection, Linux/Ebury

New Detection Technique - Cdorked

Cdorked is a stealthy backdoor meant to drive traffic to malicious websites. On a compromised host, the backdoor leaves no traces on the hard drive other than its modified httpd binary, which complicates forensic analysis.

We've added IDS signatures and created the following correlation rule to detect Cdorked:

  • System Compromise, Trojan infection, Linux/Cdorked

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, CrimeScene Mailer
  • System Compromise, Targeted Malware, APT Hedas
  • System Compromise, Trojan infection, Hagcons

New Detection Technique - Policy violation

The following correlation rules have been added to alert on activity violating corporate policy:

  • Environmental Awareness, Weak Configuration - Unauthenticated Access, Open Mgate Device

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attacks it knows in order to compromise the user's browser and install malware on the machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be reached through the Tor network; these are called hidden services. Some websites act as gateways that expose Tor hidden services to the regular Internet, so that a client can reach them without running Tor itself. We have created a new correlation rule that detects when a system accesses one of these gateways. Many ransomware schemes use hidden services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
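The check described above, as an added example that is not part of the original update: flag DNS queries whose name is an onion address prefixed to a clearnet gateway domain. The gateway suffixes and log lines are constructed for illustration; the real rule uses its own signature content.

```python
import re

# Constructed gateway suffixes for the example; the actual rule's list is not on this page.
ONION_PROXY_SUFFIXES = ("onion.gateway-a.test", "tor2web.gateway-b.test")
# Onion service names are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$|^[a-z2-7]{56}$")

# Constructed DNS log lines: "<ts> <host> query: <qname> from <client>".
DNS_LOG = """Apr 12 10:02:11 ns1 query: abcdefghijklmnop.onion.gateway-a.test from 10.0.0.5
Apr 12 10:02:12 ns1 query: www.example.test from 10.0.0.6
Apr 12 10:02:14 ns1 query: payment.tor2web.gateway-b.test from 10.0.0.7
Apr 12 10:02:15 ns1 query: blog.qwertyuiopasdfgh.tor2web.gateway-b.test from 10.0.0.8
"""
QUERY_RE = re.compile(r"query: (?P<qname>\S+) from (?P<client>[\d.]+)")


def onion_proxy_access(qname):
    """Return (onion_address, gateway) when qname is an onion name served via
    a known gateway suffix, else None. 'payment.<gateway>' is the gateway's own
    site, not a hidden service, so it is ignored."""
    host = qname.lower().rstrip(".")
    for suffix in ONION_PROXY_SUFFIXES:
        if not host.endswith("." + suffix):
            continue
        # Gateways also accept sub-labels (blog.<onion>.<gateway>); the onion
        # name is the rightmost label directly before the gateway suffix.
        prefix = host[: -len(suffix) - 1]
        candidate = prefix.rsplit(".", 1)[-1]
        if ONION_LABEL_RE.match(candidate):
            return candidate + ".onion", suffix
    return None


def scan_dns_log(text):
    """Yield one alert dict per log line that reaches a hidden service via a gateway."""
    alerts = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = onion_proxy_access(m["qname"])
        if hit:
            alerts.append({"client": m["client"], "onion": hit[0], "gateway": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan_dns_log(DNS_LOG):
        print(alert)
```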

Updated Detection Technique - TDrop2

Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the Tdrop malware family discovered in the Operation Troy campaign. (Dark Seoul was the name given to a major cyber attack on South Korea in March 2013 that affected tens of thousands of computer systems in the financial and broadcasting industries. In June 2013, McAfee published a report detailing the chronology and variants of the Dark Seoul campaign, but renamed it 'Operation Troy'. The report analyzed the entirety of the purported attack campaign, beginning in 2009 with a family of tools dubbed 'Troy'. Furthermore, in February 2016, the actors behind Dark Seoul and Operation Troy were linked to the Lazarus Group in the Operation Blockbuster report.)

In this new attack, attackers embedded the TDrop2 malware inside a legitimate video software package hosted on the software distributor’s website. By doing this, they were able to target organizations that relied on the distributor’s security camera solution and infect their systems with malware.

We've added IDS signatures and updated the following correlation rule to detect TDrop2 activity:

  • System Compromise, Targeted Malware, TDrop2

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gootkit SSL activity
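The matching logic behind such a rule, as an added example that is not part of the original update or its signature set: normalise the server-certificate SHA-1 fingerprints seen in a TLS log and look them up in a blocklist laid out like the abuse.ch SSLBL CSV (listing date, SHA-1, listing reason). Both the blocklist rows and the log lines below are constructed, not real abuse.ch data.

```python
import csv
import re

# Constructed rows in the SSLBL CSV layout; the fingerprints are not real listings.
SSLBL_CSV = """# Listing date,SHA1,Listing reason
2016-04-11 09:12:04,5bc8f1a0d2e3c4b5a6978899aabbccddeeff0011,Gootkit C&C
2016-04-12 14:03:55,0011223344556677889900aabbccddeeff001122,Unknown malware C&C
"""

# Constructed TLS log lines in a Suricata-like layout; only flow and SHA1 fields are used.
TLS_LOG = """04/12/2016-10:01:02 10.0.0.5:51234 -> 198.51.100.7:443 TLS: Subject='CN=mail.example' SHA1='5B:C8:F1:A0:D2:E3:C4:B5:A6:97:88:99:AA:BB:CC:DD:EE:FF:00:11'
04/12/2016-10:01:05 10.0.0.6:51235 -> 203.0.113.9:443 TLS: Subject='CN=login.example' SHA1='DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF'
"""
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+ .*SHA1='(?P<fp>[0-9A-Fa-f:]+)'"
)


def normalise_sha1(fp):
    """Sensors print fingerprints as colon-separated upper-case hex; the
    blocklist stores bare lower-case hex. Reduce both to the same form."""
    digest = fp.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digest):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return digest


def load_sslbl(text):
    """Parse SSLBL-style CSV into {sha1: (listing_date, reason)}, skipping comments."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    return {normalise_sha1(sha1): (date, reason) for date, sha1, reason in csv.reader(rows)}


def match_tls_log(log_text, blocklist):
    """Return one alert per TLS flow whose server certificate is on the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        fp = normalise_sha1(m["fp"])
        if fp in blocklist:
            date, reason = blocklist[fp]
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "sha1": fp, "reason": reason, "listed": date})
    return alerts


if __name__ == "__main__":
    for alert in match_tls_log(TLS_LOG, load_sslbl(SSLBL_CSV)):
        print(alert)
```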

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Linux DDoS Malware
  • System Compromise, Malware infection, Windingo - Linux Backdoor
  • System Compromise, Trojan infection, Andromeda
  • System Compromise, Trojan infection, Bagsu
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Dorifel
  • System Compromise, Trojan infection, Linux DDoS Bot
  • System Compromise, Trojan infection, Linux.Mayhem
  • System Compromise, Trojan infection, MSIL/Injector.MHV
  • System Compromise, Trojan infection, MayhemBruter
  • System Compromise, Trojan infection, ServStart
  • System Compromise, Trojan infection, Skeeyah
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Trojan with Autoit
  • System Compromise, Trojan infection, Tsunami
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, iSpy KeyLogger