Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of August 2016

Emerging Threat - Equation Group

Shadow Brokers is a group that has posted several files taken from the sophisticated Equation Group. The leaked files contain exploit code that can be used against Cisco ASA, Cisco PIX, and Cisco Firewall Services Modules. One of the exploits, called EXTRABACON, targets a buffer overflow vulnerability (CVE-2016-6366) in the SNMP code. Attackers can send specially crafted SNMP packets to the affected products, potentially gaining full control of the system. For the exploit to succeed, SNMP must be configured on the interface that receives the packets and the attacker must know the community string. All supported versions of SNMP are vulnerable, along with all Cisco ASA software releases.

We've added IDS signatures and updated the following correlation rules to detect Equation Group exploitation activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Equation Group ExtraBacon Cisco ASA PMCHECK Disable Attempt
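The two preconditions named above (SNMP reachable on the interface, community string known) are also the defender's handles: the community string and SNMP version travel in the clear in every SNMPv1/v2c datagram, so a sensor can decode the message header and alert on requests that use an unapproved community string or arrive from outside the management network. The following Python is an added example written for this update, not code from the original page, Cisco, or the IDS; the allowlisted community string, the management subnet, and the sample packets are all constructed here.

```python
"""Decode the SNMPv1/v2c message header and apply a simple policy check.

Added example. Message layout (BER): SEQUENCE { INTEGER version,
OCTET STRING community, PDU }. Only the header is parsed; the PDU tag is
reported so alerts can name the request type. Policy values are constructed.
"""
import ipaddress

# Constructed policy: one approved read-only community and one management subnet.
ALLOWED_COMMUNITIES = {"n0c-r3ad-only"}
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def parse_snmp_header(packet):
    """Return (version, community, pdu_tag) from an SNMPv1/v2c message (0 = v1, 1 = v2c)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message is not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field is not an INTEGER")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community field is not an OCTET STRING")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode("latin-1"), pdu_tag


def evaluate_snmp_packet(src_ip, packet):
    """Return alert strings for one observed SNMP datagram (empty list = policy-compliant)."""
    alerts = []
    _version, community, pdu_tag = parse_snmp_header(packet)
    pdu = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    if community not in ALLOWED_COMMUNITIES:
        alerts.append(f"{pdu} from {src_ip} using unapproved community string")
    if ipaddress.ip_address(src_ip) not in MGMT_NET:
        alerts.append(f"{pdu} from {src_ip} outside the management network")
    return alerts


# --- constructed sample traffic (short-form BER encoder, values < 128 bytes) ---
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value


def build_snmp_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00", version=1):
    """Build a v2c GetRequest for one OID (default sysDescr.0) with the given community."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")            # OID + NULL value
    pdu_body = (_tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") +        # request-id, error-status
                _tlv(0x02, b"\x00") + _tlv(0x30, varbind))         # error-index, varbind list
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + _tlv(0xA0, pdu_body))


if __name__ == "__main__":
    for src, pkt in [("10.10.0.7", build_snmp_get(b"n0c-r3ad-only")),
                     ("192.0.2.5", build_snmp_get(b"public"))]:
        print(src, evaluate_snmp_packet(src, pkt) or "ok")
```

The check is deliberately independent of any exploit-specific byte pattern: an oversized or oddly structured SNMP request from an unexpected source still fails on the community or source test before any vendor signature has to match.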

New Detection Technique - SmartThings

Samsung SmartThings is a platform for controlling smart devices such as locks, electrical outlets, and various sensors and cameras. The SmartThings hub uses standard protocols such as ZigBee and Z-Wave to connect smart devices to one another, as well as to the cloud. A newly discovered vulnerability in the SmartThings Camera bundle allows command injection. Exploiting this vulnerability allows an attacker to set a new root password on the device. With the ever-growing network of IoT devices, we can expect vulnerabilities like this to become more common.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Smartthings Bundled Camera Command Injection Attempt

New Detection Technique - Aveo

Aveo is a new malware family uncovered by Palo Alto Networks that is being used to target Japanese-speaking users and is affiliated with the FormerFirstRAT family. The malware is distributed as a Microsoft Excel file with the name 'malware.exe', which is actually a self-extracting WinRAR executable. Once the malware is launched, it establishes a connection with the command and control (C&C) server and sends back information about the victim, including a unique hash, IP address, Microsoft Windows version, and username.

We've added IDS signatures and created the following correlation rule to detect Aveo activity:

  • System Compromise, Trojan infection, Aveo

New Detection Technique - Shakti

Shakti is a new trojan that steals certain types of files and targets corporations in hopes of acquiring secret information. Upon initial installation, the malware configures itself to start on login and injects itself into an already established process, such as a web browser. Next, it establishes a connection to its C&C server using the Windows Message Queuing protocol and sends information about the target, such as computer name, username, Windows version, installed service packs, and the list of programs found in the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall registry key. Lastly, the malware scans the entire drive for specific file types and, when it finds them, exfiltrates those files to the C&C server.

We've added IDS signatures and created the following correlation rule to detect Shakti activity:

  • System Compromise, Trojan infection, Shakti

New Detection Technique - Babylon RAT

Babylon RAT is an advanced RAT (Remote Administration Tool) that has been cracked and is widely available on the internet for free. This particular RAT is fairly popular among newcomers, in part because it is free, but also because of the large number of 'how to' guides, video tutorials and hacking forums that offer support to those who have trouble using it. Babylon lets attackers control the victim's peripherals and browse the victim's files, and it ships with evasion utilities and persistence mechanisms, to name a few of its features.

We've added IDS signatures and created the following correlation rule to detect Babylon RAT activity:

  • System Compromise, Malware RAT, Babylon RAT

In addition, we updated some correlation rules and added new IDS signatures to improve the detection of previously known RATs:

  • System Compromise, Malware RAT, Luminosity Link RAT
  • System Compromise, Malware RAT, Poison Ivy

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible nProtect Netizen ActiveX Drive-By
  • System Compromise, Backdoor, Hadmad
  • System Compromise, Trojan infection, Agent.WTE
  • System Compromise, Trojan infection, Cookle
  • System Compromise, Trojan infection, Joinme
  • System Compromise, Trojan infection, LatentBot
  • System Compromise, Trojan infection, Wrimcom

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation domain

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. As we described in a blog post: We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicate that one of the group's objectives is gathering geopolitical intelligence.

We have added IDS signatures and updated correlation rules to detect recent malicious APT28 activity:

  • System Compromise, C&C Communication, APT28 XAgent SSL activity

Updated Detection Technique - DarkHotel

The DarkHotel threat actor has been refining its malware and expanding its target demographic. DarkHotel continues to spear-phish and has recently incorporated Hacking Team's zero-day Flash exploit into some of its attacks.

We have added IDS signatures and updated a correlation rule to detect DarkHotel activity:

  • System Compromise, Targeted Malware, DarkHotel

Updated Detection Technique - Ramnit

Ramnit is a computer worm that was first seen in 2009. It spreads through removable drives and by infecting executable files in the infected system.

We have updated IDS signatures and the following correlation rule related to Ramnit activity:

  • System Compromise, Worm infection, Ramnit

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Cerber

Updated Detection Technique - Malware SSL Certificates

We added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
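The rule above works on the certificate fingerprint: the sensor hashes the DER-encoded server certificate it sees in a TLS handshake and looks the SHA1 up in the feed. The following Python is an added example, not code from the original update, the IDS, or Abuse.ch. The feed text uses a date,SHA1,reason column layout and is constructed inline, as are the stand-in certificate bytes and the connection records, so no real indicator appears here.

```python
"""Fingerprint observed TLS certificates and match them against a blocklist feed.

Added example. Real sensors extract the DER certificate from the TLS
Certificate record; here constructed byte strings stand in for DER so the
whole flow (fingerprint -> feed lookup -> alert) runs offline.
"""
import csv
import hashlib
import io


def cert_fingerprint(der_bytes):
    """SHA1 fingerprint as certificate feeds list it: hex digest of the DER bytes."""
    return hashlib.sha1(der_bytes).hexdigest()


def load_blocklist(text):
    """Parse a date,SHA1,reason feed into {sha1: reason}, skipping comment and blank lines."""
    rows = csv.reader(line for line in io.StringIO(text)
                      if line.strip() and not line.startswith("#"))
    entries = {}
    for row in rows:
        _listed, sha1, reason = (col.strip() for col in row)
        entries[sha1.lower()] = reason
    return entries


def match_connections(records, blocklist):
    """Return one alert dict per connection whose server certificate is listed."""
    alerts = []
    for src, dst, sni, der in records:
        sha1 = cert_fingerprint(der)
        if sha1 in blocklist:
            alerts.append({"src": src, "dst": dst, "sni": sni,
                           "sha1": sha1, "reason": blocklist[sha1]})
    return alerts


# --- constructed sample data -------------------------------------------------
LISTED_CERT = b"constructed-stand-in-for-der-bytes-of-a-listed-certificate"
UNLISTED_CERT = b"constructed-stand-in-for-der-bytes-of-an-unlisted-certificate"

BLOCKLIST_CSV = (
    "# constructed sample feed, not a real indicator list\n"
    "# Listingdate,SHA1,Listingreason\n"
    f"2016-08-10 12:00:00,{cert_fingerprint(LISTED_CERT)},ExampleBot C&C\n"
)

# Constructed connection records: (client, server, SNI, certificate bytes seen).
TLS_LOG = [
    ("10.1.2.3", "198.51.100.7", "update.example.test", LISTED_CERT),
    ("10.1.2.9", "203.0.113.5", "www.example.test", UNLISTED_CERT),
]


if __name__ == "__main__":
    for alert in match_connections(TLS_LOG, load_blocklist(BLOCKLIST_CSV)):
        print(f"C&C certificate match: {alert['src']} -> {alert['dst']} "
              f"({alert['sni']}) sha1={alert['sha1']} reason={alert['reason']}")
```

Matching on the fingerprint rather than on the subject name or SNI is the point: a botnet operator can put any name in a self-signed certificate, but reusing the same certificate across C&C servers leaves the same SHA1 in every handshake.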

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, WebServer Attack - SQL Injection, SQL Error
  • Reconnaissance & Probing, Service discovery, DNP3
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Malware contacting Dynamic Domain
  • System Compromise, Suspicious Behaviour, EXE file download from a Dynamic DNS host
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Cromwi
  • System Compromise, Trojan infection, DDoS trojan Smoke Loader
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Zeus