Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of December 2016

New Detection Technique - Wingbird

Wingbird is a backdoor malware used in targeted attacks by the NEODYMIUM threat activity group. Wingbird has been used to attack individuals rather than companies. NEODYMIUM has used well-tailored spear-phishing emails with attachments that deliver the exploit code and lead to Wingbird's installation on the victims' computers. The group utilized an exploit for CVE-2016-4117, a vulnerability in Adobe Flash Player that was a zero-day at the time.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Wingbird

New Detection Technique - TeleBots

ESET researchers have identified a new group named TeleBots, likely an evolution of the BlackEnergy group. The TeleBots group is using a unique malicious toolset in targeted cyberattacks against high-value targets in the Ukrainian financial sector. The attackers use spear-phishing emails with attached Microsoft Excel documents containing malicious macros as the initial infection vector. During the first stages of the attack, the TeleBots group abuses various legitimate servers to hide its malicious activity in the network. The main goal of the attackers appears to be cyber sabotage.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, TeleBots

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed vulnerabilities in its Edge Browser, Internet Explorer, and other components of Windows.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge CSS History Information Disclosure Vulnerability (CVE-2016-7206)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Graphics RCE (CVE-2016-7272)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge XSS Request Inbound (CVE-2016-7280)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Security Feature Bypass (CVE-2016-7282)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Memory Corruption Vulnerability in DrawMultiple Payloads (CVE-2016-7283)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-7286)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7287)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-7288)

New Detection Technique - Ransomware

In the past week, we have seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect multiple new ransomware families:

  • System Compromise, Ransomware infection, Shigo
  • System Compromise, Ransomware infection, Xbot

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Alma
  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Maktub

New Detection Technique - Exploit

The following correlation rules have been added due to recent exploit activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Roundcube 1.2.2 RCE
  • Exploitation & Installation, Service Exploit, Netgear R7000 Command Injection Exploit

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Malware RAT, Revenge
  • System Compromise, Trojan infection, DNSChanger
  • System Compromise, Trojan infection, Instagram Bot
  • System Compromise, Trojan infection, Kwampirs
  • System Compromise, Trojan infection, TrickLoader

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all of its known attack methods to compromise the user's browser and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, DNSChanger EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, CobaltStrike SSL activity
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Suspicious SSL certificate - malicious server
  • System Compromise, Suspicious Behaviour, Suspicious SSL cert from a low reputation server
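The detection described above is, at its core, a lookup of the server certificate fingerprint seen in a TLS session against a blocklist of known-malicious fingerprints. The following added example (not code from the original update or from Abuse.ch) shows that lookup end to end: it parses a small constructed blocklist in the column layout of an Abuse.ch SSLBL CSV export (Listingdate, SHA1, Listingreason), normalizes fingerprints so that upper-case and colon-separated forms still match, and raises one alert per matching session from constructed TLS session records. The fingerprints, addresses and hostnames are all made up.

```python
import csv
import json
import re

# Constructed sample in the column layout of an Abuse.ch SSLBL CSV export
# (Listingdate,SHA1,Listingreason). The fingerprints are made up and do not
# correspond to any real certificate.
BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2016-12-05 10:00:00,0123456789abcdef0123456789abcdef01234567,Gootkit C&C
2016-12-07 14:30:00,89abcdef0123456789abcdef0123456789abcdef,CobaltStrike C&C
"""

# Constructed TLS session records (one JSON object per line), as a sensor might
# emit after parsing the server's Certificate message. Not real traffic.
TLS_LOG = """\
{"ts": "2016-12-12T08:01:02Z", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "sni": "update.example.net", "cert_sha1": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"}
{"ts": "2016-12-12T08:01:09Z", "src": "10.0.0.7", "dst": "198.51.100.4", "dport": 8443, "sni": "", "cert_sha1": "89abcdef0123456789abcdef0123456789abcdef"}
{"ts": "2016-12-12T08:02:15Z", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "sni": "www.example.org", "cert_sha1": "ffffffffffffffffffffffffffffffffffffffff"}
{"ts": "2016-12-12T08:03:44Z", "src": "10.0.0.9", "dst": "203.0.113.12", "dport": 443, "sni": "mail.example.org"}
"""

FP_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(fp):
    """Lower-case a SHA-1 fingerprint and drop colon/space separators.

    Returns None for a missing or malformed value so callers never match on junk.
    """
    if not fp:
        return None
    cleaned = re.sub(r"[:\s]", "", fp).lower()
    return cleaned if FP_RE.match(cleaned) else None


def load_blocklist(text):
    """Parse the blocklist CSV into {sha1: listing reason}, skipping comment lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    blocklist = {}
    for _date, sha1, reason in csv.reader(rows):
        fp = normalize_fingerprint(sha1)
        if fp:
            blocklist[fp] = reason
    return blocklist


def match_tls_log(log_text, blocklist):
    """Return one alert per TLS session whose server certificate is on the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fp = normalize_fingerprint(rec.get("cert_sha1"))
        if fp is None:
            continue  # no usable certificate observed for this session
        reason = blocklist.get(fp)
        if reason:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "dport": rec["dport"], "sni": rec.get("sni", ""),
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in match_tls_log(TLS_LOG, load_blocklist(BLOCKLIST_CSV)):
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:{a["dport"]} '
              f'sni="{a["sni"]}" matched: {a["reason"]}')
```

Two of the four constructed sessions match (the first, whose fingerprint is written in colon-separated upper case, and the second, which has no SNI at all); the third is unlisted and the fourth carries no certificate fingerprint and is skipped rather than matched. A fingerprint match is exact, so a blocklist entry cannot go stale in the way a domain or IP indicator can, but it only fires while the operators keep reusing the same certificate.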

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Gh0st
  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - StrongPity

StrongPity is a new malware family developed by the StrongPity APT group. The group spreads its malware through watering hole attacks and trojanized versions of popular software (for example, WinRAR). StrongPity's components give the attackers complete control of the victim's system, let them steal disk contents, and download additional modules.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, StrongPity

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor named APT28. APT28 continues to be active today. As described in a blog post, "we have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rules to detect APT28 activity:

  • System Compromise, Mobile trojan infection, IOS_XAGENT
  • System Compromise, Targeted Malware, SEDNIT
  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, C&C Communication, APT28 SSL activity
  • System Compromise, C&C Communication, APT28 XAgent SSL activity

Updated Detection Technique - Linux.Mirai

Linux.Mirai is malware designed to hijack BusyBox-based systems to perform DDoS attacks. It made news recently as the bot used in the DDoS attack on Brian Krebs's popular security blog. Mirai is known for how easily it can victimize IoT devices: because telnet is so widely exposed and vulnerable IoT devices ship with factory-default usernames and passwords, it can build botnets of hundreds of thousands of devices.

The source code for the Linux.Mirai bot was released a few weeks ago. According to Radware, the loader and bot are written in C, while the scanListen and command and control (C&C) services are written in Go, making effective use of goroutines and channels in a Communicating Sequential Processes (CSP) design pattern.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Linux.Mirai
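Because Mirai recruits devices by sweeping the Internet for exposed telnet services, the recruitment phase is visible on the network before any credential is ever tried: a single source opening telnet connections to many distinct hosts in a short time. The following added example (not code from the original update, Radware, or the Mirai source) implements that sweep check over constructed connection records of the form "timestamp src dst dport". The IP addresses, the one-minute window and the five-target threshold are assumptions chosen for illustration; an infected device at 10.1.1.20 is flagged, while a host retrying one destination and a host that only occasionally talks telnet are not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records ("timestamp src dst dport"). Not real traffic.
FLOW_LOG = """\
2016-12-12T10:00:01Z 10.1.1.20 192.0.2.1 23
2016-12-12T10:00:02Z 10.1.1.20 192.0.2.2 23
2016-12-12T10:00:02Z 10.1.1.20 192.0.2.3 2323
2016-12-12T10:00:03Z 10.1.1.20 192.0.2.4 23
2016-12-12T10:00:03Z 10.1.1.20 192.0.2.5 23
2016-12-12T10:00:04Z 10.1.1.20 192.0.2.6 23
2016-12-12T10:00:05Z 10.1.1.21 192.0.2.7 443
2016-12-12T10:00:06Z 10.1.1.22 192.0.2.8 23
2016-12-12T10:00:06Z 10.1.1.22 192.0.2.8 23
2016-12-12T10:00:07Z 10.1.1.22 192.0.2.8 23
2016-12-12T10:20:00Z 10.1.1.23 192.0.2.9 23
2016-12-12T10:40:00Z 10.1.1.23 192.0.2.10 23
2016-12-12T11:00:00Z 10.1.1.23 192.0.2.11 23
2016-12-12T11:20:00Z 10.1.1.23 192.0.2.12 23
2016-12-12T11:40:00Z 10.1.1.23 192.0.2.13 23
"""

# Mirai's scanner targets both the standard telnet port and the common alternate.
TELNET_PORTS = {23, 2323}


def parse_flows(text):
    """Parse the constructed record format into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return flows


def detect_telnet_sweeps(flows, min_targets=5, window=timedelta(minutes=1)):
    """Return {src: max distinct telnet targets seen in any window} for sources
    that contacted at least min_targets distinct hosts on a telnet port within
    a sliding time window. Repeated connections to one host count once, so a
    device retrying a single peer is not mistaken for a scanner."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in TELNET_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    for src, count in detect_telnet_sweeps(parse_flows(FLOW_LOG)).items():
        print(f"{src}: {count} distinct telnet targets within one minute")
```

Widening the window to two hours also catches the slow sweeper at 10.1.1.23, which spreads its five targets over eighty minutes, so the threshold and window are the knobs that trade detection of low-and-slow scanning against false positives from legitimate management hosts. This check sees only the connection pattern; whether a default credential was actually accepted requires inspecting the telnet session itself, which is the part the IDS signatures cover.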

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Trojan infection, Adload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Gootkit
  • System Compromise, Trojan infection, Instagram Bot
  • System Compromise, Trojan infection, Rexpot
  • System Compromise, Trojan infection, Scar
  • System Compromise, Trojan infection, Sefnit
  • System Compromise, Trojan infection, Terdot
  • System Compromise, Trojan infection, Unknown trojan