Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of February 2016

New Detection Technique - Possible 2015-7547 Malformed Server response

A stack-based buffer overflow (CVE-2015-7547) exists in the getaddrinfo() library function of the glibc DNS client-side resolver. A remote attacker could craft a DNS response that causes libresolv to crash or potentially execute code with the permissions of the user running the library. The issue affects all versions of glibc since 2.9.

We added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Service Exploit, Possible 2015-7547 Malformed Server response
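As an added illustration of what a "malformed server response" check looks like on the wire (this is example code written for this update, not an IDS signature or code from glibc), the following Python parses the DNS header, walks the question and resource-record sections, and reports responses whose section counts overrun the payload, whose names contain bad labels or forward compression pointers, or that are unusually large. The size threshold is an illustrative assumption and the sample responses are constructed, not captured traffic.

```python
"""Sanity-check DNS responses: flag messages that are malformed or unusually large.

Added detection helper (not code from the bulletin or from glibc). The size
threshold below is an illustrative assumption, not a value from the bulletin.
"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
SUSPICIOUS_RESPONSE_SIZE = 2048         # assumption: flag anything larger than this


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the DNS name starting at `off`.

    Raises ValueError for labels that run past the message, labels longer than
    63 bytes, and compression pointers that are truncated or point forward.
    """
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                       # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[off + 1]
            if target >= off:
                raise ValueError("compression pointer does not point backwards")
            return off + 2
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        off += 1 + length


def _skip_records(msg: bytes, off: int, count: int) -> int:
    """Advance past `count` resource records (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA)."""
    for _ in range(count):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("record header runs past end of message")
        rdlength = struct.unpack_from("!H", msg, off + 8)[0]
        off += 10 + rdlength
        if off > len(msg):
            raise ValueError("RDATA runs past end of message")
    return off


def check_dns_response(msg: bytes) -> list[str]:
    """Return findings for a DNS response; an empty list means it looks well formed."""
    if len(msg) < DNS_HEADER.size:
        return ["truncated header"]
    findings = []
    _ident, flags, qdcount, ancount, nscount, arcount = DNS_HEADER.unpack_from(msg)
    if not flags & 0x8000:
        findings.append("QR bit clear: message is a query, not a response")
    if len(msg) > SUSPICIOUS_RESPONSE_SIZE:
        findings.append(f"oversized response: {len(msg)} bytes")
    try:
        off = DNS_HEADER.size
        for _ in range(qdcount):              # question entry: QNAME, QTYPE, QCLASS
            off = _skip_name(msg, off)
            if off + 4 > len(msg):
                raise ValueError("question runs past end of message")
            off += 4
        off = _skip_records(msg, off, ancount + nscount + arcount)
        if off != len(msg):
            findings.append(f"{len(msg) - off} trailing bytes after last record")
    except ValueError as exc:
        findings.append(f"malformed: {exc}")
    return findings


# --- constructed sample responses (not captured traffic) --------------------

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_response(name: str, addresses: list[bytes], claimed_answers: int = -1,
                     padding: bytes = b"") -> bytes:
    """Build a response with A records; `claimed_answers` lets ANCOUNT lie about the payload."""
    ancount = len(addresses) if claimed_answers < 0 else claimed_answers
    header = DNS_HEADER.pack(0x1234, 0x8180, 1, ancount, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + addr
                       for addr in addresses)
    return header + question + answers + padding


GOOD_RESPONSE = build_a_response("example.test", [b"\x0a\x00\x00\x01"])
SHORT_RESPONSE = build_a_response("example.test", [b"\x0a\x00\x00\x01"], claimed_answers=2)
OVERSIZED_RESPONSE = build_a_response("example.test", [b"\x0a\x00\x00\x01"], padding=b"\x00" * 2100)

if __name__ == "__main__":
    for label, sample in [("good", GOOD_RESPONSE), ("short", SHORT_RESPONSE),
                          ("oversized", OVERSIZED_RESPONSE)]:
        print(label, check_dns_response(sample) or "ok")
```

The checks are deliberately conservative: a resolver should never see section counts that overrun the payload or pointers that loop forward, so a single finding is enough to drop the message or raise an alert, while the size check is a heuristic that will need tuning for environments that legitimately use large EDNS or DNSSEC responses.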

New Detection Technique - GCman Backdoor

GCMAN is a recently identified APT group specializing in infecting banking institutions and attempting to transfer money to e-currency services. GCMAN's initial infection mechanism is spear-phishing, targeting financial institutions with e-mails carrying a malicious RAR archive. Once inside the network, the GCMAN group uses legitimate penetration testing tools such as PuTTY, VNC, and Meterpreter for lateral movement.

We added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, GCman Backdoor

New Detection Technique - Ransomware

Last week we added new IDS signatures and correlation rules to detect new ransomware:

  • System Compromise, Ransomware infection, Locky

In addition to that, we updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, HydraCrypt
  • System Compromise, Ransomware infection, PornoAsset

New Detection Technique - Internet Explorer MSHTML Form Element Type Confusion (CVE-2016-0061)

Microsoft Internet Explorer and Edge are prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page, which allows them to execute arbitrary code in the context of the currently logged-in user. Failed attacks can lead to denial-of-service conditions.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer MSHTML Form Element Type Confusion (CVE-2016-0061)

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, AlphaBot
  • System Compromise, Trojan infection, Fowap
  • System Compromise, Trojan infection, Dacic
  • System Compromise, Trojan infection, Agent XRA

Updated Detection Technique - OceanLotus

The OS X version of the OceanLotus malware pretends to be an Adobe Flash update and has been used in spear-phishing attacks related to Chinese infrastructure.

We have added IDS signatures and updated the correlation rule to detect OceanLotus activity:

  • System Compromise, Targeted Malware, OceanLotus

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Tool (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, PlugX
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
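To show how a certificate-based rule of this kind works at the packet level, here is an added Python example (written for this update, not the product's signature logic or Abuse.ch's code) that pulls the DER certificates out of a TLS Certificate handshake message, computes their SHA-1 fingerprints, and checks them against a blocklist. The certificates and the blocklist entry are constructed placeholders, so they stand in for a real blocklist feed rather than reproducing one; the approach only applies where the server certificate is sent in the clear, as it is in TLS 1.2 and earlier.

```python
"""Match TLS server certificates against a fingerprint blocklist.

Added example (not code from the bulletin, the IDS, or Abuse.ch). The
certificate blobs and the blocklist entry are constructed placeholders.
"""
import hashlib
import struct

HANDSHAKE_RECORD = 0x16      # TLS record content type: Handshake
CERTIFICATE_MSG = 11         # Handshake message type: Certificate


def extract_certificates(record: bytes) -> list[bytes]:
    """Return the DER certificates carried in one TLS Handshake record.

    Layout: record header (type, version, length) -> one or more handshake
    messages (type, 3-byte length) -> for Certificate: 3-byte chain length,
    then repeated (3-byte cert length, DER bytes).
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    certs = []
    off = 0
    while off + 4 <= len(body):
        hs_type = body[off]
        hs_len = int.from_bytes(body[off + 1:off + 4], "big")
        hs_body = body[off + 4:off + 4 + hs_len]
        if len(hs_body) != hs_len:
            raise ValueError("truncated handshake message")
        off += 4 + hs_len
        if hs_type != CERTIFICATE_MSG:
            continue                               # e.g. ServerHello: nothing to fingerprint
        chain_len = int.from_bytes(hs_body[0:3], "big")
        chain = hs_body[3:3 + chain_len]
        pos = 0
        while pos + 3 <= len(chain):
            cert_len = int.from_bytes(chain[pos:pos + 3], "big")
            cert = chain[pos + 3:pos + 3 + cert_len]
            if len(cert) != cert_len:
                raise ValueError("truncated certificate")
            certs.append(cert)
            pos += 3 + cert_len
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, the form used by Abuse.ch's SSL blocklist."""
    return hashlib.sha1(der).hexdigest()


def match_blocklist(record: bytes, blocklist: set[str]) -> list[str]:
    """Return the fingerprints from the record's certificate chain that appear in the blocklist."""
    return [fp for fp in (fingerprint(c) for c in extract_certificates(record)) if fp in blocklist]


# --- constructed sample data ------------------------------------------------

def build_certificate_record(certs: list[bytes]) -> bytes:
    """Wrap DER blobs in a Certificate handshake message inside a TLS 1.2 record."""
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(chain).to_bytes(3, "big") + chain
    handshake = bytes([CERTIFICATE_MSG]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


# Placeholder "certificates": the fingerprint is over raw DER bytes, so any byte
# string exercises the matching logic; these are not real certificates.
FAKE_LEAF_CERT = b"\x30\x10" + b"constructed-cert"
FAKE_CA_CERT = b"\x30\x0e" + b"constructed-ca"
SAMPLE_RECORD = build_certificate_record([FAKE_LEAF_CERT, FAKE_CA_CERT])

# Constructed blocklist standing in for a feed entry: contains only the fake leaf.
BLOCKLIST = {fingerprint(FAKE_LEAF_CERT)}

if __name__ == "__main__":
    for fp in match_blocklist(SAMPLE_RECORD, BLOCKLIST):
        print("known malicious SSL certificate:", fp)
```

Fingerprinting the whole chain rather than only the leaf is deliberate: malware operators reuse self-signed or shared intermediate certificates across campaigns, so a hit on any element of the chain is worth an alert.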

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Attackers embed these kits in websites, where they are invisible to ordinary users. When a user browses to a website hosting an exploit kit, the kit attempts every attack it knows to compromise the user's browser and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated the following correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK

Updated Detection Technique - Dridex

Dridex is malware designed to steal banking credentials and other personal information from a system in order to gain access to a user's financial records. Dridex performs a technique called web injection, modifying the HTML of banking websites as they are displayed, and then sends the stolen data to a remote command and control server.

We have added several IDS signatures and correlation rules that will alert when the system detects Dridex talking to a command and control server:

  • System Compromise, Malware infection, Dridex

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites act as gateways that allow access to Tor hidden services from the regular Internet without joining the Tor network. Many ransomware schemes use these services to receive payments and conduct other malicious activities. We have created a new correlation rule that will detect when a system is accessing one of these gateways:

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several families of malware use hidden services to communicate with a C&C server, usually through a predefined .onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, Network Anomaly, Network anomalies- Firewall
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Malware infection, Bedep
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Targeted Malware, HTTPBrowser
  • System Compromise, Targeted Malware, Superman
  • System Compromise, Trojan infection, Andromeda
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, BestaFera
  • System Compromise, Trojan infection, KOVTER.B
  • System Compromise, Trojan infection, Skeeyah
  • System Compromise, Trojan infection, Small
  • System Compromise, Trojan infection, Suloc
  • System Compromise, Trojan infection, Tendrit