Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of February

New Detection Technique - MagicHound

Magic Hound is a persistent espionage campaign targeting organizations in the government, energy, and technology sectors, primarily in the Middle East. The Magic Hound adversaries use spear-phishing emails containing links to malicious documents as the delivery mechanism. The malware used by Magic Hound includes Microsoft Word and Excel documents with embedded malicious macros, portable executable (PE) payloads, PE files compiled for the .NET Framework, various forms of IRC bots, and an open-source fileless Python remote access tool called Pupy.

We've added IDS signatures and the following correlation rules to detect this activity:

  • System Compromise, Targeted Malware, MagicHound
  • System Compromise, C&C Communication, MagicHound SSL activity

New Detection Technique - Kingslayer

RSA has discovered a sophisticated attack campaign, dubbed Kingslayer, against a software supply chain, specifically targeting Windows system administrators at large and sensitive organizations. The attack involves a Trojan inserted into otherwise legitimate software that is typically used by enterprise system administrators. The application subverted in the campaign is used by system administrators to analyze Windows event logs; its distribution point had been compromised and the software replaced with malicious, signed code (a backdoor) back in April 2015.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Kingslayer

New Detection Technique - XAgent OSX

A macOS variant of the Sofacy group's XAgent trojan, called XAgent OSX, has been discovered. The trojan can receive commands from threat actors via its command and control (C&C) channel and is also capable of logging keystrokes via its keylogger functionality. XAgent OSX uses HTTP requests to communicate with its C&C servers, which allows the threat actor to interact with the compromised system: it uses HTTP POST requests to send data to the C&C server and GET requests to receive commands from it.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, XAgent OSX

Adobe Patch Tuesday

This week's updates include Adobe's Patch Tuesday content. Adobe fixed multiple vulnerabilities in its Reader and Flash products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2984)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash FLV parsing OOB Memory Access (CVE-2017-2986)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2990)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Player Memory Corruption (CVE-2017-2991)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Player Heap Overflow (CVE-2017-2992)

New Detection Techniques

We've added the following correlation rules as a result of recent malicious and exploit activity:

  • Environmental Awareness, Sensitive Data - Unencrypted Session, SmartEmailExtractor Checkin
  • System Compromise, Malware RAT, AthenaGo
  • System Compromise, Targeted Malware, ShellCrew
  • System Compromise, Trojan infection, Abnores
  • System Compromise, Trojan infection, CozyCar
  • System Compromise, Trojan infection, Degestask
  • System Compromise, Trojan infection, Lollipop
  • System Compromise, Trojan infection, Malicious WebClient
  • System Compromise, Trojan infection, Windows Mirai

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts every attack method it knows to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, DNSChanger EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rules to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, Mobile trojan infection, IOS_XAGENT
  • System Compromise, Targeted Malware, SEDNIT

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, TorrentLocker SSL activity
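The matching these rules perform can be reproduced outside the IDS: observed TLS server certificates are fingerprinted with SHA-1 and compared against the blocklist. The following is an added example, not code from this update or from Abuse.ch. It assumes the published list uses the comment-prefixed `Listingdate,SHA1,Listingreason` CSV layout of the Abuse.ch SSL Blacklist; the list excerpt, the fingerprints and the TLS observations below are all constructed for the example and are not real listings or real indicators.

```python
import csv
import hashlib
import io

# Constructed excerpt in the Abuse.ch SSLBL CSV layout. The SHA-1 values and
# listing reasons are made up for this example; they are NOT real listings.
SSLBL_CSV = """\
# ############################################################################
# SSL Blacklist (constructed excerpt for this example)
# Listingdate,SHA1,Listingreason
2017-02-10 09:12:33,0a1b2c3d4e5f60718293a4b5c6d7e8f901234567,Dridex C&C
2017-02-08 14:01:02,deadbeef00112233445566778899aabbccddeeff,Gootkit C&C
2017-02-06 11:45:10,ffeeddccbbaa99887766554433221100fedcba98,TorrentLocker C&C
"""

# Constructed TLS observations, e.g. as a sensor's x509 log would record them.
# Tools print fingerprints in several styles (upper-case, colon-separated), so
# the matcher normalises them before lookup.
OBSERVED = [
    {"ts": "2017-02-13T08:01:10Z", "src": "10.0.0.12", "dst": "203.0.113.7:443",
     "sha1": "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:01:23:45:67"},
    {"ts": "2017-02-13T08:02:44Z", "src": "10.0.0.15", "dst": "198.51.100.20:443",
     "sha1": "1234567890abcdef1234567890abcdef12345678"},  # benign, not listed
    {"ts": "2017-02-13T08:05:02Z", "src": "10.0.0.12", "dst": "192.0.2.99:8443",
     "sha1": "ffeeddccbbaa99887766554433221100fedcba98"},
]


def load_sslbl(text):
    """Parse SSLBL-style CSV into {sha1 (lower-case hex): (listing date, reason)}.

    Lines starting with '#' are comments and are skipped; malformed rows are ignored.
    """
    data_lines = (line for line in io.StringIO(text)
                  if line.strip() and not line.lstrip().startswith("#"))
    listed = {}
    for row in csv.reader(data_lines):
        if len(row) != 3:
            continue
        listing_date, sha1, reason = (field.strip() for field in row)
        listed[normalize_fingerprint(sha1)] = (listing_date, reason)
    return listed


def normalize_fingerprint(fp):
    """Canonical form used for lookups: lower-case hex with separators removed."""
    return fp.replace(":", "").replace(" ", "").lower()


def cert_fingerprint(der_bytes):
    """SHA-1 fingerprint of a DER-encoded certificate, the form SSLBL lists."""
    return hashlib.sha1(der_bytes).hexdigest()


def match_certificates(observations, blocklist):
    """Return the observations whose server certificate is on the blocklist,
    annotated with the listing reason and date so an analyst can triage them."""
    hits = []
    for obs in observations:
        fp = normalize_fingerprint(obs["sha1"])
        if fp in blocklist:
            listing_date, reason = blocklist[fp]
            hits.append({**obs, "sha1": fp, "reason": reason, "listed": listing_date})
    return hits


if __name__ == "__main__":
    blocklist = load_sslbl(SSLBL_CSV)
    for hit in match_certificates(OBSERVED, blocklist):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} "
              f"matched {hit['reason']} (listed {hit['listed']})")
```

Fingerprint normalisation matters in practice: a sensor that logs `AA:BB:...` and a list that stores `aabb...` will otherwise never match. Note also that the list only covers certificates already observed and reported, so a miss is not evidence of a clean connection.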

Updated Detection Technique - Ransomware

In the past week, we've seen increasing ransomware activity in the wild. We've added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Sage
  • System Compromise, Ransomware infection, Satan
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with exploitation of a vulnerability, followed by installation of malware, which often includes a Remote Access Tool (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Remcos/Remvio

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Suspicious Behaviour, Suspicious BusyBox
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Zbot
  • System Compromise, Targeted Malware, APT.Gabby
  • System Compromise, Targeted Malware, APT29
  • System Compromise, Targeted Malware, APT29 SSL Activity
  • System Compromise, Targeted Malware, CosmicDuke
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bunitu
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, KOVTER.B
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Pegasus
  • System Compromise, Trojan infection, Pony
  • System Compromise, Trojan infection, Qadars
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Unknown trojan