Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of January 2016

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in their products, including Internet Explorer and Office. A specially crafted webpage could use these vulnerabilities to trigger arbitrary code execution.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MSIE Use After Free Exploit Attempt (CVE-2016-0002)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge Browser Type Confusion Vulnerability (CVE-2016-0003)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS16-004 Office RCE ASLR bypass vulnerability (CVE-2016-0012)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS16-007 DirectShow Heap Corruption RCE M1 (CVE-2016-0015)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS16-007 Office DLL Loading RCE M01 (CVE-2016-0016)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS16-007 Office DLL Loading RCE M1 (CVE-2016-0018)

Emerging Threat - Trochilus RAT

Trochilus RAT is a new remote access Trojan (RAT) that is being used in targeted threat operations. Trochilus can evade sandbox analysis, is adept at carrying out espionage, and is part of a multi-pronged malware operation that researchers at Arbor Networks are calling the Seven Pointed Dagger.

We've added an IDS signature and a correlation rule to detect Trochilus activity:

  • System Compromise, Malware RAT, Trochilus RAT

New Detection Technique - CVE-2016-0777

An information disclosure vulnerability in the OpenSSH client (versions 5.4 through 7.1) has been reported in an undocumented feature called 'roaming', which allows the client to resume a session that has been interrupted. The information leak is exploitable in the default configuration of the OpenSSH client, and allows a malicious SSH server to steal the client's private keys. It can be easily hot-fixed by setting the undocumented option "UseRoaming" to "no".
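As an added example (not part of this update), the following POSIX shell script audits an ssh_config file for the "UseRoaming no" hot-fix named above, applies it when missing, and flags an `ssh -V` banner that falls in the affected 5.4 to 7.1 range; the file paths and the version-parsing approach are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit and hot-fix the OpenSSH client roaming option
# (CVE-2016-0777). File paths below are assumptions, not system defaults.

# Return 0 when the ssh_config file already carries an uncommented
# "UseRoaming no" line (option names are case-insensitive in ssh_config).
roaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# Prepend "UseRoaming no" to the file. ssh_config uses the first value
# obtained for each option, so the line must precede any Host block;
# appending it after a "Host *" block would not reliably take effect.
disable_roaming() {
    tmp=$(mktemp) || return 1
    { printf 'UseRoaming no\n'; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Return 0 when an "ssh -V" banner (which ssh prints on stderr, so
# capture it with 2>&1) names a version in the range listed above,
# 5.4 through 7.1. The portable patch level (pN) is not compared, so a
# vendor-backported or later 7.1 build may still be flagged: verify it.
ssh_version_affected() {
    ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    code=$(( $1 * 100 + $2 ))
    [ "$code" -ge 504 ] && [ "$code" -le 701 ]
}

# Demo on a constructed sample config, not a real system file.
demo=$(mktemp)
printf 'Host *\n    ServerAliveInterval 30\n' > "$demo"
roaming_disabled "$demo" || disable_roaming "$demo"
roaming_disabled "$demo" && echo "roaming disabled in $demo"
rm -f "$demo"
```

On a real host, run the same functions against /etc/ssh/ssh_config and each user's ~/.ssh/config, and pair the check with `ssh_version_affected "$(ssh -V 2>&1)"`.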

We've added the following IDS signatures and correlation rules to detect this activity:

  • Environmental Awareness, Client Side Exploit - Known Vulnerability, Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support
  • Environmental Awareness, Client Side Exploit - Known Vulnerability, Possible CVE-2016-0777 Client Sent Roaming Resume Request

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Micrass
  • Environmental Awareness, Desktop Software - P2P, MS WUDO Peer Sync
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TrendMicro node.js HTTP RCE Exploit
  • System Compromise, Trojan infection, Linux/Torte
  • System Compromise, Malware infection, Agent.XST
  • System Compromise, Backdoor, Conpee

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added the following IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Nuclear EK
  • Exploitation & Installation, Malware infection, Exploit kit

Updated Detection Technique - Malware SSL Certificates

We have added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, KINS SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We have added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT
  • System Compromise, Malware RAT, FakeM RAT
  • System Compromise, Malware RAT, Chistudi
  • System Compromise, Malware RAT, Unknown RAT

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Backdoor, Webshell
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Ransomware infection, Alphacrypt
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Targeted Malware, APT.9002
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Duuzer
  • System Compromise, Trojan infection, ELF/STDbot
  • System Compromise, Trojan infection, FlyStudio
  • System Compromise, Trojan infection, FrauDrop
  • System Compromise, Trojan infection, Generic trojan dropper