Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of January.

New Detection Technique - Linux/Venom

Linux/VENOM is a rootkit that can be used to maintain unauthorized access on compromised Linux systems. It requires root privileges to be installed. The rootkit is comprised of an encrypted backdoor with remote code execution and proxy functionalities, as well as a Linux loadable kernel module, providing an additional port-knocking service for the backdoor. The attacker attempts to remove all local traces of the rootkit by erasing local log files and manipulating filesystem timestamps.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Linux/Venom

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Bluerid
  • System Compromise, Trojan infection, ShinoBot

New Detection Technique - Ransomware

In the past week, we have seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect multiple new ransomware families:

  • System Compromise, Ransomware infection, CrypMic
  • System Compromise, Ransomware infection, Marlboro/Wicked
  • System Compromise, Ransomware infection, Spora

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CryptoWall
  • System Compromise, Ransomware infection, Maktub
  • System Compromise, Ransomware infection, PadCrypt

Adobe Patch Tuesday

This week's updates include Adobe's Patch Tuesday content. Adobe fixed multiple vulnerabilities in its Reader and Flash products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash mp4 parsing OOB Memory Access (CVE-2017-2926)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash ATF parsing OOB Memory Access (CVE-2017-2927)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash OOB Memory Access (CVE-2017-2928)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash OOB Memory Access (CVE-2017-2931)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash UAF (CVE-2017-2932)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash ATF parsing OOB Memory Access (CVE-2017-2933)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash ATF parsing OOB Memory Access (CVE-2017-2934)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash ATF parsing FLV Memory Access (CVE-2017-2935)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash UAF (CVE-2017-2936)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash UAF (CVE-2017-2937)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2941)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2946)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2947)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2948)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2949)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2950)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat Reader JS Use After Free (CVE-2017-2955)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat Reader JS Use After Free (CVE-2017-2957)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat Reader JS Use After Free (CVE-2017-2958)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Memory Corruption Attempt (CVE-2017-2960)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2961)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader TIFF Memory Corruption (CVE-2017-2963)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Memory Corruption Attempt (CVE-2017-2964)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Memory Corruption Attempt (CVE-2017-2965)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Memory Corruption Attempt (CVE-2017-2966)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader (CVE-2017-2967)

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence.

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Chthonic SSL activity
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, TrickBot SSL activity
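The matching behind these rules is a lookup of the server certificate's SHA1 fingerprint against the Abuse.ch SSL Blacklist. The script below is an added illustration of that lookup and is not AlienVault's code: it parses a blocklist in the column layout the Abuse.ch CSV uses (Listingdate, SHA1, Listingreason), runs it over Zeek-style ssl.log lines, and names the correlation rule from the list above that a hit would map to. The fingerprints, addresses and log lines are constructed placeholders, and the log field order is an assumption of this example.

```python
import csv
import io

# Constructed SSLBL-style blocklist. The real Abuse.ch SSL Blacklist CSV uses the
# columns Listingdate,SHA1,Listingreason; the fingerprints here are placeholders.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-01-10 09:12:31,1111111111111111111111111111111111111111,TrickBot C&C
2017-01-11 14:03:55,2222222222222222222222222222222222222222,Gozi C&C
2017-01-12 08:45:10,3333333333333333333333333333333333333333,Malware C&C
"""

# Constructed TLS connection log (Zeek-style ssl.log fields, tab-separated,
# field order assumed for this example): ts, src, dst, dport, server_name, cert_sha1
SSL_LOG = """\
1484300000.1\t10.0.0.5\t203.0.113.10\t443\tcdn.example.net\t9999999999999999999999999999999999999999
1484300010.2\t10.0.0.7\t198.51.100.22\t447\t-\t1111111111111111111111111111111111111111
1484300020.3\t10.0.0.9\t192.0.2.33\t443\t-\t3333333333333333333333333333333333333333
"""

# Map a listing reason to the correlation-rule name used in this update; reasons
# without a family-specific rule fall back to the generic certificate rule.
FAMILY_RULES = {
    "trickbot": "System Compromise, C&C Communication, TrickBot SSL activity",
    "gozi": "System Compromise, C&C Communication, Gozi SSL Activity",
    "gootkit": "System Compromise, C&C Communication, Gootkit SSL activity",
    "chthonic": "System Compromise, C&C Communication, Chthonic SSL activity",
    "panda banker": "System Compromise, C&C Communication, Panda Banker SSL activity",
}
GENERIC_RULE = "System Compromise, C&C Communication, Known malicious SSL certificate"


def load_sslbl(text):
    """Parse an SSLBL CSV into {sha1_lowercase: listing_reason}, skipping comments."""
    blocklist = {}
    rows = csv.reader(l for l in io.StringIO(text) if l.strip() and not l.startswith("#"))
    for row in rows:
        if len(row) < 3:
            continue  # malformed entry; never let a bad line poison the lookup table
        sha1, reason = row[1].strip().lower(), row[2].strip()
        if len(sha1) != 40 or any(c not in "0123456789abcdef" for c in sha1):
            continue  # not a SHA1 hex digest
        blocklist[sha1] = reason
    return blocklist


def rule_for(reason):
    """Pick the family-specific correlation rule for a listing reason, else the generic one."""
    r = reason.lower()
    for family, rule in FAMILY_RULES.items():
        if family in r:
            return rule
    return GENERIC_RULE


def match_ssl_log(log_text, blocklist):
    """Return one alert dict per log line whose certificate SHA1 is on the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, sni, sha1 = line.split("\t")
        sha1 = sha1.strip().lower()  # fingerprints are compared case-insensitively
        reason = blocklist.get(sha1)
        if reason is None:
            continue
        alerts.append({
            "ts": ts, "src": src, "dst": dst, "dport": int(dport), "sni": sni,
            "sha1": sha1, "reason": reason, "rule": rule_for(reason),
        })
    return alerts


if __name__ == "__main__":
    for a in match_ssl_log(SSL_LOG, load_sslbl(SSLBL_CSV)):
        print(f"{a['rule']}: {a['src']} -> {a['dst']}:{a['dport']} ({a['reason']})")
```

Matching on the fingerprint rather than on the destination IP or SNI is what makes this robust to C&C infrastructure moving between hosts; the second constructed connection above, on a non-standard port with no server name, still produces a TrickBot hit because the certificate is the same.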

Updated Detection Technique - APT Cmstar

Cmstar is a downloader that is similar to the Lurid and Enfal families of malware. Cmstar is typically delivered through phishing emails that contain malicious Microsoft Office documents and has recently been used to download BBSRAT. The group that utilizes Cmstar and BBSRAT appears to be targeting Russian victims and has most recently proxied its attacks via compromised systems in Mongolia. It is suspected that the threat group responsible for these attacks is operating out of China.

We've added IDS signatures and updated the following correlation rule to detect Cmstar activity:

  • System Compromise, Targeted Malware, APT Cmstar

Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Kyle and Stan
  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Trojan infection, ARIK Keylogger
  • System Compromise, Trojan infection, Bunitu
  • System Compromise, Trojan infection, Fareit
  • System Compromise, Trojan infection, Oilrig
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Pony
  • System Compromise, Trojan infection, PSEmpire
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, VertexNet