Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of July 2016

New Detection Technique - Ranscam

Ranscam, recently uncovered by the Cisco Talos team, is a new, unsophisticated ransomware that simply deletes users' files and then demands a ransom to get access to them again. It also performs other destructive actions, such as deleting the core Windows executable responsible for System Restore, deleting several registry keys associated with booting into Safe Mode, and more.

We've added IDS signatures and the following correlation rule to detect Ranscam activity:

  • System Compromise, Trojan infection, Ranscam

New Detection Technique - Patchwork

Patchwork is a targeted attack that was first observed in December 2015 and has infected approximately 2,500 machines since then. Patchwork targets military and political personnel, specifically those working on issues relating to Southeast Asia and the South China Sea.

We've added IDS signatures and the following correlation rule to detect Patchwork activity:

  • System Compromise, Targeted Malware, Patchwork

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in its products, including Edge and Internet Explorer. There was also a coordinated release with its partner Adobe.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Local Security Policy Bypass (CVE-2016-4178)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Information Disclosure Vulnerability (CVE-2016-3261)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-3240)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-3242)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge OOB Read Vulnerability (CVE-2016-3277)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Edge UAF Vulnerability (CVE-2016-3264)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-3246)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Security Feature Bypass (CVE-2016-3244)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Office Protected View Bypass Inbound (CVE-2016-3279)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4191)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4192)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4195)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4196)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4197)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4198)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4199)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4200)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader Memory Corruption (CVE-2016-4202)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Privilege Elevation Vulnerability (CVE-2016-3249)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Privilege Elevation Vulnerability (CVE-2016-3250)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Privilege Elevation Vulnerability (CVE-2016-3252)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Privilege Elevation Vulnerability (CVE-2016-3254)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k full OOB Read Privilege Elevation Vulnerability (CVE-2016-3251)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Print Spooler Elevation of Privilege (CVE-2016-3239)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Word 2010 OOB Access Via dpgroup Objects (CVE-2016-3280)

New Detection Technique - SFG

SFG is a dropper tool, potentially originating in Eastern Europe, that is being used to gain access to carefully targeted network users. Once access is gained, the dropper introduces the payload, which may either exfiltrate data or install malware capable of damaging the infected network. The exploit affects all versions of Microsoft Windows and has been developed to bypass traditional antivirus solutions, next-generation firewalls, and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware.

We've added IDS signatures and the following correlation rule to detect SFG activity:

  • System Compromise, Targeted Malware, SFG

New Detection Technique

We've added the following correlation rules due to recent malicious activity:

  • System Compromise, Malware infection, WaterTiger
  • System Compromise, Ransomware infection, Deshacop
  • System Compromise, Targeted Malware, ZeroT
  • System Compromise, Trojan infection, Camplz
  • System Compromise, Trojan infection, Razy
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Boa HTTPd RCE Attempt
  • System Compromise, Trojan infection, Zekapab

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attacks it knows in order to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures that include certificates identified by Abuse.ch as associated with botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites (onion proxies) allow access to Tor hidden services from the regular Internet without the client being inside the Tor network.

We've updated the correlation rule that detects when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined .onion domain.

We've updated a correlation rule that groups the different IDS signatures which detect when a system is trying to resolve a malicious .onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
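The two Tor-related rules above (onion proxy access and malicious .onion resolution) can be illustrated with a small DNS-log check. This is an added example, not the product's rule logic: the log format, the proxy domains and the blocklisted onion name are all constructed here.

```python
import re

# Constructed sample DNS query log (not from the original page); format assumed:
# "<timestamp> <client_ip> query <qname>".
SAMPLE_DNS_LOG = """\
2016-07-12T10:00:01Z 10.0.0.5 query www.example.com
2016-07-12T10:00:02Z 10.0.0.7 query abcdefghijklmnop.onion
2016-07-12T10:00:03Z 10.0.0.9 query abcdefghijklmnop.onion.proxy-example.test
2016-07-12T10:00:04Z 10.0.0.5 query zyxwvutsrqponmlk.onion.another-proxy.example
2016-07-12T10:00:05Z 10.0.0.5 query mail.example.com
"""

# Constructed stand-in for the C&C onion names a correlation rule would carry
# (hypothetical value, not an indicator from the page).
MALICIOUS_ONIONS = {"abcdefghijklmnop.onion"}

# Hidden-service names are base32 labels: 16 chars (v2) or 56 chars (v3).
ONION_LABEL = r"(?:[a-z0-9-]+\.)*(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.onion"
# Per RFC 7686 a .onion name must never reach public DNS, so a bare .onion
# query means software on the host tried to reach a hidden service outside Tor.
DIRECT_ONION = re.compile(rf"^{ONION_LABEL}$")
# Onion proxies expose hidden services as <onion>.onion.<proxy-domain>, so the
# .onion label is followed by ordinary public DNS labels.
PROXIED_ONION = re.compile(rf"^{ONION_LABEL}\.(?P<proxy>[a-z0-9.-]+)$")


def classify_qname(qname):
    """Return (category, onion_name) or (None, None) for an ordinary query."""
    name = qname.rstrip(".").lower()
    m = DIRECT_ONION.match(name)
    if m:
        onion = m.group("onion") + ".onion"
        return ("malicious-onion" if onion in MALICIOUS_ONIONS else "onion-leak"), onion
    m = PROXIED_ONION.match(name)
    if m:
        onion = m.group("onion") + ".onion"
        cat = "malicious-onion-via-proxy" if onion in MALICIOUS_ONIONS else "onion-proxy"
        return cat, onion
    return None, None


def scan_dns_log(log_text):
    """Return (client_ip, qname, category, onion) for every flagged query line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed lines instead of crashing on them
        cat, onion = classify_qname(parts[3])
        if cat:
            hits.append((parts[1], parts[3], cat, onion))
    return hits
```

A real deployment would feed resolver or passive-DNS logs into `scan_dns_log` and raise the proxy and malicious-onion categories as separate alerts, since the former is policy-relevant while the latter indicates a likely C&C contact.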

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CryptXXX
  • System Compromise, Ransomware infection, Encryptor RaaS
  • System Compromise, Ransomware infection, PadCrypt

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0189)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, Zbot
  • System Compromise, Targeted Malware, Derusbi
  • System Compromise, Targeted Malware, ZeroT
  • System Compromise, Trojan infection, APT28 EK
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bergard
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Camplz
  • System Compromise, Trojan infection, Derusbi
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Kbot
  • System Compromise, Trojan infection, Trojan with Autoit
  • System Compromise, Trojan infection, Unknown trojan