Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of June 2016

Emerging Threat - Operation Daybreak

Operation Daybreak, uncovered by Kaspersky Labs, is a targeted attack that appears to have been launched by the APT group ScarCruft and employs a new zero-day exploit. The primary method of infection has been through spear-phishing emails containing a malicious link pointing to a compromised website that delivers an exploit kit. Once a user clicks on the malicious link, a couple of browser checks are performed, followed by a redirection to a server hosted by the attackers.

We've added IDS signatures and created the following correlation rule to detect Operation Daybreak:

  • Exploitation & Installation, Malicious website - Exploit Kit, Operation Daybreak

Emerging Threat - JS/RAA

RAA is a newly discovered ransomware threat written entirely in JavaScript and delivered as a standard JS file. Since JavaScript has no built-in cryptographic primitives suitable for this purpose, the ransomware's developers used the CryptoJS library. The main distribution method has been email attachments that masquerade as .doc files. Once the attachment is opened, it encrypts the files on the computer and demands a ransom of $250 for decryption.

We've added IDS signatures and created the following correlation rule to detect JS/RAA:

  • System Compromise, Ransomware infection, JS/RAA

Last week we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Crypren/Zcrypt
  • System Compromise, Ransomware infection, Ryzerlo
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Technique - ShimRat

ShimRat is one of the malware tools used by the China-based APT group Mofang. Mofang usually targets organizations with investments or technological advances that could be a threat to China. ShimRat's preferred infection method is social engineering rather than the exploit kits typically used by APT groups. Once a target is infected, the attacks are carried out in three stages: reconnaissance, distraction, and then the main compromise or objective.

We've added IDS signatures and created the following correlation rule to detect ShimRat:

  • System Compromise, Malware RAT, ShimRat

Last week we also added IDS signatures and updated correlation rules to detect the following RATs:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy

New Detection Technique - PhotoMiner

PhotoMiner is a worm discovered by GuardiCore earlier this year. The worm scans for FTP servers with weak credentials, then searches for public HTML folders and alters the source code of the web pages to include a malicious download. This is achieved by embedding an iframe tag within the page and setting its source attribute to Photo.scr. Once a machine is infected, two Windows processes are started: one for mining cryptocurrency and the second for spreading to nearby computers.

We added IDS signatures and created the following correlation rule to detect PhotoMiner:

  • System Compromise, Trojan infection, PhotoMiner
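As an added example (not part of the original update and not AlienVault's own rule logic), a defender-side scan of web-root pages for the injection pattern described above: an iframe whose src points at Photo.scr. The sample pages and the example.invalid host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not real captures) approximating PhotoMiner's injection:
# an <iframe> whose src attribute points at Photo.scr, usually hidden or 1x1 in size.
SAMPLE_PAGES = {
    "index.html": '<html><body><h1>Welcome</h1>'
                  '<iframe src="Photo.scr" width="1" height="1"></iframe></body></html>',
    "about.html": '<html><body><p>About us</p>'
                  '<iframe src="/static/map.html"></iframe></body></html>',
    "gallery.htm": "<HTML><BODY><IFRAME SRC='http://example.invalid/Photo.scr' "
                   "style='display:none'></IFRAME></BODY></HTML>",
}

# Matches a path whose final component is Photo.scr, with an optional query string.
PHOTO_SCR_RE = re.compile(r"(^|/)photo\.scr(\?.*)?$", re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Collects the src value of every <iframe>; HTMLParser lowercases tag and attribute names."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def suspicious_iframes(html):
    """Return the iframe src values in one page that point at Photo.scr."""
    parser = IframeCollector()
    parser.feed(html)
    return [s for s in parser.srcs if PHOTO_SCR_RE.search(s)]


def scan_site(pages):
    """Map filename -> suspicious iframe srcs, for every page that has at least one."""
    findings = {}
    for name, html in pages.items():
        hits = suspicious_iframes(html)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for filename, srcs in scan_site(SAMPLE_PAGES).items():
        print(f"{filename}: injected iframe -> {srcs}")
```

On a real web root the same scan would read each file under the public HTML folder and feed it to scan_site in place of the constructed dictionary.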

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in its products, including Edge and Internet Explorer, and there was also a coordinated release with its partner Adobe.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ATMFD.DLL Privilege Elevation Vuln (CVE-2016-3220)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0200)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-3211)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-3222)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Rich Text File Download With Vulnerable MailMerge OOB (CVE-2016-3234)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible CVE-2016-3218 Executable Inbound
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible CVE-2016-3219 Executable Inbound
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Internet Explorer Memory Corruption Vulnerability (CVE-2016-0199)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Internet Explorer Memory Corruption Vulnerability (CVE-2016-3206)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Internet Explorer Memory Corruption Vulnerability (CVE-2016-3210)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Scripting Engine Memory Corruption Vulnerability (CVE-2016-3199)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Scripting Engine Memory Corruption Vulnerability (CVE-2016-3205)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Privilege Elevation Vuln (CVE-2016-3221)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Diagnostics Hub Privilege Elevation Vuln Inbound (CVE-2016-3231)

New Detection Technique - Malware

We've added the following correlation rules due to recent malicious activity:

  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, Malware RAT, XPCSpyPro
  • System Compromise, Trojan infection, Agent.RWB
  • System Compromise, Trojan infection, PWS.Agent.OMJ
  • System Compromise, Trojan infection, SpyBot
  • System Compromise, Trojan infection, IndigoRose
  • System Compromise, Trojan infection, Xbagger

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attacks it knows to compromise the user's browser and install malware on the machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be reached through the Tor network, called hidden services. Some websites act as gateways that allow access to Tor hidden services from the regular Internet without being inside the Tor network.

We've updated the correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined .onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
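As an added example (not part of the original update and not the product's own correlation logic), a small detector run over sample DNS query logs. It goes slightly beyond the rule above: it reports any host attempting to resolve a .onion name through ordinary DNS, since such names cannot resolve outside the Tor network, and separately flags matches against a watchlist. The log lines, the dnsmasq-like format, the source addresses and the watchlist entries are all constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log lines in a dnsmasq-like format (not real captures).
SAMPLE_LOG = """\
Jun 14 10:01:02 dns dnsmasq[812]: query[A] www.example.invalid from 10.0.0.5
Jun 14 10:01:05 dns dnsmasq[812]: query[A] abcdefghijklmnop.onion from 10.0.0.7
Jun 14 10:01:09 dns dnsmasq[812]: query[AAAA] abcdefghijklmnop.onion from 10.0.0.7
Jun 14 10:02:11 dns dnsmasq[812]: query[A] onion.example.invalid from 10.0.0.9
Jun 14 10:03:40 dns dnsmasq[812]: query[A] zzzzzzzzzzzzzzzz.onion from 10.0.0.12
"""

# Hypothetical watchlist of .onion names tied to malware C&C; placeholders, not real IoCs.
WATCHLIST = {"abcdefghijklmnop.onion"}

# Extracts the query type, queried name and source host from one log line.
LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<src>\S+)")


def parse_queries(log_text):
    """Yield (qname, src, qtype) for each parseable query line; names are normalised."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("qname").lower().rstrip("."), m.group("src"), m.group("qtype")


def is_onion(qname):
    """True only for names under the .onion TLD; 'onion.example.invalid' must not match."""
    return qname.endswith(".onion")


def find_onion_resolutions(log_text, watchlist=WATCHLIST):
    """Return {src_host: {"onion_queries": [names], "watchlist_hits": [names]}}."""
    report = defaultdict(lambda: {"onion_queries": [], "watchlist_hits": []})
    for qname, src, _qtype in parse_queries(log_text):
        if not is_onion(qname):
            continue
        entry = report[src]
        if qname not in entry["onion_queries"]:
            entry["onion_queries"].append(qname)
        if qname in watchlist and qname not in entry["watchlist_hits"]:
            entry["watchlist_hits"].append(qname)
    return dict(report)


if __name__ == "__main__":
    for host, entry in find_onion_resolutions(SAMPLE_LOG).items():
        print(host, entry)
```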

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Targeted Malware, Inexsmar
  • System Compromise, Trojan infection, Adload
  • System Compromise, Trojan infection, Bagsu
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bayrob
  • System Compromise, Trojan infection, FlyStudio
  • System Compromise, Trojan infection, PWS.Agent.OMJ
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, iSpy KeyLogger
  • System Compromise, Worm infection, Jenxcus