Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of March

New Detection Technique - NexusLogger

NexusLogger is an unsophisticated cloud-based keylogger that uses the Microsoft .NET Framework. NexusLogger collects keystrokes, system information, passwords, and can take screenshots. It also specifically gathers game credentials for UPlay, Minecraft, Steam, and Origin. NexusLogger is primarily distributed via phishing e-mails, but HTTP download requests have also been observed. NexusLogger is configured to upload data via FTP.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, NexusLogger

New Detection Technique - Acronym

Acronym is a new modular malware, possibly associated with the Potao malware family and the Operation Potao Express campaign. Acronym starts by setting up persistence, using either the typical Registry Run key or a new Task Scheduler task, depending on the Windows version. Once the bot has been initialized, it starts phoning home to its command and control (C&C) servers.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Acronym

New Detection Technique - MajikPOS

MajikPOS is a new breed of point-of-sale (PoS) malware affecting businesses across North America, Canada included. Like other PoS malware, MajikPOS is designed to steal card data, but what sets it apart is its modular approach to execution. MajikPOS is named after its C&C panel (the "Magic panel"), which issues commands and receives the exfiltrated data. MajikPOS's operators use a combination of PoS malware and remote access trojans (RATs) to attack their targets.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware infection, MajikPOS

New Detection Technique - Fileless PowerShell Framework

A new fileless attack framework has been discovered that's being delivered as a macro-enabled Word document attached to phishing emails sent to targeted high-profile enterprises. The weaponized Word document delivers a PowerShell agent that opens a backdoor and establishes persistence; the rest of the PowerShell commands are delivered through the C&C server.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Fileless PowerShell Framework

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed vulnerabilities in Microsoft Edge, Internet Explorer, Office, and other Windows components.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Windows Script Signature Checking Bypass (CVE-2017-0007)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Information Disclosure Vulnerability (CVE-2017-0008)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Scripting Engine Memory Corruption Vulnerability (CVE-2017-0010)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge OOB Read Information Disclosure (CVE-2017-0011)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge PDF Parsing RCE (CVE-2017-0023)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Windows DLL Loading RCE Vulnerability (CVE-2017-0024)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability (CVE-2017-0026)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Word Buffer Overflow (CVE-2017-0030)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MS Word UAF RCE (CVE-2017-0031)

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Blue Crypter
  • System Compromise, Ransomware infection, Karmen
  • System Compromise, Ransomware infection, vxCrypt

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CryptoShield
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Sage
  • System Compromise, Ransomware infection, SDLocker

New Detection Techniques

We've added the following correlation rules as a result of recent exploit activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HP Smart Storage Administrator Remote Command Injection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, IBM WebSphere - RCE Java Deserialization

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries every attack method it knows for the visitor's browser and plugins to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Terror EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Java
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of SSL certificates that abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Chthonic SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate
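The matching behind this kind of rule is simple: compare the fingerprint of the certificate a host received during the TLS handshake against the blocklist. The following is an added example, not AlienVault's rule logic and not code from this update. It loads a blocklist in the three-column layout the abuse.ch SSL Blacklist CSV is assumed to use (listing date, SHA1 fingerprint, listing reason) and checks it against Suricata-style EVE JSON `tls` events. The blocklist rows and EVE records are constructed placeholders, not real abuse.ch entries or captured traffic.

```python
"""Match TLS certificate fingerprints from IDS logs against a blocklist.

Added example, not part of the original update and not AlienVault's rule
logic. The blocklist rows and EVE JSON events below are constructed
placeholders, not real abuse.ch SSLBL entries or captured traffic. The
blocklist is assumed to follow SSLBL's CSV layout of
'listing date, SHA1 fingerprint, listing reason'.
"""
import json
from typing import Dict, Iterable, List


def normalise_fingerprint(fp: str) -> str:
    """Lower-case hex without separators so 'AA:BB' and 'aabb' compare equal."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def parse_sslbl_csv(text: str) -> Dict[str, str]:
    """Map normalised SHA1 fingerprint -> listing reason, skipping comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue  # tolerate a malformed row rather than abort the feed load
        _date, sha1, reason = parts
        entries[normalise_fingerprint(sha1)] = reason.strip()
    return entries


def match_tls_events(eve_lines: Iterable[str], blocklist: Dict[str, str]) -> List[dict]:
    """Return one alert dict per TLS event whose server certificate is blocklisted."""
    alerts = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "tls":
            continue
        fp = normalise_fingerprint(ev.get("tls", {}).get("fingerprint", ""))
        if len(fp) != 40:  # SHA1 is 20 bytes; anything else is not comparable
            continue
        reason = blocklist.get(fp)
        if reason:
            alerts.append({
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
                "dest_port": ev.get("dest_port"),
                "sni": ev["tls"].get("sni"),
                "fingerprint": fp,
                "reason": reason,
            })
    return alerts


# Constructed blocklist (placeholder fingerprints, not real SSLBL data).
SAMPLE_SSLBL = """\
# Listingdate,SHA1,Listingreason
2017-03-13 09:00:00,0123456789abcdef0123456789abcdef01234567,Gozi C&C
2017-03-14 11:30:00,89abcdef0123456789abcdef0123456789abcdef,Chthonic C&C
"""

# Constructed Suricata-style EVE JSON records, one per line.
SAMPLE_EVE = [
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7",
                "dest_port": 443, "tls": {"sni": "update.example.net", "version": "TLS 1.2",
                "fingerprint": "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}}),
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.6", "dest_ip": "198.51.100.2",
                "dest_port": 443, "tls": {"sni": "www.example.org",
                "fingerprint": "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"}}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.6", "dest_ip": "198.51.100.2"}),
]

if __name__ == "__main__":
    bl = parse_sslbl_csv(SAMPLE_SSLBL)
    for a in match_tls_events(SAMPLE_EVE, bl):
        print(f"C&C SSL match: {a['src_ip']} -> {a['dest_ip']}:{a['dest_port']} "
              f"({a['sni']}) [{a['reason']}]")
```

Fingerprints are normalised before comparison because feeds and sensors disagree on case and on colon separators; a byte-for-byte string match would silently miss otherwise identical certificates. Matching on the certificate rather than on the destination IP also survives the C&C server moving hosts while reusing its key material.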

Updated Detection Technique - Apache Struts S2-045 RCE (CVE-2017-5638)

A vulnerability exists in the Jakarta Multipart parser in Apache Struts 2 (versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) that allows unauthenticated attackers to execute arbitrary commands via a specially crafted Content-Type HTTP header. When the parser rejects a malformed Content-Type value, the offending header is copied into an error message that Struts then evaluates as an OGNL expression, so a single HTTP request is enough to run code on the server.

We've updated the following correlation rule to detect this malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts S2-045 RCE (CVE-2017-5638)
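Because a legitimate Content-Type value is a narrow media-type grammar, an S2-045 attempt is easy to spot on the wire: the header carries OGNL expression syntax that no browser or client library would ever send. The following is an added example, not the IDS signature or correlation rule from this update, showing that check run over constructed request header lines; the sample payload is a truncated fragment built for the test, not a working exploit.

```python
"""Heuristic detector for Apache Struts S2-045 (CVE-2017-5638) exploitation
attempts, based on the Content-Type request header.

Added example, not part of the original update and not AlienVault's
signature. The header samples below are constructed for illustration; the
detector flags OGNL expression markers that a legitimate Content-Type value
never contains.
"""
import re
from typing import Iterable, List, Tuple

# OGNL expression syntax "%{ ... }" (or "${ ... }") is the core of the S2-045
# payload: the Jakarta Multipart parser copies an invalid Content-Type into an
# error message that Struts then evaluates as OGNL.
OGNL_EXPR = re.compile(r"[%$]\{")

# Secondary markers commonly present in public payloads; any one of these in a
# Content-Type header is suspicious on its own.
OGNL_MARKERS = (
    "#_memberaccess",
    "#context",
    "ognl.ognlcontext",
    "com.opensymphony.xwork2",
    "java.lang.processbuilder",
    "getruntime",
)

# A legitimate Content-Type is a type/subtype token optionally followed by
# ';' parameters (RFC 7231 section 3.1.1.1). Anything outside that grammar is odd.
VALID_CT = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=(\"[^\"]*\"|[^;\s]*))*\s*$"
)


def classify_content_type(value: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons) for one Content-Type header value."""
    reasons = []
    low = value.lower()
    if OGNL_EXPR.search(value):
        reasons.append("ognl-expression")
    for marker in OGNL_MARKERS:
        if marker in low:
            reasons.append(f"marker:{marker}")
    if len(value) > 512:
        reasons.append("oversized")
    if not VALID_CT.match(value):
        reasons.append("malformed")
    # A malformed header alone is noise (clients occasionally send odd values);
    # require an OGNL indicator before calling it an S2-045 attempt.
    suspicious = any(r != "malformed" for r in reasons)
    return suspicious, reasons


def scan_headers(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Scan raw 'Header: value' lines; return flagged Content-Type values."""
    hits = []
    for line in lines:
        name, sep, val = line.partition(":")
        if not sep or name.strip().lower() != "content-type":
            continue
        suspicious, reasons = classify_content_type(val.strip())
        if suspicious:
            hits.append((val.strip(), reasons))
    return hits


# Constructed sample request headers (not captured traffic). The third line is
# a truncated S2-045-style fragment with no command execution stage.
SAMPLE_HEADERS = [
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4",
    "Content-Type: application/json; charset=utf-8",
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}",
    "Content-Type: text/plain",
]

if __name__ == "__main__":
    for value, reasons in scan_headers(SAMPLE_HEADERS):
        print(f"S2-045 indicator {reasons} in Content-Type {value[:60]!r}")
```

The grammar check is deliberately not the trigger on its own: real clients do emit sloppy Content-Type values, and alerting on every one of them buries the true positives. Pairing it with the OGNL markers gives a signal that is specific to this bug class while still catching payload variants that rename their variables.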

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts S2-045 RCE (CVE-2017-5638)
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Targeted Malware, ZeroT
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Potao