Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of March 2016

Emerging Threat - Rokku Ransomware

Rokku is a new ransomware family that currently has a low detection rate among anti-virus vendors. It encrypts files offline, without first contacting a command and control server for a key, and includes anti-analysis checks that prevent it from running in virtualized environments.

We've added IDS signatures and created the following correlation rule to detect Rokku activity:

  • System Compromise, Ransomware infection, Rokku

Last week we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Alphacrypt
  • System Compromise, Ransomware infection, Locky

New Detection Technique - APT Cmstar

Cmstar is a downloader similar to the Lurid and Enfal malware families. It is typically delivered through phishing emails carrying malicious Microsoft Office documents and has recently been used to download BBSRAT. The group using Cmstar and BBSRAT appears to be targeting Russian victims and has most recently proxied its attacks through compromised systems in Mongolia. The threat group responsible for these attacks is suspected to operate out of China.

We've added IDS signatures and created the following correlation rule to detect Cmstar activity:

  • System Compromise, Targeted Malware, APT Cmstar

New Detection Technique - Remote Access Tools

The typical attack pattern is an initial attack (an exploited vulnerability) followed by installation of malware. That last step often includes a Remote Administration Tool (RAT), which gives the attacker interactive control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, NetSpy RAT
  • System Compromise, Malware RAT, ChadowTek

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Backdoor, Nidiran
  • System Compromise, Trojan infection, Dupzom
  • System Compromise, Trojan infection, StealerReborn
  • System Compromise, Trojan infection, Volt Logger

Updated Detection Technique - NetTraveler

NetTraveler (a.k.a. TravNet) is an old malware family that nation-state threat actors have used for over a decade. Most recently it has been used in a spear phishing campaign against Uzbek diplomats. Newer versions of NetTraveler use DLL side-loading, in which a legitimate signed executable loads a malicious DLL placed alongside it, to get their code running. NetTraveler waits for commands from a command and control (C&C) server and can download and execute additional files.

We've added IDS signatures and created the following correlation rule to detect NetTraveler activity:

  • System Compromise, Targeted Malware, NetTraveler

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
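The matching step behind these two rules, as an added example that is not AlienVault's own code: a certificate blocklist in the abuse.ch SSLBL CSV layout is loaded, the SHA-1 fingerprint of each observed server certificate is normalized, and hits are mapped to either the Dridex-specific rule or the generic known-malicious-certificate rule. The blocklist rows, fingerprints and Suricata EVE-style TLS log lines below are constructed for the example; the assumption that Suricata logs the certificate SHA-1 in a colon-separated "fingerprint" field is noted in the code.

```python
"""Match observed TLS certificate fingerprints against an abuse.ch-style
SSL blocklist and map hits to the two correlation rules named above.

Added example. The blocklist rows and log lines are constructed, not real
abuse.ch data or real traffic."""
import csv
import json

# Constructed blocklist in the abuse.ch SSLBL CSV layout
# (Listingdate,SHA1,Listingreason). The fingerprints are placeholders.
SSLBL_CSV = """\
# Listing date,SHA1,Listing reason
2016-03-08 09:12:01,0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d,Dridex C&C
2016-03-09 14:33:47,ffeeddccbbaa99887766554433221100ffeeddcc,Gozi MITM
"""

# Constructed Suricata EVE events (JSON lines). Assumption: the TLS event
# carries the server certificate SHA-1 in "tls.fingerprint", colon-separated.
EVE_LOG = """\
{"timestamp":"2016-03-10T10:01:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"subject":"CN=localhost","issuerdn":"CN=localhost","fingerprint":"0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d"}}
{"timestamp":"2016-03-10T10:01:05.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.23","dest_port":443,"tls":{"subject":"CN=www.example.com","issuerdn":"CN=Example CA","fingerprint":"11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd:ee:ff:11:22:33:44"}}
{"timestamp":"2016-03-10T10:02:30.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.23","dest_port":80}
{"timestamp":"2016-03-10T10:03:11.000000+0000","event_type":"tls","src_ip":"10.0.0.9","dest_ip":"192.0.2.44","dest_port":8443,"tls":{"subject":"CN=server","issuerdn":"CN=server","fingerprint":"FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC"}}
"""


def normalize_sha1(fp):
    """Canonical form: 40 lowercase hex chars, no separators.
    Returns None when the value is not a SHA-1 fingerprint (wrong length
    or non-hex), so malformed log fields never produce a match."""
    if not fp:
        return None
    hexstr = fp.replace(":", "").replace(" ", "").strip().lower()
    if len(hexstr) != 40:
        return None
    try:
        int(hexstr, 16)
    except ValueError:
        return None
    return hexstr


def load_sslbl(csv_text):
    """Parse SSLBL CSV into {sha1: listing_reason}, skipping '#' comments."""
    entries = {}
    rows = (ln for ln in csv_text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < 3:
            continue
        sha1 = normalize_sha1(row[1])
        if sha1:
            entries[sha1] = row[2].strip()
    return entries


def rule_name(reason):
    """Map the listing reason to the correlation rule it should raise."""
    if "dridex" in reason.lower():
        return "System Compromise, C&C Communication, Dridex SSL Certificate"
    return "System Compromise, C&C Communication, Known malicious SSL certificate"


def match_tls_events(eve_text, blocklist):
    """Return one alert dict per TLS event whose certificate is listed.
    Matching is on the certificate hash, not on subject/issuer names,
    which the malware operator controls."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue
        sha1 = normalize_sha1(ev.get("tls", {}).get("fingerprint"))
        if sha1 is None or sha1 not in blocklist:
            continue
        reason = blocklist[sha1]
        alerts.append({
            "timestamp": ev["timestamp"],
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "dest_port": ev["dest_port"],
            "sha1": sha1,
            "reason": reason,
            "rule": rule_name(reason),
        })
    return alerts


if __name__ == "__main__":
    for a in match_tls_events(EVE_LOG, load_sslbl(SSLBL_CSV)):
        print(f"{a['timestamp']} {a['src_ip']} -> {a['dest_ip']}:{a['dest_port']} "
              f"sha1={a['sha1']} [{a['reason']}] => {a['rule']}")
```

The two alerts the sample produces are the Dridex hit from 10.0.0.5 and the generic known-malicious hit from 10.0.0.9; the second TLS session and the HTTP event are ignored. Note that the fingerprint is of the certificate the server actually presented, so a listed certificate moved to a new IP is still caught, while a re-issued certificate with the same subject is not; that is why the list is keyed on SHA-1 rather than on names.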

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Attackers embed these kits in websites, invisibly to the visitor. When a user browses to a website hosting an exploit kit, the kit probes the browser and its plugins and tries its exploits for known vulnerabilities in order to compromise the user and install malware on their machine. This is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Ramnit

Ramnit is a computer worm first seen in 2009. It spreads through removable drives and by infecting executable files on the compromised system. We have updated IDS signatures and correlation rules to detect Ramnit activity:

  • System Compromise, Worm infection, Ramnit

Updated Detection Technique - Syndicasec

Syndicasec was used in spear phishing emails targeting Indian government organizations. It installs a remotely controlled backdoor that connects to a C&C server to receive further commands. All of the RTF attachments in the spear phishing emails attempt to exploit the long-patched MSCOMCTL.OCX ActiveX control vulnerability CVE-2012-0158 (MS12-027), which is triggered when the RTF is opened in Microsoft Word.

We have added IDS signatures and updated the following correlation rule to detect Syndicasec activity:

  • System Compromise, Trojan infection, Syndicasec

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, Malicious website, VBScript Exploit
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Blacked
  • System Compromise, Trojan infection, Banbra
  • System Compromise, Trojan infection, ServStart
  • System Compromise, Trojan infection, Thetatic
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Nymaim
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, AutoRun
  • System Compromise, Trojan infection, MSIL/IRCBot
  • System Compromise, Trojan infection, Generic trojan dropper