Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of May 2016

New Detection Technique - Hancitor

Hancitor (also known as Tordal and Chanitor) is a downloader used to download other malware and maintain persistence on the system for further communication.

We've added IDS signatures and created the following correlation rule to detect Hancitor:

  • System Compromise, Trojan infection, Hancitor

New Detection Technique - Ruckguv

Ruckguv is a downloader that is dropped by a malicious macro into a Microsoft Word document. This malware is then used to download other malware families.

We've added IDS signatures and created the following correlation rule to detect Ruckguv:

  • System Compromise, Trojan infection, Ruckguv

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed several vulnerabilities in their products, including Edge and Internet Explorer. There was also a coordinated release with their partner Adobe. 

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Uninitialized Stack Pointer Use (CVE-2016-0192)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer Memory Corruption Vulnerability (CVE-2016-0189)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe PDF Universal 3D file corrupted download (CVE-2016-1037)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1038)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1039)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1040)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1041)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1042)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1043)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1044)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1045)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1050)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1051)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1052)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1053)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1054)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1055)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1061)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1062)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1064)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1065)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1067)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1068)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1069)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1072)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1073)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1079)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1081)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1082)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1083)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1084)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1085)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Adobe Reader (CVE-2016-1086)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible EDGE OOB Access (CVE-2016-0193)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible EDGE UAF (CVE-2016-0184)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Uninitialized Stack Pointer Use (CVE-2016-0191)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability Inbound (CVE-2016-0171)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability Inbound (CVE-2016-0172)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability Inbound (CVE-2016-0173)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability Inbound (CVE-2016-0174)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability Inbound (CVE-2016-0176)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability Inbound (CVE-2016-0196)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Graphics Component Information Disclosure Vulnerability (CVE-2016-0168)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Media Center RCE Inbound Payload (CVE-2016-0185)

New Detection Technique - Apache Struts RCE (CVE-2016-3081)

A vulnerability in Apache Struts could allow an unauthenticated remote attacker to execute arbitrary code on a targeted server.

We've added IDS signatures and created the following correlation rule to detect CVE-2016-3081:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts RCE (CVE-2016-3081)

New Detection Technique - Novell Service Desk Authenticated RCE (CVE-2016-1593)

Service Desk is a service management solution by Novell. A vulnerability (CVE-2016-1593) was discovered which allows remote authenticated users to upload and execute arbitrary JSP files.

We've added IDS signatures and created the following correlation rule to detect CVE-2016-1593:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Novell Service Desk Authenticated RCE (CVE-2016-1593)

New Detection Technique - Malicious Activity

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, IndoXploit
  • System Compromise, Trojan infection, Saber

Updated Detection Technique - Malware SSL Certificates

We added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Zeus SSL Certificate
  • System Compromise, C&C Communication, Ursnif SSL activity

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables users to browse the Internet anonymously. Tor also provides anonymity for servers, called hidden services, that can only be reached through the Tor network. Some websites act as proxies that allow access to Tor hidden services from the regular Internet without joining the Tor network. We have created a new correlation rule that will detect when a system accesses one of these proxy services. Many ransomware schemes use hidden services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families use hidden services as a mechanism to communicate with a C&C server and usually rely on a predefined onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
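The two Tor checks above (a host trying to resolve a known-malicious .onion domain through its normal resolver, and a host reaching a hidden service through a clearnet onion-proxy gateway) can be illustrated with a small DNS-log scanner. This is an added example, not the product's own rule logic; the onion address, the gateway domain and the log lines are constructed placeholders, and the label used for a .onion lookup that is not on the bad list is a hypothetical category, not one of the bulletin's rules.

```python
import re

# Constructed placeholders, not values from this bulletin: one "known-bad" hidden
# service and one clearnet onion-proxy gateway that the checks below match against.
MALICIOUS_ONIONS = {"abcdefghijklmnop.onion"}
ONION_PROXY_GATEWAYS = {"onion-proxy.example"}

# A well-formed onion label is 16 (v2) or 56 (v3) base32 characters before ".onion".
ONION_RE = re.compile(r"(?:^|\.)([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.|$)")


def classify_query(qname):
    """Map one DNS query name to the rule it would trigger, or None if benign."""
    name = qname.rstrip(".").lower()
    m = ONION_RE.search(name)
    if not m:
        return None
    onion = m.group(1) + ".onion"
    if name.endswith(".onion"):
        # The query reached the normal resolver, so the host is trying to resolve a
        # hidden service outside Tor; escalate when the address is on the bad list.
        rule = ("System Compromise, Malware infection, Malicious TOR .onion domain"
                if onion in MALICIOUS_ONIONS
                else "Tor .onion resolution, not on known-bad list (hypothetical label)")
        return {"query": qname, "onion": onion, "rule": rule}
    # Otherwise something follows ".onion.": flag it only if it is a known gateway.
    if name.split(".onion.", 1)[1] in ONION_PROXY_GATEWAYS:
        return {"query": qname, "onion": onion,
                "rule": "Environmental Awareness, Anonymous channel, Tor Onion Proxy"}
    return None


def scan_dns_log(lines):
    """Scan 'timestamp client qname' lines and collect the alerts they raise."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip it rather than abort the scan
        alert = classify_query(parts[2])
        if alert:
            alert["client"] = parts[1]
            alerts.append(alert)
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2016-05-12T10:00:01Z 10.0.0.5 www.example.com",
    "2016-05-12T10:00:02Z 10.0.0.5 abcdefghijklmnop.onion",
    "2016-05-12T10:00:03Z 10.0.0.7 abcdefghijklmnop.onion.onion-proxy.example",
    "2016-05-12T10:00:04Z 10.0.0.9 zyxwvutsrqponmlk.onion",
]
```

Any .onion name that reaches a normal resolver is worth an alert on its own, since a correctly configured Tor client never sends those lookups to DNS; the bad-list match only raises the severity.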

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, NanoCore

Updated Detection Technique - Sality

Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing for processing-intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated rootkit functions as part of the ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date. We have added IDS signatures and created a correlation rule to detect Sality activity:

  • System Compromise, Trojan infection, Sality

Updated Detection Technique - Keyloggers

Keylogging malware is used to record a victim's keystrokes as they type on a keyboard. Keyloggers can send a victim's keystrokes to a malicious party or store them for retrieval at a later time. Keylogging malware can be used to steal sensitive data such as login credentials or banking information. We have added IDS signatures and a correlation rule to detect the following keyloggers:

  • System Compromise, Trojan infection, Hawkeye Keylogger

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Cryptolocker
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, CryptXXX
  • System Compromise, Ransomware infection, Unknown Ransomware

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Desktop Software - Chat Client, TeamSpeak
  • System Compromise, Adware infection, InstallCore
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, H1N1
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Unknown trojan