Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of October 2016

Emerging Threat - StrongPity

StrongPity is a new malware family developed by the StrongPity APT group. This group spreads their malware by utilizing watering hole attacks and infected versions of various popular software (for example, WinRAR). StrongPity malware includes components that give the attackers complete control of the victim’s system, enable them to steal disk contents, and to download additional modules. 

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, StrongPity SSL activity

Emerging Threat - Odinaff

Odinaff is a new malware family that has been active since early January 2016. The attackers leveraging Odinaff have primarily targeted organizations in the banking, securities, trading, and payroll sectors. They are known to use many techniques to gain access to these organizations; the most common is a Word document containing a malicious macro.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, Odinaff SSL activity

New Detection Technique - TheTrick

TheTrick, sometimes known as TrickBot, is a new malware bot that is believed to have a connection to the well-known banking trojan Dyre. TheTrick has been observed utilizing webinjects to target banks in Australia. 

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, TheTrick

New Detection Technique - Linux.Mirai

Linux.Mirai is malware designed to hijack BusyBox-based systems in order to perform DDoS attacks. It has been in the news the past few weeks as it is the bot that was used in the DDoS attack on Brian Krebs's security blog. Mirai is known for the ease with which it can victimize IoT devices: the widespread exposure of telnet, combined with a list of factory-default usernames and passwords, results in botnets of a size that is beyond imagination.

The source code for the Linux.Mirai bot was released a few weeks ago. According to Radware, the loader and bot are coded in C, while the scanListen and command and control (C&C) services are written in Go, effectively leveraging goroutines and channels in an efficient Communicating Sequential Processes (CSP) design pattern.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Linux.Mirai
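
The telnet default-credential scanning described above can be spotted on the defender's side from authentication logs. The following is an added example (not code from the page or from any vendor): it flags sources that cycle through several factory-default username/password pairs within a short window, and whether one of them succeeded. The log line format and the DEFAULT_CREDS list are constructed placeholders for this example.

```python
"""Detect Mirai-style telnet credential scanning in constructed login logs.
Added example, not the page's or any vendor's code. The log line format below is
invented for this example, and DEFAULT_CREDS is an illustrative placeholder for
the factory-default list a defender would maintain for their device fleet."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder factory defaults (constructed), as (username, password) pairs.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("root", "12345"), ("user", "user")}

# Assumed format: <ISO ts> telnet-login src=<ip> user=<u> pass=<p> result=<ok|fail>
LOG_RE = re.compile(r"^(?P<ts>\S+) telnet-login src=(?P<src>\S+) user=(?P<user>\S*) "
                    r"pass=(?P<pw>\S*) result=(?P<result>ok|fail)$")

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_default_cred_scanners(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {src: {"pairs": n, "logged_in": bool}} for sources that tried at
    least `threshold` distinct factory-default pairs inside one `window`."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if (rec["user"], rec["pw"]) in DEFAULT_CREDS:
            by_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, cur in enumerate(recs):
            # Distinct default pairs tried in the window ending at this attempt.
            recent = [r for r in recs[: i + 1] if cur["ts"] - r["ts"] <= window]
            pairs = {(r["user"], r["pw"]) for r in recent}
            if len(pairs) >= threshold:
                logged_in = any(r["result"] == "ok" for r in recs)
                flagged[src] = {"pairs": len(pairs), "logged_in": logged_in}
                break
    return flagged

SAMPLE_LOG = [  # constructed sample; RFC 5737 documentation addresses
    "2016-10-10T09:00:01 telnet-login src=203.0.113.7 user=admin pass=admin result=fail",
    "2016-10-10T09:00:03 telnet-login src=203.0.113.7 user=root pass=root result=fail",
    "2016-10-10T09:00:07 telnet-login src=203.0.113.7 user=user pass=user result=ok",
    "2016-10-10T09:20:00 telnet-login src=198.51.100.9 user=admin pass=admin result=fail",
]
```

A single default-credential failure from one source is left alone; the alert fires only on the burst pattern, and the `logged_in` flag tells the responder whether the device now needs to be treated as compromised.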

New Detection Technique - Confucius

Confucius is a new malware family that has been shown to have connections to previously known espionage campaigns (including Operation Patchwork). Rather than locating its C&C server through a DNS request (which could be more easily identified and blocked), Confucius leverages legitimate web services to retrieve the C&C address.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, Confucius SSL activity

New Detection Technique - Enigma

Enigma is a new ransomware variant that appears to be targeting Russian-speaking users. No English-language variants have yet been seen in the wild. The ransomware is spread via spam email with an attached malicious HTML file.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Enigma

In addition, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Philadelphia
  • System Compromise, Ransomware infection, Torrentlocker

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed vulnerabilities in the Edge browser, Internet Explorer, and other Windows components; the update also covers the Adobe Flash Player and Acrobat Reader vulnerabilities listed below.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2016-3267)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2016-3268)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-3331)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer and Edge Memory Corruption Vulnerability (CVE-2016-3382)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-3385)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption (CVE-2016-3386)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Information Disclosure Vulnerability (CVE-2016-7189)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-7190)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k Elevation of Privilege Vulnerability (CVE-2016-7191)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7194)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Player Memory Corruption (CVE-2016-4273)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Acrobat Reader Heap Overflow (CVE-2016-6939)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Acrobat Reader Use After Free (CVE-2016-6946)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Acrobat Reader XSLT parsing engine Memory Corruption (CVE-2016-6960)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Player Use After Free (CVE-2016-6981)

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Snifula
  • System Compromise, Trojan infection, RaaLoader
  • System Compromise, Trojan infection, AutoLOG
  • System Compromise, Backdoor, Mocker
  • System Compromise, Ransomware infection, Nuke

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server, usually via a predefined .onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
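
Because .onion names are meant to be resolved only inside Tor and never forwarded to public DNS (RFC 7686), any .onion query seen by an ordinary resolver is itself a signal, and a hit on a known-malicious name is a stronger one. The following added example (not code from the page or from any vendor) runs that check over constructed DNS query-log lines; the log format and the MALICIOUS_ONIONS watchlist are placeholders assumed for this example.

```python
"""Flag hosts that try to resolve .onion names through ordinary DNS.
Added example, not the page's or any vendor's code. The query-log format is
invented for this example and MALICIOUS_ONIONS is a constructed placeholder
standing in for a threat-intel watchlist of known C&C hidden services."""
import re
from collections import defaultdict

# Placeholder watchlist (constructed name, not a real indicator).
MALICIOUS_ONIONS = {"examplebadc2abcdefgh.onion"}

# Assumed format: <ts> dns-query client=<ip> qname=<name> qtype=<A|AAAA|...>
QUERY_RE = re.compile(r"^(?P<ts>\S+) dns-query client=(?P<client>\S+) "
                      r"qname=(?P<qname>\S+) qtype=\S+$")

def onion_of(qname):
    """Return the '<service>.onion' part of qname (lower-cased, trailing dot
    removed, subdomains stripped), or None if the name is not under .onion."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    return ".".join(labels[-2:])

def detect_onion_leaks(lines):
    """Return {client: {"leaks": n, "malicious": [names]}} for every client
    that queried any .onion name; 'malicious' lists watchlist hits."""
    report = defaultdict(lambda: {"leaks": 0, "malicious": []})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        onion = onion_of(m["qname"])
        if onion is None:
            continue
        entry = report[m["client"]]
        entry["leaks"] += 1
        if onion in MALICIOUS_ONIONS and onion not in entry["malicious"]:
            entry["malicious"].append(onion)
    return dict(report)

SAMPLE_QUERIES = [  # constructed sample lines
    "2016-10-12T10:00:00 dns-query client=10.0.0.5 qname=ExampleBadC2abcdefgh.onion. qtype=A",
    "2016-10-12T10:00:02 dns-query client=10.0.0.5 qname=www.example.com qtype=A",
    "2016-10-12T10:05:00 dns-query client=10.0.0.8 qname=mail.someotherhiddensvc.onion qtype=AAAA",
    "2016-10-12T10:06:00 dns-query client=10.0.0.9 qname=onion.example.net qtype=A",
]
```

The last sample line shows why the check is anchored on the final label: a host name that merely contains "onion" is not a Tor hidden service and must not raise an alert.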

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Luminosity Link RAT
  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Backdoor, Korplug
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, Zacom
  • System Compromise, Mobile trojan infection, IOS_XAGENT
  • System Compromise, Targeted Malware, APT29
  • System Compromise, Targeted Malware, APT29 SSL Activity
  • System Compromise, Trojan infection, Corebot
  • System Compromise, Trojan infection, Quant Loader
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Wemosis