Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of April 2018

New Detection Technique - N0f1l3 Stealer

N0f1l3 is a recent password and cryptocurrency stealer created by the Russian hacker 1ms0rry, who sells n0f1l3 in several variants with different feature sets and prices. The malware runs without admin rights and is capable of stealing passwords and cookies from a list of browsers (the number of browsers depends on the price), crypto-wallets, and text files from the user's desktop.

The hacker 1ms0rry has also been associated with other handles, such as Gorno and Gatsoev, and with a trojan coin miner that appears to reuse code and methods from n0f1l3.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Trojan infection, W32.Gorno/n0f1l3 Stealer

New Detection Technique - DarkSky

DarkSky, a botnet reported by Radware in early February 2018, has adopted new beacon methods and corresponding Command and Control (C&C) infrastructure to evade detection based on known IOCs. The botnet is capable of performing DDoS attacks, downloading malicious files, and acting as a proxy.

Since the malware can download files from a remote server and execute them on the infected machine, attackers are leveraging DarkSky to spread cryptomining trojans. Some of the observed mining trojans have been associated with the previously mentioned Russian hacker 1ms0rry (author of n0f1l3), who commented online about the capabilities and active development of the DarkSky botnet.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Trojan infection, MSIL/DarkSky

New Detection Technique - Tiggre

Tiggre malware (also known as Tiggre!rfn and Streamto) is a cryptomining bot that was first seen in South Korea. The victim downloads the malware believing it to be a video file. Once executed, it downloads 7zip and additional malware components, creates copies of itself, and modifies the registry to establish persistence. It then uses Google Chrome to mine cryptocurrency and transfer data to the Command & Control (C&C) server.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Trojan infection, Win32/Tiggre

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Adderall
  • System Compromise, Trojan infection, MSIL/CRMSvc.ru
  • System Compromise, Trojan infection, MSIL/Limitail
  • System Compromise, Trojan infection, MSIL/Sentinal Keylogger
  • System Compromise, Trojan infection, MSIL/UA-Loader
  • System Compromise, Trojan infection, RubberDucky
  • System Compromise, Trojan infection, Win32/Agent.SRX
  • System Compromise, Trojan infection, Win32/DanijBot

New Detection Techniques - Mobile Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, Marcher.w Banker
  • System Compromise, Mobile trojan infection, SLocker.PN
  • System Compromise, Mobile trojan infection, Triada.dm

New Detection Techniques - Client Side Exploit

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Player Heap Overflow Vuln (CVE-2018-4936) 
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Player Out-of-Bounds Vuln (CVE-2018-4934)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, SocGoth B64 Inject

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Backdoor, Android.Backdoor Lazarus
  • System Compromise, C&C Communication, APT28 SSL activity
  • System Compromise, C&C Communication, Bateleur SSL activity
  • System Compromise, C&C Communication, CoreBot SSL activity
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Android/TrojanDropper.Shedun.V
  • System Compromise, Mobile trojan infection, Anubis Android Loader
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, Maktub
  • System Compromise, Trojan infection, Loki Bot
  • System Compromise, Trojan infection, MailRuSputnik
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, Pontoeb
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Win32.Snoja