Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of February 2018

New Detection Technique – Shurl0ckr

Shurl0ckr is a new ransomware discovered in the wild in February 2018. This ransomware is available at no cost on the dark web, and the creator receives a percentage of each paid ransom.

Shurl0ckr encrypts JPEG and PNG images, Office files, PDFs, and text files, among others, and appends the .cypher extension to each encrypted file. It also drops an HTML file containing a link to the decryption instructions.

It evades the protection schemes of Google Drive and Microsoft 365 and is capable of encrypting files stored on these cloud platforms, which could increase its visibility.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Shurl0ckr
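The two host-side artifacts described above (a burst of files renamed to the .cypher extension and an HTML note dropped alongside them) are enough for a simple endpoint-log detection. The following is an added example, not part of the original bulletin or of any vendor rule set; the file-event log format, the sample events, and the threshold and window values are all constructed for illustration.

```python
"""Flag Shurl0ckr-style ransomware activity in file-system event logs.

Added example (not from the original bulletin). Assumed log format, one
event per line:  <ISO timestamp> <host> <user> <action> <path>
Detection: >= THRESHOLD renames to the .cypher extension by one host/user
within WINDOW seconds, with the HTML ransom note as a corroborating signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".cypher"   # extension Shurl0ckr appends to encrypted files
NOTE_EXT = ".html"          # the dropped instruction file
THRESHOLD = 5               # renames to .cypher needed to alert (assumed)
WINDOW = timedelta(seconds=60)

# Constructed sample events: ws17/alice shows an encryption burst plus the
# note; ws22/bob shows ordinary activity and must not alert.
SAMPLE_EVENTS = r"""
2018-02-12T09:14:01 ws17 alice CREATE C:\Users\alice\Documents\budget.xlsx
2018-02-12T09:15:10 ws17 alice RENAME C:\Users\alice\Pictures\IMG_0001.jpg.cypher
2018-02-12T09:15:12 ws17 alice RENAME C:\Users\alice\Pictures\IMG_0002.png.cypher
2018-02-12T09:15:15 ws17 alice RENAME C:\Users\alice\Documents\report.docx.cypher
2018-02-12T09:15:18 ws17 alice RENAME C:\Users\alice\Documents\notes.txt.cypher
2018-02-12T09:15:21 ws17 alice RENAME C:\Users\alice\Documents\invoice.pdf.cypher
2018-02-12T09:15:24 ws17 alice RENAME C:\Users\alice\Documents\slides.pptx.cypher
2018-02-12T09:15:30 ws17 alice CREATE C:\Users\alice\Documents\HOW_TO_DECRYPT.html
2018-02-12T10:02:00 ws22 bob CREATE C:\Users\bob\Documents\presentation.pptx
2018-02-12T11:40:00 ws22 bob RENAME C:\Users\bob\Documents\presentation_v2.pptx
"""


def parse_event(line):
    """Split one log line into its fields; the path may contain spaces."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "path": path}


def detect_ransomware(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per host/user whose .cypher renames exceed the
    threshold inside a sliding time window."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    per_actor = defaultdict(list)
    for e in events:
        per_actor[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), evs in per_actor.items():
        renames = [e for e in evs if e["action"] == "RENAME"
                   and e["path"].lower().endswith(ENCRYPTED_EXT)]
        notes = [e for e in evs if e["action"] == "CREATE"
                 and e["path"].lower().endswith(NOTE_EXT)]
        start = 0
        for end in range(len(renames)):
            # Slide the window start forward until it fits inside WINDOW.
            while renames[end]["ts"] - renames[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first, last = renames[0]["ts"], renames[-1]["ts"]
                note_seen = any(first - window <= n["ts"] <= last + window
                                for n in notes)
                alerts.append({"host": host, "user": user,
                               "encrypted_count": len(renames),
                               "ransom_note": note_seen,
                               "first": first.isoformat(),
                               "last": last.isoformat()})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_ransomware(SAMPLE_EVENTS.splitlines()):
        print(a)
```

The sliding window is what separates an encryption burst from a user who legitimately renames a few files over a day; the HTML note is reported as corroboration rather than required, since the note is written only after encryption has already begun.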

New Detection Technique – Rogue.WinPCDefender

This malware installs software on the compromised machine that pretends to act as an antivirus tool. Typically, installation occurs by tricking users into installing PcDefender either as software to fix a fake malware infection, or as software required to play online videos.

After installation, the software performs a fake scan of the machine and displays a long list of supposed infections. Attempting to remove any of these fake infections results in a prompt to first buy the paid version of the program. Some of the files reported as malware are actually legitimate OS files, so removing them by other means is a bad idea.

Finally, WinPCDefender will try to install further malware onto the machine and will prevent the user from installing or removing any packages that could actually help remove the infection.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Fake Antivirus infection, Rogue.WinPCDefender

New Detection Technique – Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, ShinoBot SSL Certificate
  • System Compromise, C&C Communication, Trensil.B SSL Certificate
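The certificate-based C&C detection described above comes down to comparing the SHA1 fingerprint of the server certificate seen in a TLS session against a blocklist of fingerprints known to belong to malware infrastructure. The following is an added example and not the vendor's signature logic: the blocklist rows, the TLS log lines, the IP addresses and the fingerprints are all constructed placeholders, and the CSV column layout (listing date, SHA1, listing reason) is an assumption about the feed rather than a documented format.

```python
"""Match server-certificate fingerprints from TLS session logs against a
malware certificate blocklist.

Added example (not from the original bulletin). Assumed formats:
  blocklist CSV: Listingdate,SHA1,Listingreason   ('#' lines are comments)
  TLS log line:  <ISO timestamp> <src_ip> <dst_ip>:<port> <server_cert_sha1>
All fingerprints and addresses below are constructed placeholders.
"""
import csv
import io
import re

BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2018-02-05 10:11:12,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,ShinoBot C&C
2018-02-09 08:00:00,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Trensil.B C&C
"""

# Constructed sessions: two hit the blocklist (one written in the
# colon-separated upper-case form some tools emit), one is benign.
TLS_LOG = """\
2018-02-13T14:02:11 10.0.0.25 203.0.113.7:443 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2018-02-13T14:03:40 10.0.0.31 198.51.100.9:443 cccccccccccccccccccccccccccccccccccccccc
2018-02-13T14:05:02 10.0.0.25 203.0.113.44:8443 BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
"""

_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(fp):
    """Lower-case and strip separators so every tool's spelling compares
    equal; return None if the result is not a 40-hex-digit SHA1."""
    cleaned = fp.strip().lower().replace(":", "").replace(" ", "")
    return cleaned if _SHA1_RE.match(cleaned) else None


def load_blocklist(text):
    """Parse the CSV into {sha1: reason}, skipping comment lines."""
    rows = (l for l in text.splitlines() if l and not l.startswith("#"))
    blocklist = {}
    for listing_date, sha1, reason in csv.reader(io.StringIO("\n".join(rows))):
        fp = normalize_fingerprint(sha1)
        if fp:
            blocklist[fp] = reason.strip()
    return blocklist


def match_sessions(log_text, blocklist):
    """Return an alert dict for every TLS session whose server certificate
    fingerprint appears in the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, cert = line.split()
        fp = normalize_fingerprint(cert)
        if fp is None:
            continue  # malformed fingerprint, not a match
        reason = blocklist.get(fp)
        if reason:
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "sha1": fp, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in match_sessions(TLS_LOG, load_blocklist(BLOCKLIST_CSV)):
        print(alert)
```

Normalising the fingerprint before the lookup matters in practice: the same certificate is logged as lower-case hex by one sensor and as colon-separated upper-case pairs by another, and a blocklist lookup that compares raw strings silently misses half of the sessions.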

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Agent.BIC
  • System Compromise, Trojan infection, Kolabc
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, NameCoin DNS Sinkhole
  • System Compromise, Trojan infection, W32/SPARS/ARS
  • System Compromise, Trojan infection, Win32/CoinBit

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Acrobat JP2 OOB (CVE-2018-4912)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Use After Free (CVE-2017-4877)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader EMF Memory Corruption M1 (CVE-2018-4906)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader TIFF Memory Corruption (CVE-2018-4903)

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, Evrial
  • System Compromise, Trojan infection, Houdini
  • System Compromise, Trojan infection, KyoznikMiner
  • System Compromise, Trojan infection, Oilrig
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Win32/ASPC
  • System Compromise, Trojan infection, TopherMiner

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, VOIP Service - Hacking Tool, Tech Support Phone Scam
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware RAT, PCRat