Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of January 2018

Master IP CAM 01 Patch

This week's updates include a number of detections for exploits against Master IP Cameras.

We've added IDS signatures and correlation rules to detect the following activity:

  • Environmental Awareness, Confidential Data - Password in Cleartext, Master IP CAM 01 Hardcoded Password (CVE-2018-5723)
  • Reconnaissance & Probing, Configuration Changed, Master IP CAM 01 Unauthenticated Configuration Download and Upload (CVE-2018-5724)
  • Reconnaissance & Probing, Configuration Changed, Master IP CAM 01 Unauthenticated Configuration Change (CVE-2018-5725)

New Detection Technique – OSX/Mami

Mami is a new Mac OS DNS Hijacker discovered in early 2018. It seems to be the first DNS Hijacker for this platform.

The malware is spread inside Mac OS installation files (.dmg). It adds a DNS server (with the IPs 82.163.143[.]135 and 82.163.142[.]137) and persists these changes through a routine that overrides the system's DNS entries periodically. In addition to creating malicious DNS entries, the malware is capable of taking screenshots, generating mouse events, downloading and uploading files, and elevating privileges.

A different version for Windows has existed since 2015 under the name DNSUnlocker. Like Mami, it adds the IPs listed above as DNS servers and installs malicious SSL certificates.
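Because Mami's effect on a host is a visible change to the resolver list, a straightforward host check is to parse the DNS configuration and compare the configured nameservers against the two IPs named above. The script below is an added example, not code from the original update or from any vendor; it parses the output layout of `scutil --dns` (run live on macOS, or the constructed sample embedded here on any other platform) and reports resolvers that match the indicators.

```python
import re
import subprocess
import sys

# DNS server IPs that the OSX/Mami description above says the malware installs.
MAMI_DNS_IOCS = frozenset({"82.163.143.135", "82.163.142.137"})

# Matches lines such as "  nameserver[0] : 192.168.1.1" in `scutil --dns` output.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def configured_resolvers(scutil_dns_output):
    """Return every nameserver IP in `scutil --dns` output, in order, without duplicates."""
    seen = []
    for ip in NAMESERVER_RE.findall(scutil_dns_output):
        if ip not in seen:
            seen.append(ip)
    return seen


def find_mami_resolvers(scutil_dns_output):
    """Return the configured resolvers that match the Mami indicators (empty list if clean)."""
    return [ip for ip in configured_resolvers(scutil_dns_output) if ip in MAMI_DNS_IOCS]


# Constructed sample: the layout follows `scutil --dns`; the values are made up
# except for the first nameserver, which is one of the indicators above.
SAMPLE_SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""


def main():
    if sys.platform == "darwin":
        # Live check on macOS: read the resolver configuration from the system.
        output = subprocess.run(["scutil", "--dns"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_SCUTIL_OUTPUT
    hits = find_mami_resolvers(output)
    if hits:
        print("Mami DNS indicator(s) present in resolver configuration:", ", ".join(hits))
    else:
        print("No Mami DNS indicators found among resolvers:", ", ".join(configured_resolvers(output)))


if __name__ == "__main__":
    main()
```

Since the description above notes that the malware re-applies its DNS entries periodically, a one-off clean result is weaker evidence than a scheduled run of this check; persisting the resolver list between runs and alerting on any change to it catches the re-application as well.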

We've added the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, OSX/Mami

Added Detection Technique – Malware SSL Certificates

We've added new IDS signatures to include more certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Lazarus SSL Certificate
  • System Compromise, C&C Communication, Adwind SSL Certificate

Updated Detection Technique – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Bancos Variant.DZO
  • System Compromise, Trojan infection, Blouiroet
  • System Compromise, Trojan infection, Colony Rootkit
  • System Compromise, Trojan infection, Commonly Abused File Sharing Site Domain
  • System Compromise, Trojan infection, Downloader.Fon
  • System Compromise, Trojan infection, Evrial
  • System Compromise, Trojan infection, Injector.OWL
  • System Compromise, Trojan infection, MoneroPay Ransomware Payment
  • System Compromise, Trojan infection, MSIL/Backdoor.Magoo
  • System Compromise, Trojan infection, PTsecurity
  • System Compromise, Trojan infection, Spy.Agent.BEV
  • System Compromise, Trojan infection, W32/z.wll
  • System Compromise, Trojan infection, Win32/Downloader.Ursa.29157

Updated Detection Technique – Zyklon

Zyklon is a well-known HTTP-based malware family, first observed in the wild in 2016, that has been spread in recent campaigns by exploiting newly discovered vulnerabilities in Microsoft Office. It is publicly available and provides features such as keylogging, password harvesting, distributed denial-of-service attacks, and self-upload and removal. It communicates with its C&C server anonymously over the Tor network.

Like other versions of the family, it is able to download executables, steal passwords from web browsers, and perform cryptocurrency mining. The most common infection vector is a spam email carrying a ZIP attachment that contains a malicious DOC file, which in turn executes a PowerShell script on Windows. The vulnerabilities most commonly exploited by Zyklon are CVE-2017-8759 and CVE-2017-11882.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Zyklon

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Malware infection, AdFraudClicker
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Compromised Chrome Extension