Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of May 2018

New Detection Technique - Win32/TeleGrab

TeleGrab evolved from malware that historically stole browser credentials and text files from the infected system. Newer versions target Telegram's desktop application, attempting to steal cache and key files that can later be used to hijack the victim's Telegram account remotely.

The malware appears to target Russian-speaking victims. 

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Spyware infection, Win32/TeleGrab

New Detection Technique - Muhstik

The Muhstik botnet was first detected in late March, attempting to exploit Drupal vulnerability CVE-2018-7600. According to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.

Muhstik has since been adapted to include exploits for recent GPON router vulnerabilities (CVE-2018-10561 and CVE-2018-10562), as well as JBoss (CVE-2007-1036) and DD-WRT (web authentication brute-forcing).

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Botnet infection, ELF/Muhstik

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Banload Downloader CnC
  • System Compromise, Trojan infection, JS/Javaxs.Loader
  • System Compromise, Trojan infection, Win32.Agent.unk Dropper

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat Information Disclosure (CVE-2018-4993)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat Use After Free (CVE-2018-4952) and (CVE-2018-4954)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, NagiosXI SQL Injection (CVE-2018-8734) and (CVE-2018-8735)
  • System Compromise, C&C Communication, InfoBot Exfiltration
  • System Compromise, Mobile trojan infection, Android-Trojan/Downloader.907ce
  • System Compromise, Mobile trojan infection, Android.Click.efpwxg
  • System Compromise, Mobile trojan infection, Android.SmsSend.1848.origin
  • System Compromise, Mobile trojan infection, Android.Trojan.SMSSend.RD
  • System Compromise, Mobile trojan infection, Android.Trojan.Telman.D
  • System Compromise, Mobile trojan infection, Android/HiddenApp.GH
  • System Compromise, Mobile trojan infection, StealthAgent CnC
  • System Compromise, Spyware infection, Nigelthorn Chrome Extension
  • System Compromise, Suspicious Behaviour, HackingTrio UA
  • System Compromise, Worm infection, Win32.Hamweq.A
  • System Compromise, Worm infection, Win32/Moarider.A/Comame

Updated Detection Technique - Win32/Tiggre

Tiggre was originally malware distributed as a video file, which infected the victim's system to mine cryptocurrency. The latest update covers the Nigelthorn malware, shared as a link to a fake YouTube webpage. The fake webpage prompts the victim to install a Google Chrome extension capable of credential theft, cryptocurrency mining, and self-propagation through the victim's Facebook profile.

To deliver the infection through a Chrome extension, the attackers copied legitimate extensions and injected malicious code into them in order to bypass Google's validation tools.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Trojan infection, Win32/Tiggre

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Bancos Variant Downloader SSL Certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, URLZone C2 Domain
  • System Compromise, C&C Communication, URLzone SSL Certificate

Updated Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Know Malicious Redirector
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, SmokeLoader
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Zeus

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader docID RCE (CVE-2018-4901)
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Android.Trojan.HiddenApp.EN
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Mobile trojan infection, SmsSpy
  • System Compromise, Targeted Malware, Patchwork