Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of November 2017

New Detection Technique – IcedID

IcedID is a new banking trojan that has been active since September 2017. It is built in a modular form, with capabilities similar to those of the infamous Zeus trojan. What sets it apart from other banking trojans is that it does not appear to borrow code from them; instead, its authors have implemented comparable features in their own way. The trojan is currently being distributed by the Emotet trojan and is targeting banks, payment card providers and other financial institutions.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, IcedID SSL Activity

Microsoft/Adobe Patch Tuesday

This week's update includes coverage for Microsoft's and Adobe's Patch Tuesday releases, in which both vendors fixed multiple vulnerabilities in their products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe TIFF processing module Out of Bounds Access Violation (CVE-2017-16396)

New Detection Technique – Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Reypston

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Alma
  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CrypMic

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Environmental Awareness, Desktop Software - Remote Desktop, AeroAdmin
  • Environmental Awareness, Hacking tool, PWNJS
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apple Safari UXSS (CVE-2017-7089)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Edge Browser Type Confusion Vuln (CVE-2017-11873)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Google Chrome XSS (CVE-2017-5124)
  • Exploitation & Installation, Weak Configuration - Vulnerable Authentication, Actiontec C1000A backdoor account
  • System Compromise, Trojan infection, Agent.SFR
  • System Compromise, Trojan infection, Agent.SFZ
  • System Compromise, Trojan infection, SunOrcal Reaver
  • System Compromise, Trojan infection, Win32/RCAP
  • System Compromise, Trojan infection, Zebrocy

Updated Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of SSL certificates that abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, PSEmpire SSL Activity
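The detection behind these rules, and behind the IcedID SSL Activity rule above, is a match of the server certificate fingerprint observed in a TLS handshake against a list of fingerprints known to belong to C&C infrastructure. The script below is an added illustration of that technique; it is not AlienVault code, and it does not reproduce the actual IDS signatures. It assumes the abuse.ch SSL Blacklist CSV layout (Listingdate,SHA1,Listingreason) and Suricata eve.json TLS records, which carry the certificate SHA1 in tls.fingerprint as colon-separated hex. Both the blocklist entries and the log lines are constructed sample data; the fingerprints are made up and identify no real certificate.

```python
"""
Match TLS certificate fingerprints seen on the wire against a blocklist of
known malicious certificates, in the style of the abuse.ch SSL Blacklist.
Added example; the blocklist and the TLS log lines below are constructed.
"""
import csv
import json
from typing import Dict, Iterable, List

# Constructed sample in the abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason).
# The SHA1 values are made up for this example and do not identify real certificates.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-11-08 09:12:33,1111111111111111111111111111111111111111,IcedID C&C
2017-11-09 14:02:10,2222222222222222222222222222222222222222,PSEmpire C&C
"""

# Constructed Suricata eve.json style records (one JSON object per line).
# Suricata reports the server certificate SHA1 in "tls.fingerprint" as colon-separated hex.
EVE_LINES = [
    '{"timestamp":"2017-11-10T10:15:01.000000+0000","event_type":"tls","src_ip":"10.0.0.15","src_port":49812,"dest_ip":"203.0.113.7","dest_port":443,"tls":{"subject":"C=XX, CN=localhost","issuer":"C=XX, CN=localhost","fingerprint":"11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11","version":"TLS 1.2"}}',
    '{"timestamp":"2017-11-10T10:15:02.000000+0000","event_type":"tls","src_ip":"10.0.0.22","src_port":50110,"dest_ip":"198.51.100.9","dest_port":443,"tls":{"subject":"CN=www.example.com","issuer":"CN=Example CA","fingerprint":"AB:CD:EF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00","version":"TLS 1.2"}}',
    '{"timestamp":"2017-11-10T10:15:03.000000+0000","event_type":"alert","src_ip":"10.0.0.22","dest_ip":"198.51.100.9","alert":{"signature":"constructed alert, not a TLS record"}}',
    '{"timestamp":"2017-11-10T10:15:04.000000+0000","event_type":"tls","src_ip":"10.0.0.31","src_port":51000,"dest_ip":"192.0.2.44","dest_port":8443,"tls":{"fingerprint":"22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22","version":"TLS 1.2"}}',
]


def normalize_sha1(fp: str) -> str:
    """Canonicalise a SHA1 fingerprint: drop separators, lower-case, check it is 40 hex digits."""
    hexstr = fp.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 40 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return hexstr


def load_sslbl(csv_text: str) -> Dict[str, str]:
    """Parse SSLBL-style CSV into {sha1: listing_reason}, skipping '#' comment lines."""
    rows = (line for line in csv_text.splitlines() if line and not line.startswith("#"))
    blocklist: Dict[str, str] = {}
    for _listing_date, sha1, reason in csv.reader(rows):
        blocklist[normalize_sha1(sha1)] = reason
    return blocklist


def match_tls_events(eve_lines: Iterable[str], blocklist: Dict[str, str]) -> List[dict]:
    """Return one finding per TLS event whose server certificate SHA1 is on the blocklist."""
    findings = []
    for line in eve_lines:
        event = json.loads(line)
        if event.get("event_type") != "tls":
            continue  # only TLS records carry a certificate fingerprint
        fp = event.get("tls", {}).get("fingerprint")
        if not fp:
            continue  # no certificate observed (e.g. handshake not seen or cert encrypted)
        sha1 = normalize_sha1(fp)
        if sha1 in blocklist:
            findings.append({
                "timestamp": event["timestamp"],
                "src_ip": event["src_ip"],
                "dest_ip": event["dest_ip"],
                "dest_port": event.get("dest_port"),
                "sha1": sha1,
                "reason": blocklist[sha1],
            })
    return findings


def run() -> List[dict]:
    """Run the constructed sample through the matcher."""
    return match_tls_events(EVE_LINES, load_sslbl(SSLBL_CSV))


if __name__ == "__main__":
    for f in run():
        print(f"{f['timestamp']} {f['src_ip']} -> {f['dest_ip']}:{f['dest_port']} "
              f"cert {f['sha1']} ({f['reason']})")
```

Two of the four sample records match; the second TLS record presents a fingerprint that is not listed and the alert record is skipped because it carries no certificate. Two practical caveats: fingerprints must be normalised before comparison, since feeds and sensors disagree on case and separators, and the check only works where the sensor can see the server certificate in cleartext, so it finds nothing for sessions whose certificate exchange is encrypted.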

Updated Detection Technique – Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As AlienVault's Jaime Blasco described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, Malicious website, Social Engineering Toolkit
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, BlueNoroff/Lazarus
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, LokiBot
  • System Compromise, Trojan infection, Unknown PowerShell