Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of September 2017

New Detection Technique - .NET SOAP Code Injection (CVE-2017-8759)

A new vulnerability, CVE-2017-8759, has been discovered in the Microsoft .NET Framework (2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7). This vulnerability allows an attacker to execute code remotely via a malicious document or application.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, .NET SOAP Code Injection (CVE-2017-8759)

New Detection Technique - Kedi Rat

Kedi is a new remote access trojan (RAT) that is spread via spear phishing with a payload disguised as a Citrix utility. Threat actors can use Kedi for keylogging, screenshot capture, remote shell access, extraction of usernames, computer names and domains, and other common RAT functionality. Kedi RAT is unique in that it utilizes Gmail to receive instructions and transmit data.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Remote Access Trojan, Kedi

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Salsa

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Sage

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, BackConnect
  • System Compromise, Trojan infection, SFG/Furtim
  • System Compromise, Malware RAT, PC Monitor
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MP4 Atom Parser Vulnerability Inbound (CVE-2017-11281)
  • System Compromise, Trojan infection, Win32/Aenjaris

Updated Detection Technique - APT Cmstar

Cmstar is a downloader that is similar to the Lurid and Enfal families of malware. Cmstar is typically delivered through phishing emails that contain malicious Microsoft documents and has recently been used to download BBSRAT. The group that utilizes Cmstar and BBSRAT appears to be targeting Russian victims and has most recently proxied its attacks via compromised systems in Mongolia. It is suspected that the threat group responsible for these attacks is operating out of China.

We've added IDS signatures and updated the following correlation rule to detect Cmstar activity:

  • System Compromise, Targeted Malware, APT Cmstar

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Attackers embed these kits in websites where they go unnoticed by normal users. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, CoreBot SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
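As an added illustration of the certificate-blocklist matching described above (example code, not the vendor's own signatures or rules), the function below checks TLS connection events against an SSLBL-style fingerprint list. The CSV layout, the EVE-style JSON field names and all fingerprints and addresses are constructed for this example.

```python
import csv
import io
import json

# Constructed SSLBL-style blocklist (listing date, SHA1, reason). The two
# fingerprints below are made up for this example, not real Abuse.ch entries.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2017-09-10 08:00:00,0123456789abcdef0123456789abcdef01234567,CoreBot C&C
2017-09-11 12:30:00,deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,Known malicious SSL certificate
"""

def normalize_sha1(fp):
    """Lower-case a SHA1 fingerprint and drop colon separators so that
    'AA:BB:...' and 'aabb...' compare equal."""
    return fp.replace(":", "").strip().lower()

def load_blocklist(csv_text):
    """Parse SSLBL-style CSV into {sha1: reason}, skipping '#' comment lines."""
    rows = csv.reader(line for line in io.StringIO(csv_text) if not line.startswith("#"))
    return {normalize_sha1(sha1): reason for _, sha1, reason in rows}

def match_tls_events(log_lines, blocklist):
    """Return one alert per TLS event whose server certificate SHA1 is listed.
    Events without a tls.fingerprint field (e.g. non-TLS flows) are skipped."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        fp = event.get("tls", {}).get("fingerprint")
        if not fp:
            continue
        sha1 = normalize_sha1(fp)
        if sha1 in blocklist:
            alerts.append({"src_ip": event["src_ip"], "dest_ip": event["dest_ip"],
                           "sha1": sha1, "reason": blocklist[sha1]})
    return alerts

# Constructed TLS events in a Suricata EVE-like shape (assumed field names);
# the fingerprint is assumed to be the server cert SHA1 with colon separators.
def _colon(fp):
    return ":".join(fp[i:i + 2] for i in range(0, 40, 2))

TLS_LOG = [
    json.dumps({"src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "dest_port": 443,
                "tls": {"fingerprint": _colon("0123456789ABCDEF0123456789ABCDEF01234567")}}),
    json.dumps({"src_ip": "10.0.0.9", "dest_ip": "198.51.100.2", "dest_port": 443,
                "tls": {"fingerprint": _colon("feedfacefeedfacefeedfacefeedfacefeedface")}}),
    json.dumps({"src_ip": "10.0.0.9", "dest_ip": "192.0.2.1", "dest_port": 80}),
]

def demo():
    return match_tls_events(TLS_LOG, load_blocklist(SSLBL_CSV))

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the first event matches: its fingerprint is upper-case and colon-separated in the log but normalizes to the listed CoreBot entry, while the third event carries no TLS data and is ignored.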

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Malware RAT, njRAT

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Trojan infection, DarkVNC
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, PhantomClicker
  • System Compromise, Trojan infection, Unk