Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of September 2016

Emerging Threat - MySQL CVE-2016-6662

CVE-2016-6662 is a critical vulnerability in MySQL that allows an attacker to create a MySQL configuration file without the privileges to do so. An attack can be carried out via an existing SQL injection vulnerability, or by utilizing the credentials of an authenticated user, effectively elevating the privileges of that user.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MySQL CVE-2016-6662 Attempt
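Network signatures catch the exploitation attempt; the condition the vulnerability abuses is a configuration file that the database server account can create or rewrite. The following host-side audit is an added example written for this update, not part of the original page or of any vendor tooling. It assumes the usual Linux configuration locations listed in `DEFAULT_CONFIG_PATHS` and a service account named `mysql`; both are assumptions, adjust them for your build.

```python
import os
import pwd
import stat

# Assumed default locations a MySQL server reads configuration from on Linux.
# Not taken from the advisory; adjust for your distribution and build.
DEFAULT_CONFIG_PATHS = [
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    "/etc/mysql/conf.d",
    "/etc/mysql/mysql.conf.d",
    "/usr/etc/my.cnf",
]


def service_ids(username="mysql"):
    """Return (uid, gid) of the database service account, or None if absent."""
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return None
    return entry.pw_uid, entry.pw_gid


def audit_path(path, service_uid, service_gid):
    """Return a list of findings for one config path; an empty list means it looks fine."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings  # nothing exists here, so there is nothing to report
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink; verify the target is not under service control")
        try:
            st = os.stat(path)  # examine the target, not the link itself
        except FileNotFoundError:
            findings.append("dangling symlink")
            return findings
    if st.st_uid == service_uid:
        findings.append("owned by the service account (server could rewrite it)")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid == service_gid:
        findings.append("group-writable by the service group")
    return findings


def audit_config_locations(paths, service_uid, service_gid):
    """Audit each path; for directories, also audit every entry directly inside."""
    report = {}
    for path in paths:
        targets = [path]
        if os.path.isdir(path):
            targets += [os.path.join(path, name) for name in sorted(os.listdir(path))]
        for target in targets:
            findings = audit_path(target, service_uid, service_gid)
            if findings:
                report[target] = findings
    return report


if __name__ == "__main__":
    ids = service_ids()
    if ids is None:
        print("no 'mysql' account on this host; nothing to audit")
    else:
        uid, gid = ids
        for target, findings in audit_config_locations(DEFAULT_CONFIG_PATHS, uid, gid).items():
            print(target + ": " + "; ".join(findings))
```

Run it as root on the database host; any path it reports should be owned by root and writable only by root. An empty report does not prove the server is patched, it only shows that the file-ownership precondition the description relies on is not present.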

New Detection Technique - Dreambot

Dreambot is one of the most active variants of the Ursnif trojan. This variant sets itself apart from the others by introducing Tor and P2P communication functionality. Dreambot is currently being spread through a variety of means including, but not limited to, exploit kits, malicious links, and email attachments.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Dreambot

New Detection Technique - Philadelphia

Philadelphia is a new piece of ransomware possibly created by the Stampado ransomware author. Philadelphia is distributed through phishing emails masquerading as an overdue payment notice. Once the link in the email is clicked, the ransomware is downloaded and executed. Upon execution it encrypts non system-critical files and demands a ransom. Interestingly, Philadelphia appears to be an "innovator" in the ransomware market, with features such as autodetecting when a payment has been made and then automatically decrypting, infecting USB drives, and infecting other computers over the network.

We've added IDS signatures and created the following correlation rule to detect this ransomware activity:

  • System Compromise, Ransomware infection, Philadelphia

New Detection Technique - DualToy

DualToy is a Windows trojan that has the ability to sideload malicious applications onto Android and iOS devices via a USB connection. Even though current mobile OSs have features to prevent sideloading, DualToy employs a novel technique of using an existing pairing record to get around such protections.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, DualToy

New Detection Technique - Remcos/Remvio

Remcos/Remvio is a new Remote Access Trojan (RAT) being sold on the hacker underground. In addition to common RAT features, Remcos/Remvio has the ability to create "automation" tasks, which give the malicious actor the potential to exfiltrate data without having to log in and do it manually.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Remcos/Remvio

In addition to that, we've updated the detection techniques for the following RATs:

  • System Compromise, Malware RAT, Luminosity Link RAT
  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy

Microsoft Patch Tuesday

This week's updates include Microsoft's Patch Tuesday content. Microsoft fixed vulnerabilities in their Edge Browser, Internet Explorer, and other components of Windows.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Browser Memory Corruption Vulnerability (CVE-2016-3247)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-3294)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge Memory Corruption Vulnerability (CVE-2016-3295)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-3297)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Session Object Elevation of Privilege Vulnerability Executable Inbound (CVE-2016-3306)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-3324)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k ValidateZorder Privesc Vulnerability (CVE-2016-3348)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Edge OOB Vulnerability (CVE-2016-3325)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer and Edge Information Disclosure Vulnerability (CVE-2016-3351)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Win32k-GDI Concurrency Vulnerability (CVE-2016-3355)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft PDF Remote Code Execution Vulnerability (CVE-2016-3370)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-3375)

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Oldbot
  • System Compromise, Trojan infection, Quant Loader
  • System Compromise, Trojan infection, Etirehni
  • System Compromise, Targeted Malware, APT29
  • System Compromise, Targeted Malware, APT29 SSL Activity
  • System Compromise, Trojan infection, Crugup
  • System Compromise, Trojan infection, Terdot
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, FreePBX Unauthenticated RCE

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. As we described in a blog post: we have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence.

We have added IDS signatures and updated correlation rules to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
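The certificate-based rules above work by comparing the SHA1 fingerprint of the server certificate seen in a TLS handshake against a published blocklist. The script below is an added example that reproduces that matching logic outside the IDS, so an analyst can sweep archived TLS logs for the same indicators; it is not code from the original page or from Abuse.ch. It assumes a blocklist in the comma-separated style of the Abuse.ch SSL blocklist (`listing date, SHA1, reason`) and log events shaped like Suricata `eve.json` `tls` records, which carry the certificate fingerprint as colon-separated hex; both the blocklist entries and the log lines here are constructed and the fingerprints are not real indicators.

```python
import json

# Constructed blocklist in the Abuse.ch SSL blocklist CSV style (assumed format).
# The fingerprints below are made up for this example and are not real indicators.
SAMPLE_BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2016-09-12 10:00:00,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Gozi C&C
2016-09-13 08:30:00,BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB,Dridex C&C
"""

# Constructed Suricata-style eve.json tls events (assumed field layout, not real traffic).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-09-14T09:01:00.000000+0000","event_type":"tls","src_ip":"10.0.0.25",'
    '"dest_ip":"203.0.113.5","dest_port":443,"tls":{"subject":"CN=localhost","issuer":"CN=localhost",'
    '"fingerprint":"aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa","version":"TLS 1.2"}}',
    '{"timestamp":"2016-09-14T09:01:05.000000+0000","event_type":"tls","src_ip":"10.0.0.25",'
    '"dest_ip":"198.51.100.10","dest_port":443,"tls":{"subject":"CN=example.test","issuer":"CN=Example CA",'
    '"fingerprint":"cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc","version":"TLS 1.2"}}',
    '{"timestamp":"2016-09-14T09:01:06.000000+0000","event_type":"http","src_ip":"10.0.0.25",'
    '"dest_ip":"198.51.100.10","dest_port":80,"http":{"hostname":"example.test","url":"/"}}',
    'this line is not JSON and must be skipped',
]


def normalize_fingerprint(fp):
    """Canonical form for comparison: lowercase hex with no colon separators."""
    return fp.replace(":", "").strip().lower()


def parse_blocklist(csv_text):
    """Map normalized SHA1 fingerprint -> listing reason, ignoring comments and blank lines."""
    blocklist = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue  # malformed row; skip rather than abort the whole sweep
        _listed, sha1, reason = parts
        blocklist[normalize_fingerprint(sha1)] = reason.strip()
    return blocklist


def find_matches(eve_lines, blocklist):
    """Return one record per tls event whose certificate fingerprint is on the blocklist."""
    matches = []
    for line in eve_lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # tolerate truncated or non-JSON lines in rotated logs
        if event.get("event_type") != "tls":
            continue
        fp = event.get("tls", {}).get("fingerprint")
        if not fp:
            continue  # e.g. handshake did not complete, no certificate observed
        reason = blocklist.get(normalize_fingerprint(fp))
        if reason is None:
            continue
        matches.append({
            "timestamp": event.get("timestamp"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "dest_port": event.get("dest_port"),
            "fingerprint": normalize_fingerprint(fp),
            "reason": reason,
        })
    return matches


if __name__ == "__main__":
    hits = find_matches(SAMPLE_EVE_LINES, parse_blocklist(SAMPLE_BLOCKLIST_CSV))
    for hit in hits:
        print(f"{hit['timestamp']} {hit['src_ip']} -> {hit['dest_ip']}:{hit['dest_port']} "
              f"matched {hit['reason']} ({hit['fingerprint']})")
```

Fingerprints are normalized on both sides because sensors and blocklists disagree on case and on colon separators; without that step a correct indicator silently fails to match. Matching on the fingerprint rather than the subject or issuer is deliberate, since malware certificates routinely reuse generic names such as `CN=localhost`.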

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation domain

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Command output exfiltrated
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Suspicious Behaviour, Suspicious HTTP request
  • System Compromise, Targeted Malware, Unknown APT
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Gozi
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Trojan with Autoit
  • System Compromise, Trojan infection, Unknown trojan