Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of August 2016

New Detection Technique - Pegasus

Pegasus is a sophisticated piece of mobile malware developed and sold by a secretive Israeli surveillance technology company called the NSO Group. This malware exploits three different vulnerabilities (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657) in Apple's iOS to gain a foothold on the target's device. Depending on which modules were purchased, upon installation the malware has access to everything from messages and calls to Facebook and Gmail, along with everything in between.

We've added IDS signatures and created the following correlation rule to detect Pegasus activity:

  • System Compromise, Trojan infection, Pegasus

New Detection Technique - Alma Ransomware

Alma is a new ransomware family that is being delivered via the RIG Exploit Kit. This variant has several design flaws, ranging from merely base64-encoding the encryption keys to a decryptor that can be manipulated into decrypting files without paying the ransom.

We've added IDS signatures and created the following correlation rule to detect Alma activity:

  • System Compromise, Ransomware infection, Alma

New Detection Technique - Alfa/Alpha Ransomware

Alfa/Alpha is a new variant of ransomware brought to you by the makers of Cerber. It is currently unknown how Alfa Ransomware is distributed, but upon execution it will scan and encrypt various files found on the host and append the ‘.bin’ extension to the encrypted file. The decryption site provided will allow the victim to decrypt only one file for free and then retrieve the decryptor by paying the ransom amount.

We've added IDS signatures and created the following correlation rule to detect Alfa/Alpha activity:

  • System Compromise, Ransomware infection, Alfa/Alpha Ransomware

New Detection Technique - Fantom Ransomware

Fantom is an EDA2 ransomware variant that poses as a Windows update to trick victims into downloading and executing the file. Upon execution, the ransomware will extract and execute another embedded program called WindowsUpdate.exe which displays the fake Windows Update screen that will overlay all active windows while it encrypts the victim’s files.

We've added IDS signatures and created the following correlation rule to detect Fantom activity:

  • System Compromise, Ransomware infection, Fantom

We've also added detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Bart
  • System Compromise, Ransomware infection, CTB-Locker
  • System Compromise, Ransomware infection, MarsJoke

In addition to that, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, R980
  • System Compromise, Ransomware infection, Shade
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible nProtect Netizen ActiveX Drive-By
  • Exploitation & Installation, Vulnerable software, Navis WebAccess SQL Injection
  • System Compromise, Malware RAT, VanToM
  • System Compromise, Trojan infection, PNScan
  • System Compromise, Trojan infection, SteamStealerX
  • System Compromise, Trojan infection, ZeusPOS

Updated Detection Technique - Equation Group

Shadow Brokers is a group that has posted several files from the sophisticated Equation Group. The leaked files contain exploit code that can be used against Cisco ASA, Cisco PIX, and Cisco Firewall Services Modules. One of the exploits, called EXTRABACON, targets a buffer overflow vulnerability (CVE-2016-6366) in the SNMP code. Attackers can send specially crafted SNMP packets to the affected products, potentially giving the attackers full control of the system. In order for this exploit to be successful, SNMP must be configured on the interface that is receiving the packets and the community string has to be known. All supported versions of SNMP are vulnerable, along with all Cisco ASA software releases.

We've added IDS signatures and updated the following correlation rule to detect Equation Group exploitation activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)
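The paragraph above names two preconditions for EXTRABACON to work: SNMP must be reachable on the interface receiving the packets, and the community string must be known. The following script is an added example (not code from this update, from Cisco, or from the leaked tooling) that audits a constructed ASA-style configuration for exactly those two conditions: SNMP hosts bound to an interface named as untrusted, and community strings drawn from a small constructed list of guessable values. The interface name `outside`, the weak-community list and the `snmp-server host <iface> <ip> community <string>` / `snmp-server community <string>` line shapes are assumptions for the check.

```python
"""Audit a Cisco ASA-style config for the EXTRABACON preconditions named in
the update: SNMP reachable on an untrusted-facing interface, and a guessable
community string. Constructed example; the config text and both lists below
are made up, and the two 'snmp-server ...' line shapes are assumed."""
import re

# Assumption: interfaces with these nameif values face untrusted networks.
UNTRUSTED_IFACES = {"outside"}
# Constructed list of community strings an attacker would try first.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}

# Assumed line shapes (constructed, not a full ASA grammar).
HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<ip>\S+)"
    r"(?: community (?P<comm>\S+))?(?: version (?P<ver>\S+))?"
)
COMM_RE = re.compile(r"^snmp-server community (?P<comm>\S+)")


def audit_snmp(config_text):
    """Return a list of (line_no, finding, detail) tuples for the config.

    Findings are 'snmp-on-untrusted-interface' and 'weak-community'. The SNMP
    version is deliberately not used to suppress findings: the update states
    that all supported SNMP versions are affected.
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            if m["iface"] in UNTRUSTED_IFACES:
                findings.append((line_no, "snmp-on-untrusted-interface", m["iface"]))
            if m["comm"] and m["comm"].lower() in WEAK_COMMUNITIES:
                findings.append((line_no, "weak-community", m["comm"]))
            continue
        m = COMM_RE.match(line)
        if m and m["comm"].lower() in WEAK_COMMUNITIES:
            findings.append((line_no, "weak-community", m["comm"]))
    return findings


# Constructed configuration snippet used for the demonstration.
SAMPLE_CONFIG = "\n".join([
    "interface GigabitEthernet0/0",
    " nameif outside",
    " security-level 0",
    "snmp-server host inside 10.0.0.50 community MgmtOnly-9f3 version 2c",
    "snmp-server host outside 203.0.113.10 community public version 2c",
    "snmp-server community public",
])

if __name__ == "__main__":
    for line_no, finding, detail in audit_snmp(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding} ({detail})")
```

A clean result from this check does not remove the need for the vendor fix; it only tells you whether the conditions under which the exploit is usable against a given firewall currently hold.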

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families use hidden services to communicate with a command and control (C&C) server, usually via a predefined onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
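To illustrate the kind of detection the rule above groups together, here is an added example (not code from this update) that scans constructed resolver log lines for .onion lookups. Any .onion name reaching the DNS is worth flagging on its own, since .onion is reserved (RFC 7686) and Tor-aware software keeps such names inside Tor; a match against a list of known C&C addresses raises the severity. The log format, the client addresses and the onion names in the blocklist are all constructed placeholders.

```python
"""Flag DNS queries for .onion hidden-service names and match them against a
blocklist of known C&C onion addresses. Constructed example, not code from
the original update; the log layout and all names/addresses are made up."""
import re
from collections import defaultdict

# Constructed placeholders standing in for the onion addresses an IDS
# signature set would carry. Not real indicators.
MALICIOUS_ONIONS = {
    "c2placeholderaaaa.onion",
    "botplaceholderbbb.onion",
}

# Assumed resolver-log shape: "<ts> <client-ip> query: <name> <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query:\s+"
    r"(?P<name>\S+)\s+(?P<qtype>[A-Z]+)\s*$"
)


def onion_service_name(qname):
    """Return '<label>.onion' if qname is under .onion, else None.

    Subdomains of a hidden service (e.g. 'www.<label>.onion') are reduced to
    the service address itself so they still match the blocklist.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    return ".".join(labels[-2:])


def classify(line):
    """Parse one log line; return an alert dict, or None if nothing to flag."""
    m = LOG_RE.match(line)
    if not m:
        return None
    onion = onion_service_name(m["name"])
    if onion is None:
        return None
    # Any .onion query is suspicious (leaked outside Tor or malware using the
    # system resolver); a known C&C address is treated as high severity.
    severity = "high" if onion in MALICIOUS_ONIONS else "medium"
    return {"ts": m["ts"], "client": m["client"], "onion": onion, "severity": severity}


def scan_dns_log(lines):
    """Return (alerts, per-client severity counts) for an iterable of lines."""
    alerts = [a for a in map(classify, lines) if a]
    per_client = defaultdict(lambda: {"high": 0, "medium": 0})
    for a in alerts:
        per_client[a["client"]][a["severity"]] += 1
    return alerts, dict(per_client)


# Constructed sample log lines.
SAMPLE_LOG = [
    "2016-08-19T10:01:02 10.0.0.5 query: www.example.com A",
    "2016-08-19T10:01:03 10.0.0.7 query: c2placeholderaaaa.onion A",
    "2016-08-19T10:01:04 10.0.0.7 query: www.c2placeholderaaaa.onion. AAAA",
    "2016-08-19T10:01:05 10.0.0.9 query: unlistedhiddensvc.onion A",
]

if __name__ == "__main__":
    alerts, counts = scan_dns_log(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ts']} {a['client']} -> {a['onion']} [{a['severity']}]")
    print(counts)
```

The medium-severity path matters in practice: a host that resolves unlisted .onion names through the corporate resolver is either running a misconfigured Tor client or malware that has not been seen before, and both deserve a look.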

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, DarkComet
  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Vawtrak SSL Certificate
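The matching behind these rules is a comparison of the server certificate's SHA1 fingerprint against a feed of known-bad fingerprints. The following added example (not code from this update or from Abuse.ch) shows the two pieces a detection pipeline needs: computing the fingerprint from a DER-encoded certificate, and normalising fingerprints that arrive in different notations (colon-separated, upper case) before the lookup. The blocklist values, the key=value TLS log layout and the addresses in the sample lines are constructed; the blocklist entries are not real indicators.

```python
"""Match TLS server-certificate SHA1 fingerprints from log lines against a
blocklist. Constructed example, not code from the update or from Abuse.ch;
the blocklist values and the log layout are made up for illustration."""
import hashlib
import re

# Constructed blocklist in the style of a SHA1-fingerprint feed: 40 lowercase
# hex characters per certificate with a family label. Values are placeholders.
CERT_BLOCKLIST = {
    "0123456789abcdef0123456789abcdef01234567": "Gozi",
    "89abcdef0123456789abcdef0123456789abcdef": "Vawtrak",
}


def normalize_fingerprint(fp):
    """Reduce 'AB:CD:..', 'ab cd ..' or bare hex to lowercase 40-hex, or None."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    return hexstr if len(hexstr) == 40 else None


def fingerprint_from_der(der_bytes):
    """SHA1 over the DER-encoded certificate, the form such feeds distribute."""
    return hashlib.sha1(der_bytes).hexdigest()


# Assumed TLS-log line shape: space-separated key=value pairs (constructed).
KV_RE = re.compile(r"(\w+)=(\S+)")


def match_tls_log(lines):
    """Return one hit dict per log line whose cert_sha1 is on the blocklist."""
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        fp = normalize_fingerprint(fields.get("cert_sha1", ""))
        if fp and fp in CERT_BLOCKLIST:
            hits.append({
                "ts": fields.get("ts"),
                "src": fields.get("src"),
                "dst": fields.get("dst"),
                "family": CERT_BLOCKLIST[fp],
                "sha1": fp,
            })
    return hits


# Constructed sample TLS log lines; fingerprints appear in mixed notations.
SAMPLE_TLS_LOG = [
    "ts=2016-08-19T11:00:00 src=10.0.0.12 dst=198.51.100.7:443 sni=- "
    "cert_sha1=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
    "ts=2016-08-19T11:00:05 src=10.0.0.13 dst=198.51.100.9:443 sni=www.example.com "
    "cert_sha1=ffffffffffffffffffffffffffffffffffffffff",
    "ts=2016-08-19T11:00:09 src=10.0.0.14 dst=203.0.113.20:8443 sni=- "
    "cert_sha1=89abcdef0123456789abcdef0123456789ABCDEF",
]

if __name__ == "__main__":
    for hit in match_tls_log(SAMPLE_TLS_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}: {hit['family']} ({hit['sha1']})")
```

Normalising before the lookup is the part most often missed: sensors frequently emit colon-separated upper-case fingerprints while feeds publish bare lower-case hex, and a byte-for-byte comparison silently misses every hit.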

Updated Detection Technique - PandaBanker

PandaBanker is a banking Trojan with roots tied to Zeus. It is distributed via targeted email-attachment attacks and various exploit kits. It also supports automated actions against numerous Australian and UK banks.

We've added IDS signatures and updated the following correlation rule to detect PandaBanker activity:

  • System Compromise, C&C Communication, Panda Banker SSL activity

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Confidential Data - Password in Cleartext, HTTP
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, DDoS trojan Smoke Loader
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Godzilla
  • System Compromise, Trojan infection, Hawkeye Keylogger
  • System Compromise, Trojan infection, IRC Bot
  • System Compromise, Trojan infection, Jorik
  • System Compromise, Trojan infection, Killproc
  • System Compromise, Trojan infection, Sefnit
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Worm infection, Vonriamt