Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of February 2016

New Detection Technique - Operation Blockbuster

Operation Blockbuster is an initiative led by Novetta that tracks and analyzes the threat actor known as the Lazarus Group. Several companies participated in this initiative – including AlienVault. AlienVault's write-up on Operation Blockbuster can be found here. The Lazarus Group has been active since at least 2009 (possibly as early as 2007) and is best known for their attacks against Sony Pictures Entertainment. Although best known for that attack, the Lazarus Group has been linked to a much broader body of work that includes multiple families of malware and several different target demographics.

We've added IDS signatures and created the following correlation rule to detect activity from the Lazarus Group:

  • System Compromise, Trojan infection, Blockbuster

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, C&C Communication, Response from a DGA Domain
  • System Compromise, Malware infection, Livate
  • System Compromise, Trojan infection, AGENT AHD
  • System Compromise, Trojan infection, Evotob
  • System Compromise, Trojan infection, MBot
  • System Compromise, Trojan infection, Yeegram
  • System Compromise, Trojan infection, YoungLotus

Updated Detection Technique - Qadars

Qadars is a banking trojan used by an unknown threat actor. It has primarily been seen targeting 6 countries: the Netherlands, France, Canada, India, Australia and Italy. Qadars uses a Man-in-the-Browser (MitB) scheme to perform financial fraud.

We added IDS signatures and updated the following correlation rule to detect Qadars activity:

  • System Compromise, C&C Communication, Qadars SSL activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with an initial attack (an exploited vulnerability) followed by the installation of malware. This last step often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, PadCrypt
  • System Compromise, Ransomware infection, Cryptolocker

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Tepoyx SSL activity
  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Geodo SSL activity

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Invisible to normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all the attacks it knows in order to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Nuclear EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Jacksbot

Jacksbot is Java-based malware that allows an attacker to perform malicious actions such as stealing sensitive information, downloading files, and/or corrupting files. Jacksbot is often distributed as a Minecraft modification and has the capability to steal Minecraft credentials.

We have added IDS signatures and updated the following correlation rule to detect Jacksbot activity:

  • System Compromise, Backdoor, Jacksbot

Updated Detection Technique - Carbanak

Carbanak is an organized criminal group that has focused on compromising banks and electronic payment systems. The group is known to have targeted many different organizations, causing millions of dollars in losses.

We have added IDS signatures and updated a correlation rule to detect Carbanak activity:

  • System Compromise, Trojan infection, Carbanak

Updated Detection Technique - Point Of Sale Malware

Point of Sale (POS) systems are a juicy target for cybercriminals. Large retailers process thousands of transactions daily using these systems, meaning they often contain large volumes of credit card information. Several pieces of malware available on the black market can be used to steal data from the memory of Point of Sale devices.

We have added IDS signatures and updated correlation rules to detect the following POS malware:

  • System Compromise, C&C Communication, FrameworkPOS

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server, and they usually use a predefined onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity, allowing users to surf the Internet without revealing their identity. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites allow access to Tor hidden services from the Internet without being inside the Tor network. We have created a new correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
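As an added illustration of the two Tor-related detections above (not AlienVault's own rule logic), the following Python scans DNS query logs for hosts that try to resolve a .onion name directly or that reach a hidden service through a clearnet onion proxy. The log format, the sample lines and the proxy domain list are constructed assumptions; a correctly configured Tor client never sends .onion names to the local resolver, so such a query reaching the DNS server is itself the signal.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not from the original page).
# Format per line: "<time> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2016-02-15T10:01:02 10.0.0.5 www.example.com A
2016-02-15T10:01:09 10.0.0.5 abcdefghij234567.onion A
2016-02-15T10:02:31 10.0.0.7 mail.example.net MX
2016-02-15T10:03:44 10.0.0.9 abcdefghij234567.onion.onion-proxy.example A
2016-02-15T10:04:00 10.0.0.5 notonion.example.org A
2016-02-15T10:05:12 10.0.0.9 cdn.onion-proxy.example A
"""

# Assumed clearnet onion-proxy suffixes: placeholders, not real indicators.
ONION_PROXY_SUFFIXES = ("onion-proxy.example", "tor-gateway.example")

# A hidden-service name is a base32 label (16 chars for v2, 56 for v3)
# followed by ".onion", optionally preceded by subdomain labels.
ONION_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$", re.IGNORECASE
)


def classify_qname(qname):
    """Return 'onion_resolution', 'onion_proxy' or None for a query name."""
    q = qname.rstrip(".").lower()  # normalise trailing dot and case
    if ONION_RE.match(q):
        return "onion_resolution"
    for suffix in ONION_PROXY_SUFFIXES:
        if q == suffix or q.endswith("." + suffix):
            return "onion_proxy"
    return None


def scan_dns_log(log_text):
    """Return (time, client, qname, category) for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the scan
        ts, client, qname, _qtype = parts
        category = classify_qname(qname)
        if category:
            hits.append((ts, client, qname, category))
    return hits


def hits_per_client(hits):
    """Count hits by (client, category) to prioritise which host to triage."""
    return Counter((client, category) for _, client, _, category in hits)
```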

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, Kaicone
  • System Compromise, Trojan infection, Nymaim
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Venik