Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of February

New Detection Technique - Matrix

Matrix is a new family of ransomware that appears to still be in active development. Matrix uses GnuPG to encrypt files and, depending on the variant, after file encryption is complete it drops either an RTF file in Russian with decryption instructions or a Word file with instructions in English and Russian.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Matrix

New Detection Technique - Contopee

Contopee is a backdoor that can execute remote commands and send detailed system information from the compromised system to a remote location. The information gathered may include the OS version, a list of running processes, and the BIOS manufacturer and product name. The backdoor also has ties to the Lazarus group, which has been observed using the same malware.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Contopee

New Detection Techniques

We've added the following correlation rules as a result of recent malicious and exploit activity:

  • System Compromise, Trojan infection, Joao
  • System Compromise, Trojan infection, Loda

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity

Updated Detection Technique - Ransomware

In the past week, we've seen an increase in ransomware activity in the wild. We've added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, JobCrypter
  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Crypton
  • System Compromise, Ransomware infection, VenusLocker
  • System Compromise, Ransomware infection, Spora


Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, FakeM RAT
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that lets users browse the Internet anonymously. Tor also provides anonymity for servers that are reachable only through the Tor network, called hidden services. Some websites act as gateways (onion proxies) that make Tor hidden services reachable from the regular Internet without the client being inside the Tor network.

We've updated the correlation rule that detects when a system accesses one of these hidden services. Many ransomware schemes use these services to receive payments and to conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
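As an added illustration of the detection idea above (this is example code, not the product's correlation rule), the following Python flags proxy-log entries whose host is a hidden-service address reached through a clearnet onion gateway. It assumes a constructed log format of `time src_ip method host path`; the hidden-service addresses, gateway domains and log lines are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Hidden-service addresses are base32 ([a-z2-7]): 16 chars for v2, 56 for v3.
# A clearnet onion gateway exposes them as <address>.onion.<gateway-domain>.
ONION_HOST_RE = re.compile(
    r"^(?:[\w-]+\.)*?([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.([a-z0-9.-]+))?$"
)


def classify_host(host: str) -> Optional[Dict[str, str]]:
    """Return the onion address and gateway for a host name, or None if it is not one."""
    host = host.strip().lower().split(":")[0]  # drop an explicit port such as :443
    m = ONION_HOST_RE.match(host)
    if not m:
        return None
    address, gateway = m.group(1), m.group(2)
    return {
        "onion_address": address + ".onion",
        "gateway": gateway or "",
        # A gateway suffix means the hidden service was reached via a clearnet proxy.
        "kind": "onion_proxy" if gateway else "onion_direct",
    }


def detect_onion_proxy(log_lines: List[str]) -> List[Dict[str, str]]:
    """Scan 'time src_ip method host path' proxy log lines for hidden-service access."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the scan
        ts, src_ip, _method, host, _path = parts[:5]
        hit = classify_host(host)
        if hit:
            findings.append({"time": ts, "src_ip": src_ip, "host": host, **hit})
    return findings


# Constructed sample log lines (hypothetical addresses and gateways, not real indicators).
SAMPLE_LOGS = [
    "10:01:02 10.0.0.15 GET example.com /index.html",
    f"10:02:10 10.0.0.15 GET {'b' * 16}.onion.to /",          # v2 address via gateway
    f"10:03:44 10.0.0.22 GET www.{'x' * 56}.onion.ws:443 /pay",  # v3 address via gateway
    "10:04:01 10.0.0.30 GET onion.to /",                      # gateway front page only
    "garbage line",
]

if __name__ == "__main__":
    for finding in detect_onion_proxy(SAMPLE_LOGS):
        print(finding)
```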

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Trojan with Autoit
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, PSEmpire
  • System Compromise, Trojan infection, CMSBrute
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document