Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of January 2016

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Backdoor, Jolob
  • System Compromise, Trojan infection, MSIL/Gurim
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Pincher
  • System Compromise, Trojan infection, VirdetDoor

New Detection Technique - Ransomware

Last week we added new IDS signatures and correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, 7ev3n
  • System Compromise, Ransomware infection, PadCrypt

We also updated correlation rules to detect several known ransomware families:

  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Ransomware infection, Poshcoder
  • System Compromise, Trojan infection, Cryptolocker
  • System Compromise, Trojan infection, LockScreen

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added the following IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Nuclear EK

Updated Detection Technique - Malware SSL Certificates

We have added new IDS signatures covering the list of certificates identified as being associated with malware or botnet activities. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves an initial attack (an exploited vulnerability) followed by the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We have added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Unknown RAT
  • System Compromise, Malware RAT, DarkComet
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, PCRat

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Suspicious Behavior, EXE file download from a Dynamic DNS host
  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation domain
  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Banbra
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Bebloh
  • System Compromise, Malware infection, Dexter POS Malware
  • System Compromise, Malware infection, Malware contacting Dynamic Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Targeted Malware, Superman
  • System Compromise, Trojan infection, Bergard
  • System Compromise, Trojan infection, Kivars
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Targeted Malware, OceanLotus
  • Delivery & Attack, Malicious website, Phishing activity