Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of January.

New Detection Technique - GhostAdmin

GhostAdmin is a new malicious bot that works by infecting computers, gaining boot persistence, and establishing a communications channel with its command and control (C&C) server via an IRC channel. It has the ability to collect data from the infected computer and silently send it to a remote server. Once the communication channel is established, GhostAdmin can execute many commands, including interacting with the victim's filesystem, browsing to specific URLs, downloading and executing new files, taking screenshots, recording audio, enabling remote desktop connections, exfiltrating data, deleting log files, interacting with local databases, wiping browsing history, and more.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, GhostAdmin
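GhostAdmin's distinguishing network behaviour is the IRC control channel. As an added illustration (not part of this update and not a signature from the product), the following Python detector inspects the first client-to-server payload of each TCP session for the IRC registration handshake (NICK and USER followed by JOIN) on any destination port, since a bot need not use 6667. The session records are constructed for the example.

```python
"""
Added example, not part of the original update: flag IRC-style
command-and-control sessions by their registration handshake rather than
by port. Session records below are constructed for illustration.
"""
import re

# IRC client verbs from RFC 1459 / RFC 2812 that open a session or join a channel.
IRC_VERB_RE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS)\b", re.IGNORECASE)

# Constructed session log: (src_ip, dst_ip, dst_port, first client payload)
SESSIONS = [
    ("10.0.0.12", "203.0.113.5", 6667,
     b"NICK [US|WIN7|1234]\r\nUSER abc 0 * :abc\r\nJOIN #bots k3y\r\n"),
    ("10.0.0.15", "198.51.100.9", 443,                      # IRC hidden on 443
     b"NICK n7ad2\r\nUSER n7ad2 8 * :n7ad2\r\nJOIN ##ghost\r\n"),
    ("10.0.0.20", "93.184.216.34", 443,                     # real TLS ClientHello
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.21", "198.51.100.20", 80,                      # plain HTTP
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def irc_verbs(payload):
    """Return the IRC command verbs found at the start of each line, upper-cased."""
    verbs = []
    for line in payload.split(b"\r\n"):
        m = IRC_VERB_RE.match(line.strip())
        if m:
            verbs.append(m.group(1).upper().decode())
    return verbs


def looks_like_irc_registration(payload):
    """A client registers with NICK and USER; a bot then JOINs its control channel."""
    verbs = set(irc_verbs(payload))
    return {"NICK", "USER"} <= verbs and "JOIN" in verbs


def joined_channel(payload):
    """Extract the channel name from the JOIN line, or None."""
    for line in payload.split(b"\r\n"):
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == b"JOIN":
            return parts[1].decode(errors="replace")
    return None


def find_irc_c2(sessions):
    """Return (src, dst, port, channel, nonstandard_port) for IRC-looking sessions."""
    hits = []
    for src, dst, port, payload in sessions:
        if looks_like_irc_registration(payload):
            hits.append((src, dst, port, joined_channel(payload), port != 6667))
    return hits


if __name__ == "__main__":
    for hit in find_irc_c2(SESSIONS):
        print("possible IRC C&C:", hit)
```

Matching on the handshake rather than the port is what makes this useful: the second session above would pass a port-only rule, and the TLS and HTTP sessions on the same ports are not flagged because their first bytes carry no IRC verbs.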

New Detection Technique - Winfender

Winfender is a backdoor that targets the Windows platform. The malware contacts a remote server to send out system information and obtain commands. Winfender also supports commands that would allow it to download and upload files, delete files, open URLs, execute files, log keystrokes, add registry entries, shut down systems, execute shell commands, and more.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Winfender

New Detection Technique - Invoke-TheHash Invoke-SMBExec

Invoke-TheHash is a PowerShell tool that can be used to perform NTLMv2 pass-the-hash command execution over WMI (Windows Management Instrumentation) and SMB (Server Message Block). The WMI and SMB services are reached through .NET TCPClient connections, and authentication is performed by feeding an NTLM hash directly into the NTLMv2 authentication exchange, so no plaintext password is needed.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Hacking tool, Invoke-TheHash Invoke-SMBExec
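Because Invoke-TheHash authenticates with NTLMv2 straight from a TCP client, the target host records a network logon (Security event 4624, LogonType 3) whose authentication package is NTLM rather than Kerberos, and a single source driving such logons against several hosts in a short window is a usable host-side signal alongside the IDS signatures. The following Python heuristic, added here as an example and not part of this update, scores that pattern over constructed 4624 events; the field names follow the Windows 4624 event schema, the window and threshold are arbitrary assumptions.

```python
"""
Added example, not part of the original update: surface pass-the-hash style
lateral movement from Security 4624 events. Events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events:
# (TimeCreated, Computer, LogonType, AuthenticationPackageName, LmPackageName,
#  TargetUserName, IpAddress)
EVENTS = [
    ("2017-01-18T09:00:01", "FS01",  3, "Kerberos",  "-",       "alice",   "10.0.0.5"),
    ("2017-01-18T09:00:09", "FS01",  3, "NTLM",      "NTLM V2", "admin",   "10.0.0.77"),
    ("2017-01-18T09:00:15", "WEB02", 3, "NTLM",      "NTLM V2", "admin",   "10.0.0.77"),
    ("2017-01-18T09:00:31", "SQL03", 3, "NTLM",      "NTLM V2", "admin",   "10.0.0.77"),
    ("2017-01-18T09:01:02", "DC01",  3, "NTLM",      "NTLM V2", "admin",   "10.0.0.77"),
    ("2017-01-18T09:05:00", "FS01",  3, "NTLM",      "NTLM V1", "scanner", "10.0.0.200"),  # one host only
    ("2017-01-18T09:06:00", "WS09",  2, "Negotiate", "NTLM V2", "bob",     "127.0.0.1"),   # interactive
]


def is_ntlm_network_logon(ev):
    """Network logon (type 3) that completed with NTLM instead of Kerberos."""
    _, _, logon_type, auth_pkg, _, _, _ = ev
    return logon_type == 3 and auth_pkg.upper() == "NTLM"


def lateral_movement_sources(events, window=timedelta(minutes=5), min_hosts=3):
    """
    Group NTLM network logons by source IP and find the largest set of distinct
    target hosts reached within any sliding window. Sources that reach at least
    min_hosts hosts are returned with the hosts and accounts involved.
    """
    by_src = defaultdict(list)
    for ev in events:
        if is_ntlm_network_logon(ev):
            by_src[ev[6]].append((datetime.fromisoformat(ev[0]), ev[1], ev[5]))

    alerts = {}
    for src, logons in by_src.items():
        logons.sort()
        best = set()
        for i, (t0, _, _) in enumerate(logons):
            hosts = {host for t, host, _ in logons[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[src] = {
                "hosts": sorted(best),
                "users": sorted({user for _, _, user in logons}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in lateral_movement_sources(EVENTS).items():
        print(f"{src}: NTLM network logons to {info['hosts']} as {info['users']}")
```

In a Kerberos domain, NTLM network logons from a workstation to member servers are already unusual; the fan-out across hosts is what separates tool-driven movement from a single legacy client, which is why the scanner host above is not reported.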

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect a new ransomware family:

  • System Compromise, Ransomware infection, Evil

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, PadCrypt
  • System Compromise, Ransomware infection, Philadelphia

New Detection Technique - Malware

We've added the following correlation rules as a result of recent malicious activity:

  • System Compromise, C&C Communication, Madness SSL activity

New Detection Technique - Exploit

We've added the following correlation rules as a result of recent exploit activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Grandstream IP Phone Password Disclosure

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries every attack method it knows against the visitor's browser and plugins in order to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence.

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, StrongPity SSL activity
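The Abuse.ch SSL Blacklist identifies C&C certificates by SHA1 fingerprint, so the core of a detection like this is hashing the DER-encoded server certificate seen in a TLS handshake and looking it up in the list. The Python below, added as an example and not code from this update or from Abuse.ch, does that over a constructed blocklist in the SSLBL CSV layout and constructed handshake records; the certificate bytes are stand-ins, not real certificates, and the fingerprints are computed from them rather than taken from any real listing.

```python
"""
Added example, not part of the original update: match TLS server certificates
against an SSLBL-style SHA1 fingerprint blocklist. Blocklist rows, certificate
bytes and handshake records are all constructed for illustration.
"""
import csv
import hashlib
import io


def sha1_fingerprint(der):
    """SHA1 over the raw DER certificate, upper-case hex, as SSLBL lists it."""
    return hashlib.sha1(der).hexdigest().upper()


def normalise_fingerprint(fp):
    """Accept 'AB:CD:..' or 'abcd..' and return the canonical upper-case form."""
    return fp.replace(":", "").strip().upper()


# Constructed DER stand-ins (a real entry is the full DER of the leaf certificate).
BAD_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-gootkit-c2-certificate"
GOOD_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-legitimate-certificate"

# Constructed CSV in the SSLBL layout: listing date, SHA1 fingerprint, reason.
BLOCKLIST_CSV = (
    "# Listingdate,SHA1,Listingreason\n"
    f"2017-01-16 10:22:05,{sha1_fingerprint(BAD_CERT_DER)},Gootkit C&C\n"
    "2017-01-17 08:11:40,0000000000000000000000000000000000000000,Panda Banker C&C\n"
)

# Constructed handshake observations: (src_ip, dst_ip, dst_port, server cert DER)
HANDSHAKES = [
    ("10.0.0.31", "203.0.113.40", 443, GOOD_CERT_DER),
    ("10.0.0.32", "198.51.100.77", 8443, BAD_CERT_DER),
    ("10.0.0.33", "203.0.113.41", 443, GOOD_CERT_DER),
]


def load_blocklist(text):
    """Parse the CSV, skipping comment and short rows; key by normalised SHA1."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < 3:
            continue
        entries[normalise_fingerprint(row[1])] = {"listed": row[0], "reason": row[2]}
    return entries


def match_handshakes(handshakes, blocklist):
    """Return one alert dict per handshake whose server certificate is listed."""
    hits = []
    for src, dst, port, der in handshakes:
        fp = sha1_fingerprint(der)
        if fp in blocklist:
            hits.append({"src": src, "dst": dst, "port": port,
                         "sha1": fp, "reason": blocklist[fp]["reason"]})
    return hits


if __name__ == "__main__":
    for hit in match_handshakes(HANDSHAKES, load_blocklist(BLOCKLIST_CSV)):
        print("C&C certificate observed:", hit)
```

Fingerprint matching is exact, so it is precise but brittle: an operator who reissues the C&C certificate evades it until the list is refreshed, which is why this kind of rule is paired with behavioural ones (the DGA and suspicious user-agent rules below) rather than used alone.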

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Client Side Exploit - Known Vulnerability, Suspicious image downloaded
  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Targeted Malware, RocketKitten
  • System Compromise, Trojan infection, Dooptroop
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Hancitor
  • System Compromise, Trojan infection, Menti
  • System Compromise, Trojan infection, Nanobot
  • System Compromise, Trojan infection, Unknown trojan