Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of July 2016

New Detection Technique - OnionDog

OnionDog is a threat group that has been infiltrating Energy and Transportation organisations, mainly in Korean-speaking countries, and stealing information from them. Its malware exploits a vulnerability in the Korean-language Hangul word-processing software, and it reaches network-isolated targets by spreading as a USB worm. The main distribution channel is spear-phishing email carrying a malicious attachment; once the attachment is opened it downloads and activates the trojan.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, OnionDog

New Detection Technique - ChromePass

ChromePass is a small password-recovery tool that displays the user names and passwords saved in the Google Chrome browser. It has legitimate uses for system administrators, but its presence or execution where it is not expected can indicate credential theft on an already compromised host.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Hacking tool, ChromePass

New Detection Technique - Malware

We've added the following correlation rules due to recent malicious activity:

  • System Compromise, Trojan infection, Pislik
  • System Compromise, Trojan infection, Monero Miner
  • System Compromise, Ransomware infection, VenusLocker

Updated Detection Technique - Exploit Kits

Exploit kits are the engine behind "drive-by downloads". Attackers embed them in compromised or attacker-controlled websites, where they are invisible to the visitor. When a user browses to a page hosting an exploit kit, the kit fingerprints the browser and its plugins and tries the exploits it carries in order to compromise the machine and install malware. This is a common attack vector and a major source of end-user infections, and cybercriminals constantly change the patterns in their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website, Phishing activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Access Trojan (RAT) that gives the attacker control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures that include certificates identified as associated with botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, C&C Communication, Zeus SSL Certificate
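The two kinds of C&C detection listed above, certificate fingerprint matching and DGA domain spotting, as an added example that is not part of this update or of the AlienVault correlation engine. The simplified log format, the fingerprint blocklist, the log lines and the DGA scoring thresholds are all constructed for illustration; a real deployment would load its fingerprints from a threat feed and would use a public-suffix list instead of the naive "second-to-last label" rule.

```python
"""Constructed example: flag TLS sessions that present a known-bad certificate and
DNS queries whose registrable label looks machine-generated (DGA)."""
import math
from collections import Counter

# Constructed blocklist of certificate SHA-1 fingerprints, keyed to a family name.
# The values are made up; they match nothing in the real world.
MALICIOUS_CERT_SHA1 = {
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678": "Zeus",
    "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef": "Unknown botnet",
}

# Constructed, simplified TLS connection log: ts src dst server_name cert_sha1
# (the second record shows a colon-separated, upper-case fingerprint as some
# tools print it; the IPs are documentation ranges).
TLS_LOG = """\
2016-07-18T09:12:01Z 10.0.0.5 203.0.113.10 update.example.net 0ad4f1e3b2c5d6e7f8091a2b3c4d5e6f70819203
2016-07-18T09:12:07Z 10.0.0.5 198.51.100.23 - A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:12:34:56:78
2016-07-18T09:13:44Z 10.0.0.9 192.0.2.77 - deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

# Constructed DNS query log: ts src qname
DNS_LOG = """\
2016-07-18T09:12:00Z 10.0.0.5 update.example.net
2016-07-18T09:15:02Z 10.0.0.9 en.wikipedia.org
2016-07-18T09:15:03Z 10.0.0.9 xk2j9fq7ab3zlmwp.net
2016-07-18T09:15:03Z 10.0.0.9 qzvbxrtnwpkldjsg.com
"""

CERT_RULE_ZEUS = "System Compromise, C&C Communication, Zeus SSL Certificate"
CERT_RULE_GENERIC = "System Compromise, C&C Communication, Known malicious SSL certificate"
DGA_RULE = "System Compromise, C&C Communication, Query to a DGA Domain"


def normalize_fingerprint(fp):
    """Canonical form for comparison: hex digits only, lower case."""
    return fp.replace(":", "").strip().lower()


def match_malicious_certs(tls_log):
    """Return one alert per TLS session whose server certificate is on the blocklist."""
    alerts = []
    for line in tls_log.splitlines():
        ts, src, dst, sni, fp = line.split()
        family = MALICIOUS_CERT_SHA1.get(normalize_fingerprint(fp))
        if family:
            rule = CERT_RULE_ZEUS if family == "Zeus" else CERT_RULE_GENERIC
            alerts.append({"rule": rule, "src": src, "dst": dst, "family": family})
    return alerts


def shannon_entropy(text):
    """Bits per character of the string; random-looking labels score near log2(alphabet)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Naive second-to-last label (assumption: a public-suffix list would be used for real)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn):
    """Heuristic 0..1 score: high entropy, few vowels, many digits and long labels
    are typical of algorithmically generated names. Thresholds are assumptions."""
    label = registrable_label(fqdn)
    if len(label) < 8:          # short labels are too ambiguous to score
        return 0.0
    score = 0.0
    if shannon_entropy(label) >= 3.5:
        score += 0.5
    if sum(label.count(v) for v in "aeiou") / len(label) < 0.25:
        score += 0.3
    if sum(ch.isdigit() for ch in label) / len(label) > 0.2:
        score += 0.2
    if len(label) >= 16:
        score += 0.2
    return min(score, 1.0)


def find_dga_queries(dns_log, threshold=0.7):
    """Return one alert per DNS query whose name scores at or above the threshold."""
    alerts = []
    for line in dns_log.splitlines():
        ts, src, qname = line.split()
        score = dga_score(qname)
        if score >= threshold:
            alerts.append({"rule": DGA_RULE, "src": src, "query": qname, "score": score})
    return alerts


if __name__ == "__main__":
    for alert in match_malicious_certs(TLS_LOG) + find_dga_queries(DNS_LOG):
        print(alert)
```

Fingerprint normalisation matters more than it looks: the same certificate shows up as `A1:B2:...` in one tool and `a1b2...` in another, and an exact-string blocklist silently misses one of them. The entropy heuristic is deliberately cheap and produces false positives on legitimate random-looking hosts (CDN and cloud instance names), so in practice it is a trigger for correlation with other events rather than an alert on its own.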

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that lets users browse the Internet anonymously. It also provides anonymity for servers: these hidden services can normally be reached only from inside the Tor network. Some websites (often called Tor2web gateways) allow access to Tor hidden services from the regular Internet without running a Tor client.

We've updated the correlation rule that detects when a system accesses one of these gateways. Many ransomware schemes use hidden services to receive payments and conduct other malicious activities, so such access from a corporate host deserves a look.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malicious TOR .onion domain

.onion is a special-use top-level domain reserved for hidden services inside the Tor network; names under it cannot be resolved through the public DNS. Several families of malware use hidden services to communicate with their C&C server and usually use a predefined onion domain.

We've updated a correlation rule that groups the IDS signatures that fire when a system tries to resolve a known malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
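The two Tor rules, the Tor Onion Proxy rule in the previous section and the malicious .onion rule here, both hinge on picking an onion name out of a hostname, so one added example serves both. It is not part of this update or of AlienVault's rule set. The gateway list, the malicious onion names, the log lines and the informational "lookup" message are all assumptions made for illustration; the two rule strings are the ones named on this page.

```python
"""Constructed example: classify hostnames seen in DNS queries and HTTP Host headers
as direct .onion lookups or Tor2web-style gateway access, and escalate when the
hidden service is on a blocklist."""
import re

# Assumed list of clearnet gateways that proxy Tor hidden services.
TOR2WEB_GATEWAYS = {"onion.to", "onion.cab", "onion.link", "tor2web.org"}

# Constructed blocklist of hidden services; the names and families are made up.
MALICIOUS_ONIONS = {
    "abcdefghij234567.onion": "Ransomware-A (constructed)",
    "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.onion": "Trojan-B (constructed)",
}

PROXY_RULE = "Environmental Awareness, Anonymous channel, Tor Onion Proxy"
MALICIOUS_RULE = "System Compromise, Malware infection, Malicious TOR .onion domain"
# Constructed informational message, not a USM rule: a .onion name sent to the
# public DNS cannot resolve (resolvers are expected to answer NXDOMAIN), so the
# query itself is the signal.
LOOKUP_NOTE = "Info: .onion name sent to public DNS (cannot resolve)"

# An onion name is 16 (v2) or 56 (v3) base32 characters, followed by ".onion" and,
# for gateway access, the gateway's own domain (e.g. name.onion.to).
_ONION_RE = re.compile(r"(?:^|\.)([a-z2-7]{16}|[a-z2-7]{56})\.(onion(?:\.[a-z0-9.-]+)?)$")

# Constructed log: ts src kind(dns|http) hostname
LOG_LINES = """\
2016-07-19T10:00:01Z 10.0.0.12 dns www.example.com
2016-07-19T10:00:05Z 10.0.0.12 http abcdefghij234567.onion.to
2016-07-19T10:02:13Z 10.0.0.31 dns abcdefghij234567.onion
2016-07-19T10:02:14Z 10.0.0.31 dns ab3d5f7h2j4l6n7p.onion
2016-07-19T10:05:00Z 10.0.0.44 http ab3d5f7h2j4l6n7p.onion.cab
"""


def classify_hostname(host):
    """Return (kind, onion_name, gateway): kind is 'direct', 'proxy' or None.
    A name like x.onion.example.com is ignored because example.com is not a known gateway."""
    match = _ONION_RE.search(host.lower().rstrip("."))
    if not match:
        return (None, None, None)
    onion = match.group(1) + ".onion"
    suffix = match.group(2)
    if suffix == "onion":
        return ("direct", onion, None)
    if suffix in TOR2WEB_GATEWAYS:
        return ("proxy", onion, suffix)
    return (None, None, None)


def detect(log_text):
    """Run the classifier over log lines and emit alerts. Gateway access always raises
    the Environmental Awareness rule; a blocklisted hidden service additionally raises
    the System Compromise rule, whether reached directly or through a gateway."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, kind, host = line.split()
        ctype, onion, gateway = classify_hostname(host)
        if ctype is None:
            continue
        if ctype == "proxy":
            alerts.append({"rule": PROXY_RULE, "src": src, "onion": onion, "gateway": gateway})
        else:
            alerts.append({"rule": LOOKUP_NOTE, "src": src, "onion": onion, "gateway": None})
        family = MALICIOUS_ONIONS.get(onion)
        if family:
            alerts.append({"rule": MALICIOUS_RULE, "src": src, "onion": onion,
                           "gateway": gateway, "family": family})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Matching on the extracted onion name rather than on the full hostname is what lets the malicious-onion rule fire even when the malware, or the victim following a ransom note, goes through a gateway: `abcdefghij234567.onion.to` and `abcdefghij234567.onion` are the same hidden service. Lower-casing before matching is needed because DNS names and Host headers are case-insensitive.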

Updated Detection Technique - Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Unknown Ransomware

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Adware infection, InstallCore
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, Backdoor, Webshell
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, WaterTiger
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Nemucod