Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of March 2016

Emerging Threat - SamSam Ransomware

Cisco Talos has been monitoring a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user-focused attack vectors, such as phishing campaigns and exploit kits. This particular family of ransomware seems to be distributed by compromising servers and then using them as a foothold to move laterally through the network to compromise additional machines, which are then held for ransom. Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam. A particular focus appears to have been placed on the healthcare industry.

We have added IDS signatures and created the following correlation rule to detect SamSam activity:

  • System Compromise, Ransomware infection, SamSam 

Emerging Threat - Maktub Ransomware

Maktub Locker is a ransomware that comes with a well designed GUI and a few interesting features, such as encrypting and compressing files. In addition, the ransomware comes packed in a crypter, and upon execution, it has many benign-looking API calls used to deceive any tools in place to detect malicious behavior, and then it re-writes itself. Maktub's name originates from the Arabic word maktub, which roughly translates to “this is written” or “this is fate”. 

We've added IDS signatures and created the following correlation rule to detect Maktub activity:

  • System Compromise, Ransomware infection, Maktub

New Detection Technique - Browlock Ransomware

Browlock ransomware is a very simple version of ransomware that is currently active. Unlike other ransomware families, it does not encrypt files. This ransomware is simply a webpage with javascript that prevents a user from closing the page. It determines the user’s local country and then makes threats, for example claiming that the user has broken the law by accessing pornography websites and then demanding that they pay a fine to the local police.

We added IDS signatures and created the following correlation rule to detect Browlock activity: 

  • System Compromise, Ransomware infection, Browlock

Last week we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cryptolocker
  • System Compromise, Ransomware infection, HydraCrypt
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Teslacrypt
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - TDrop2

Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the Tdrop malware family discovered in the Operation Troy campaign. (Dark Seoul was the name given to a major cyber attack on South Korea in March 2013 affecting tens of thousands of computer systems in the financial and broadcasting industries. The attack was initially thought to be attributed to North Korea, by way of a Chinese IP found during the attack, but no other strong evidence of North Korea’s involvement has been produced since then. In June 2013, McAfee (pdf warning) published a report detailing the chronology and variance of the Dark Seoul campaign, but renamed it ‘Operation Troy’. The report analyzed the entirety of the purported attack campaign, beginning in 2009 using a family of tools dubbed ‘Troy’.)

In this new attack, attackers embedded the TDrop2 malware inside a legitimate video software package hosted on the software distributor’s website. By doing this, they were able to target organizations that relied on the distributor’s security camera solution and infect their systems with malware.

We've added IDS signatures and created the following correlation rule to detect TDrop2 activity:

  • System Compromise, Targeted Malware, TDrop2

New Detection Technique - FixMe.IT/Techinline

Techinline is a company that provides a remote desktop application called FixMe.IT. While having legitimate uses, it can be leveraged by malicious actors to remotely control computer systems. The following correlation rule has been added to detect that activity:

  • Environmental Awareness, Desktop Software - Remote Desktop, Remote Access Tool - FixMe.IT/Techinline

New Detection Technique - Malware/Suspicious Behavior

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Pawder
  • System Compromise, Malware infection, SpeedBit
  • System Compromise, Trojan infection, ArchBot
  • System Compromise, Trojan infection, Rexpot
  • Environmental Awareness, Suspicious Behaviour, DNS Query to a .ngrok domain

Updated Detection Technique - NetTraveler

NetTraveler (A.K.A. TravNet) is an old piece of malware that has been used by nation state threat actors for over a decade. Most recently it has been used in a spear phishing campaign against Uzbekistan diplomats. Newer versions of NetTraveler use the DLL side-loading technique to load its malicious code. NetTraveler will wait for commands from a command and control (C&C) server and is able to download and execute additional files.

We've added IDS signatures and created the following correlation rule to detect NetTraveler activity:

  • System Compromise, Targeted Malware, NetTraveler

Updated Detection Technique - Dridex

Dridex is a piece of malware designed to steal banking credentials and other personal information on a system to gain access to the financial records of a user. Dridex performs a technique called web injection into the HTML of banking websites and then sends the stolen data to a remote command and control (C&C) server.

We have added several IDS signatures and the following correlation rule that will alert when the system detects Dridex talking to a command and control server:

  • System Compromise, Malware infection, Dridex

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures to include the list of certificates identified by to be associated with malware of botnet activities. The new correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed trough the Tor network and are called hidden services. There are some websites that allow access to Tor hidden services through the Internet without being inside the Tor network. We have created a new correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control to the compromised machine.

We have added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT
  • System Compromise, Malware RAT, Unknown RAT
  • System Compromise, Malware RAT, NanoCore

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Genome
  • System Compromise, Trojan infection, Neshta
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Trojan infection, Nurjax
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Neutrino
  • System Compromise, Trojan infection, Dishigy
  • System Compromise, Trojan infection, AbaddonPOS
  • System Compromise, Trojan infection, MSIL/IRCBot
  • Delivery & Attack, Malicious website, Phishing activity

This week we also added a couple of IDS signatures that enhance our capability to detect the download of Window executables. This resulted in us updating an additional 472 correlation rules.