Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of May 2016

Emerging Threat - Adobe Flash Uncompressed Possible (CVE-2016-4117)

A critical vulnerability, CVE-2016-4117, exists in Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS (the affected version range is given in Adobe's advisory). An attacker who successfully exploits it could crash the application or potentially take control of the affected system, and Adobe reported that an exploit was already circulating in the wild when the fix shipped. Adobe has released an update to patch this vulnerability; since Flash exploits are delivered through the browser, updating clients remains the fix, and the rule below detects delivery attempts on the wire regardless of whether the target is already patched.

We've added IDS signatures and created the following correlation rule to detect CVE-2016-4117:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Uncompressed Possible (CVE-2016-4117)
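The rule name points at content matching on an uncompressed SWF. Flash files on the wire are usually compressed (a `CWS` header means zlib, `ZWS` means LZMA), so a signature written against plaintext SWF structures only fires once the sensor has inflated the file. The Python below is an added example, not code from the original post or from the product's signature set: it parses the 8-byte SWF header, inflates CWS files, validates the declared length against what was actually received, and runs a content check against the inflated body. The sample SWF bodies are constructed placeholders, not real Flash files, and the marker string searched for is an assumption made for the example.

```python
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length
# of the *uncompressed* file (header included).
SWF_HEADER_LEN = 8
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf(data: bytes) -> dict:
    """Parse a SWF header and return the uncompressed body where we can.

    Keys: compression, version, declared_len, body (bytes after the header,
    inflated for CWS; None for ZWS), length_ok (declared length matches the
    body we actually have). Raises ValueError for non-SWF or corrupt input.
    """
    if len(data) < SWF_HEADER_LEN:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        raise ValueError("not a SWF signature: %r" % sig)
    compression = SWF_SIGNATURES[sig]
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    payload = data[SWF_HEADER_LEN:]
    if compression == "none":
        body = payload
    elif compression == "zlib":
        try:
            body = zlib.decompress(payload)
        except zlib.error as exc:
            raise ValueError("CWS payload is not valid zlib: %s" % exc)
    else:
        # ZWS carries an extra 4-byte compressed-length field followed by raw
        # LZMA; decoding it needs more header handling than this example shows.
        body = None
    length_ok = body is not None and SWF_HEADER_LEN + len(body) == declared_len
    return {
        "compression": compression,
        "version": version,
        "declared_len": declared_len,
        "body": body,
        "length_ok": length_ok,
    }


def swf_body_contains(data: bytes, needle: bytes) -> bool:
    """Content check run on the *uncompressed* body, so a pattern that is
    hidden behind CWS compression on the wire is still found."""
    info = parse_swf(data)
    return info["body"] is not None and needle in info["body"]


def build_sample_swf(compressed: bool) -> bytes:
    """Constructed SWF for the example (not a real Flash file): a placeholder
    body carrying a marker string, wrapped in an FWS or CWS header."""
    body = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"  # fake stage/frame fields
            + b"MARKER-TAG" + bytes(20))
    total = SWF_HEADER_LEN + len(body)
    header_tail = bytes([10]) + struct.pack("<I", total)  # version 10, total length
    if compressed:
        return b"CWS" + header_tail + zlib.compress(body)
    return b"FWS" + header_tail + body


if __name__ == "__main__":
    for compressed in (False, True):
        info = parse_swf(build_sample_swf(compressed))
        print(info["compression"], info["version"], info["declared_len"], info["length_ok"],
              swf_body_contains(build_sample_swf(compressed), b"MARKER-TAG"))
```

Feed it the HTTP response body after any Content-Encoding has been removed. A declared length that disagrees with the inflated size is worth alerting on in its own right, since it indicates a truncated or tampered file, and the marker that is plainly visible in the FWS variant is generally not visible in the CWS wire bytes until the file is inflated.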

New Detection Technique - Floxif

Floxif is a family of file-infecting viruses that modify Windows executable and DLL files so that they download and install other malware on the infected computer. The virus spreads by first infecting files that are currently loaded in memory, then searching all executable files on connected drives and infecting those as well.

We've added IDS signatures and created the following correlation rule to detect Floxif:

  • System Compromise, Trojan infection, Floxif

New Detection Technique - Cidox

Cidox is a Trojan that modifies the Initial Program Loader (IPL) in the NTFS boot sector so that the threat is loaded directly from the hard disk at boot. It then writes a malicious driver component into the sectors following the master boot record (MBR), deletes the files it dropped on disk, and restarts the computer, at which point the patched IPL loads the malicious driver into memory. Once loaded, the Trojan monitors several processes (including svchost.exe, iexplore.exe, and firefox.exe) and injects DLL components into them in order to display its own, potentially malicious, HTML content.

We've added IDS signatures and created the following correlation rule to detect Cidox:

  • System Compromise, Trojan infection, Cidox
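The loader sequence described above is what a disk-level check looks for: unexpected code in the sectors between the MBR and the first partition, and a changed NTFS boot sector or IPL. The Python below is an added example, not part of the original post or of the product's own detection. It parses an MBR, hashes the MBR bootstrap code and the first 16 sectors of the NTFS volume (the VBR plus the IPL code that follows it, which is what $Boot normally covers), flags non-zero sectors in the gap after the MBR, and diffs a suspect image against a known-good baseline. The disk image it works on is constructed inline (with a 64-sector gap instead of the usual 2048), as is the "infection".

```python
import hashlib
import struct

SECTOR = 512
NTFS_BOOT_SECTORS = 16   # VBR plus the IPL code after it (what $Boot normally covers)


def parse_mbr(mbr: bytes) -> list:
    """Return the used partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * i + 16]
        ptype = entry[4]
        start_lba, sectors = struct.unpack("<II", entry[8:16])
        if ptype:
            parts.append({"type": ptype, "start_lba": start_lba, "sectors": sectors})
    return parts


def boot_report(image: bytes) -> dict:
    """Summarise the boot-relevant regions of a raw disk image."""
    parts = parse_mbr(image[:SECTOR])
    if not parts:
        raise ValueError("no partitions in MBR")
    first = min(p["start_lba"] for p in parts)
    # Sectors between the MBR and the first partition are normally zero-filled.
    gap_nonzero = [lba for lba in range(1, first)
                   if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    boot_region = image[first * SECTOR:(first + NTFS_BOOT_SECTORS) * SECTOR]
    return {
        "mbr_code_sha256": hashlib.sha256(image[:446]).hexdigest(),
        "first_partition_lba": first,
        "gap_nonzero_sectors": gap_nonzero,
        "is_ntfs": boot_region[3:11] == b"NTFS    ",
        "ntfs_boot_sha256": hashlib.sha256(boot_region).hexdigest(),
    }


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Findings that distinguish `current` from a known-good `baseline`."""
    b, c = boot_report(baseline), boot_report(current)
    findings = []
    if b["mbr_code_sha256"] != c["mbr_code_sha256"]:
        findings.append("MBR bootstrap code changed")
    new_gap = sorted(set(c["gap_nonzero_sectors"]) - set(b["gap_nonzero_sectors"]))
    if new_gap:
        findings.append("new data in the gap after the MBR at sectors %s" % new_gap)
    if b["ntfs_boot_sha256"] != c["ntfs_boot_sha256"]:
        findings.append("NTFS boot sector / IPL code changed")
    return findings


def build_image(infected: bool) -> bytes:
    """Constructed image: MBR, a 63-sector gap, then a minimal NTFS-looking
    volume. Not taken from a real disk; the 'infection' mimics the pattern
    described for Cidox (code after the MBR plus a patched IPL)."""
    start = 64
    img = bytearray((start + NTFS_BOOT_SECTORS) * SECTOR)
    img[0:446] = bytes(range(256)) + bytes(190)          # placeholder boot code
    img[446:462] = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
                    + struct.pack("<II", start, NTFS_BOOT_SECTORS))
    img[510:512] = b"\x55\xaa"
    vbr = start * SECTOR
    img[vbr:vbr + 11] = b"\xeb\x52\x90NTFS    "          # jump + OEM ID
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    ipl = vbr + SECTOR
    img[ipl:ipl + 16] = b"IPL-CODE-PLACEHO"              # stand-in IPL code
    if infected:
        img[2 * SECTOR:2 * SECTOR + 32] = b"MALICIOUS-DRIVER-STUB" + bytes(11)
        img[ipl:ipl + 4] = b"\xe9\x00\x10\x00"             # patched entry jump
    return bytes(img)


if __name__ == "__main__":
    for finding in compare_to_baseline(build_image(False), build_image(True)):
        print(finding)
```

Run it against raw images of the first few megabytes of a disk. Treat the gap check as a heuristic rather than a verdict: legitimate boot managers (GRUB's core.img, some OEM recovery tools) also store code in the gap, so compare against a baseline taken from the same build rather than alerting on any non-zero sector.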

New Detection Technique - DMA Locker

DMA Locker is a ransomware variant that surfaced earlier this year and appears to have affected users only on a small scale. One unusual feature of this variant is that it ships with a built-in decryption function that is exposed in its GUI. The variant is poorly written, however, and crashes often, sometimes before the infected user has been told what happened or how to go about decrypting their files.

We've added IDS signatures and created the following correlation rule to detect DMA Locker:

  • System Compromise, Ransomware infection, DMA Locker

Last week we also updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, NOVO_G0LP3
  • System Compromise, Malware infection, Taplika
  • System Compromise, Trojan infection, Adkor

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries the exploits it carries against the visitor's browser and plugins in order to compromise the machine and install malware on it. This approach is a common attack vector and a major source of infections for end users, and cybercriminals constantly change the patterns in their code to evade detection.

We added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Hunter EK
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Malicious website - Exploit Kit, Malicious Javascript

Updated Detection Technique - Malware SSL Certificates

We added new IDS signatures covering the list of certificates identified as being associated with malware or botnet activity. The following correlation rule uses this information to detect C&C communications related to several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be reached through the Tor network; these are called hidden services. Some websites act as gateways that expose Tor hidden services to the regular Internet, so a client can reach a hidden service without running Tor itself. We have created a new correlation rule that detects when a system accesses one of these gateways. Many ransomware schemes direct victims to such gateways to collect payments and conduct other malicious activity.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Remote Access Tools

A typical attack pattern starts by exploiting a vulnerability and installing malware; the next step often includes installing a Remote Administration Tool (RAT), which the attacker uses to control the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Netwire
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, Unknown RAT

Updated Detection Technique - Derusbi

Derusbi is a trojan with the usual trojan capabilities (e.g. remote access, file management, credential theft) and comes in both server and client variants. Other trojans derived from Derusbi include Sakula and Kakfum. Derusbi uses a custom network handshake to establish communication between server and client and applies basic encryption to the communication channel.

We have added IDS signatures and updated the following correlation rule to detect Derusbi activity:

  • System Compromise, Targeted Malware, Derusbi

Updated Detection Technique - Malicious TOR .onion domain

.onion is a special-use top-level domain suffix for hidden services inside the Tor network; such names are meant to be handled by the Tor client, and RFC 7686 asks ordinary DNS resolvers not to resolve them, so a .onion lookup showing up in DNS logs is itself a signal. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
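Both the onion proxy rule above and this malicious .onion domain rule come down to inspecting the names a host asks its resolver for. The Python below is an added example (not the page's or the product's own rule logic) that serves both sections: it classifies DNS query names into direct .onion lookups, matched against a blocklist, and lookups of clearnet Tor gateways, and runs over a few constructed log lines. The gateway suffix list, the blocklisted address and the log format are all assumptions made for the example; the address regex also accepts the later 56-character v3 onion form, which did not exist at the time of this post.

```python
import re
from typing import Optional

# Clearnet gateways that expose Tor hidden services; assumed list for the example.
ONION_PROXY_SUFFIXES = (".onion.to", ".onion.cab", ".onion.link", ".tor2web.org")
# Stand-in for a feed of known-malicious hidden services (constructed).
MALICIOUS_ONIONS = {"abcdefghijklmnop.onion"}
# v2 addresses are 16 base32 characters; the later v3 form is 56.
ONION_LABEL = re.compile(r"(?:^|\.)([a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def classify_name(qname: str) -> Optional[dict]:
    """Classify a queried name. Returns None if it is unrelated to Tor, else
    {"category": ..., "onion": ..., "blocklisted": bool} where category is
      onion_proxy      - a clearnet gateway such as <addr>.onion.to
      malicious_onion  - a direct .onion lookup for a blocklisted address
      onion_leak       - any other .onion lookup reaching the resolver
    """
    name = qname.rstrip(".").lower()
    for suffix in ONION_PROXY_SUFFIXES:
        if name.endswith(suffix):
            inner = name[: -len(suffix)] + ".onion"   # foo.onion.to -> foo.onion
            m = ONION_LABEL.search(inner)
            onion = m.group(1) + ".onion" if m else inner
            return {"category": "onion_proxy", "onion": onion,
                    "blocklisted": onion in MALICIOUS_ONIONS}
    m = ONION_LABEL.search(name)
    if m:
        onion = m.group(1) + ".onion"
        bad = onion in MALICIOUS_ONIONS
        return {"category": "malicious_onion" if bad else "onion_leak",
                "onion": onion, "blocklisted": bad}
    return None


def scan_dns_log(lines) -> list:
    """Walk resolver log lines in the constructed format
    '<timestamp> <client-ip> <qtype> <qname>' and emit one alert per hit."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        hit = classify_name(qname)
        if hit:
            alerts.append({"ts": ts, "client": client, "qtype": qtype,
                           "qname": qname, **hit})
    return alerts


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2016-05-16T10:01:02Z 10.0.0.5 A www.example.com
2016-05-16T10:01:05Z 10.0.0.5 A abcdefghijklmnop.onion
2016-05-16T10:02:11Z 10.0.0.7 A abcdefghijklmnop.onion.to
2016-05-16T10:03:40Z 10.0.0.9 A zzzzzzzzzzzzzzzz.onion
2016-05-16T10:04:00Z 10.0.0.9 A mail.example.com
""".splitlines()


if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_LOG):
        print(a["client"], a["category"], a["onion"],
              "blocklisted" if a["blocklisted"] else "")
```

The three categories map onto different responses: a blocklisted address (reached directly or through a gateway) is a compromise indicator, while an unlisted .onion lookup leaking to the resolver usually means a misconfigured Tor client or software that is not proxy-aware and deserves a look rather than an incident.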

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, WebServer Attack - SQL Injection, Attack Pattern Detection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Service Exploit, Cisco ASA IKE - CVE-2016-1287
  • System Compromise, Adware infection, InstallCore
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Spyware infection, OpenCandy
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bayrob
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Gozi
  • System Compromise, Trojan infection, Kbot
  • System Compromise, Trojan infection, Unknown trojan