Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of November 2016

New Detection Technique - Cobalt Strike

Cobalt Strike describes itself as "threat emulation software for red teams and penetration testers." It ships with a post-exploitation agent (Beacon) built to simulate APT tradecraft: Beacon can communicate over covert channels, and its Malleable C2 profiles let an operator reshape the HTTP traffic so that it mimics the command-and-control (C2) structure of various real malware families.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike
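One network artefact a hunter can look for without the vendor's signatures is the stager URI. Cobalt Strike's default (non-Malleable) HTTP staging, like Metasploit's reverse_http stagers, picks a URI whose byte sum mod 256 equals a fixed value: 92 for the x86 Beacon stager and 93 for the x64 stager (the "checksum8" convention). The script below is an added example, not part of this update or of Cobalt Strike itself; it applies that check to constructed web-proxy log lines, and the log format, host names and addresses are assumptions made for the example.

```python
"""Checksum8 check for default Cobalt Strike HTTP stager URIs.

Added illustration, not the vendor's IDS signatures. The checksum is the sum
of the URI path's bytes mod 256 with the leading slash excluded (the
Metasploit generate_uri_checksum convention); the query string is not part
of it. 92 marks the x86 stager, 93 the x64 stager.
"""
from urllib.parse import urlsplit

STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def checksum8(path: str) -> int:
    """Sum of the path's bytes mod 256, leading slash excluded."""
    return sum(path.lstrip("/").encode("latin-1")) % 256


def stager_arch(url: str):
    """Return 'x86' or 'x64' when the URL path satisfies the stager checksum,
    otherwise None. An empty path ('/') is skipped rather than scored."""
    path = urlsplit(url).path          # drops "?query" before scoring
    if not path.lstrip("/"):
        return None
    return STAGER_CHECKSUMS.get(checksum8(path))


# Constructed proxy log lines for the example (assumed format):
# "<timestamp> <client> <server> <method> <url>"
SAMPLE_LOG = """\
2016-11-15T10:00:01Z 10.0.0.12 198.51.100.7 GET http://198.51.100.7/WWWW
2016-11-15T10:00:04Z 10.0.0.12 198.51.100.7 GET http://198.51.100.7/WWWX?v=1
2016-11-15T10:00:09Z 10.0.0.34 203.0.113.9 GET http://203.0.113.9/index.html
2016-11-15T10:00:11Z 10.0.0.34 203.0.113.9 GET http://203.0.113.9/
"""


def find_stager_requests(log_text: str):
    """Return (client, server, path, arch) for every request whose path
    scores as a stager URI."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                   # malformed line, ignore
        _ts, client, server, _method, url = fields
        arch = stager_arch(url)
        if arch:
            hits.append((client, server, urlsplit(url).path, arch))
    return hits


if __name__ == "__main__":
    for client, server, path, arch in find_stager_requests(SAMPLE_LOG):
        print("possible Cobalt Strike %s stager download: %s -> %s%s"
              % (arch, client, server, path))
```

Treat a hit as a hunting lead rather than a verdict: a random path lands on 92 or 93 about 2 times in 256, so pair the match with the reputation of the destination and the size and type of the response body, and remember that a Malleable C2 profile, or stageless Beacon payloads, will not produce this artefact at all.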

New Detection Technique - Data Exfiltration Toolkit (DET)

Data Exfiltration Toolkit (DET) is a framework for exfiltrating data over one or more channels, ranging from the usual HTTP or ICMP to "trusted" third-party services such as Twitter or Gmail, which are less likely to be blocked at the perimeter.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Hacking tool, Data Exfiltration Toolkit (DET)

New Detection Technique - FlokiBot

FlokiBot is a banking trojan derived from the leaked Zeus source code. It adds several customizations of its own that let it inject into processes more stealthily and evade detection.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, FlokiBot

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, C&C Communication, TrickBot SSL activity
  • System Compromise, Ransomware infection, Ranscrape
  • System Compromise, Trojan infection, Gentromal

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Invisible to the user, these kits are embedded in websites by attackers (or reached through injected redirects). When a user browses to a page hosting an exploit kit, the kit fingerprints the browser and its plugins and launches every applicable exploit it knows to compromise the machine and install malware. This is a common attack vector and a major source of end-user infections, and the kit authors constantly change the patterns in their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, C&C Communication, Vawtrak SSL Certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate
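The mechanism behind these rules is a fingerprint lookup: Abuse.ch's SSL Blacklist (SSLBL) publishes the SHA1 fingerprint of each certificate seen on a malware C&C server, and a sensor that logs the server certificate of every TLS session can join the two. The script below is an added example, not this update's rules or Abuse.ch code; it assumes SSLBL's CSV layout ("Listingdate,SHA1,Listingreason" with "#" comment lines) and Suricata's EVE "tls" records, whose "fingerprint" field carries the certificate SHA1 as colon-separated hex. The certificates, feed rows and log records are all constructed for the example.

```python
"""Correlate TLS certificate fingerprints from sensor logs with the abuse.ch
SSL Blacklist (SSLBL). Added illustration; feed rows and EVE records are
constructed, and the SSLBL column order and Suricata field names are assumed.
"""
import csv
import hashlib
import json

# Stand-ins for DER-encoded server certificates (constructed bytes, not real certs).
_C2_CERT = b"constructed DER bytes: certificate served by a Gozi C&C"
_BENIGN_CERT = b"constructed DER bytes: certificate of an ordinary web site"


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 of the DER certificate, lowercase hex without separators."""
    return hashlib.sha1(der).hexdigest()


def normalize(fp: str) -> str:
    """Canonical form for comparison: strip colons, lowercase."""
    return fp.replace(":", "").lower()


def colon_hex(hex_fp: str) -> str:
    """Suricata prints fingerprints as aa:bb:cc...; build that form."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2))


# Constructed SSLBL-style feed: comment header, then date,sha1,reason rows.
SSLBL_CSV = ("# Listingdate,SHA1,Listingreason\n"
             "2016-11-14 08:12:31,%s,Gozi C&C\n" % sha1_fingerprint(_C2_CERT))


def load_sslbl(text: str) -> dict:
    """Map normalized SHA1 -> listing reason, skipping comments and blanks."""
    rows = csv.reader(l for l in text.splitlines()
                      if l.strip() and not l.startswith("#"))
    blocklist = {}
    for row in rows:
        if len(row) < 3:
            continue                      # malformed row, ignore
        _date, sha1, reason = row[0], row[1], row[2]
        blocklist[normalize(sha1)] = reason
    return blocklist


# Constructed EVE JSON records: one C2 session, one benign session, one
# non-TLS event that the matcher must ignore.
EVE_LINES = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2016-11-15T09:41:02.000000+0000", "event_type": "tls",
     "src_ip": "10.0.0.21", "dest_ip": "198.51.100.23", "dest_port": 443,
     "tls": {"subject": "CN=localhost", "issuer": "CN=localhost",
             "fingerprint": colon_hex(sha1_fingerprint(_C2_CERT))}},
    {"timestamp": "2016-11-15T09:41:05.000000+0000", "event_type": "tls",
     "src_ip": "10.0.0.21", "dest_ip": "203.0.113.50", "dest_port": 443,
     "tls": {"subject": "CN=www.example.com", "issuer": "CN=Example CA",
             "fingerprint": colon_hex(sha1_fingerprint(_BENIGN_CERT))}},
    {"timestamp": "2016-11-15T09:41:06.000000+0000", "event_type": "http",
     "src_ip": "10.0.0.21", "dest_ip": "203.0.113.50", "dest_port": 80},
])


def match_tls_events(eve_text: str, blocklist: dict) -> list:
    """Return one alert dict per TLS session whose server certificate
    fingerprint is on the blocklist."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue
        fp = normalize(ev.get("tls", {}).get("fingerprint", ""))
        if fp and fp in blocklist:
            alerts.append({"src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
                           "dest_port": ev["dest_port"], "fingerprint": fp,
                           "reason": blocklist[fp]})
    return alerts


if __name__ == "__main__":
    for a in match_tls_events(EVE_LINES, load_sslbl(SSLBL_CSV)):
        print("C&C TLS session %s -> %s:%d (%s, sha1 %s)" % (
            a["src_ip"], a["dest_ip"], a["dest_port"], a["reason"], a["fingerprint"]))
```

The fingerprint is a useful indicator because botnet operators tend to reuse one self-signed certificate across many C&C servers, so the match survives IP and domain changes; it is also brittle in the other direction, since a freshly generated certificate defeats it, which is why these rules sit beside the IP- and domain-based C&C rules rather than replacing them.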

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blog post: "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, IOS_XAGENT

Updated Detection Technique - ScanPOS

A new Point of Sale (POS) malware family, ScanPOS, was recently discovered. It was delivered by a Kronos phishing campaign: the emails carry a document with an embedded malicious macro that downloads the Kronos banking malware, which in turn fetches ScanPOS. ScanPOS performs the same basic task as other POS malware, scraping process memory for payment card track data (it is primarily a credit card dumper), yet at the time of discovery it had a low antivirus detection rate.

We've added IDS signatures and modified the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, ScanPOS

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, Generic
  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Godzilla
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Unknown trojan