Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of October 2016

New Detection Technique - PassCV

PassCV is a very active and successful malware family that leverages a wide array of stolen Authenticode code-signing certificates. PassCV relies heavily on obfuscated and signed versions of older RATs (such as ZxShell and Gh0st RAT) to provide backdoor functionality on affected systems, delivered via phony resumes and curricula vitae (CVs).

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, C&C Communication, PassCV

New Detection Technique - CryPy

CryPy is a new ransomware variant currently active in the wild that is written in the Python language. The name CryPy is derived from a combination of the words 'crypt' and 'Python'. CryPy differs from other ransomware families in that it encrypts each file with its own unique key, instead of using one encryption key for all files. This unique behavior makes decryption of the files more difficult.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, CryPy

We've also added IDS signatures and created a correlation rule to detect other new ransomware activity:

  • System Compromise, Ransomware infection, Exotic

In addition to that, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Asus WRT LAN Command Execution (CVE-2014-9583)
  • System Compromise, Trojan infection, ApolloHTTP
  • System Compromise, Trojan infection, DNtoolz0.BR
  • System Compromise, Trojan infection, Nagram

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blog post: "We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and updated the following correlation rules to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, Targeted Malware, SEDNIT

Updated Detection Technique - TheTrick

TheTrick, sometimes known as TrickBot, is a new malware bot that is believed to have a connection to the well-known banking trojan Dyre. TheTrick has been observed utilizing webinjects to target banks in Australia.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, TheTrick

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Vawtrak SSL Certificate
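As an added illustration of how such certificate-based C&C detection works (this is example code written for this page, not the vendor's IDS signatures or correlation rules), the Python below loads a constructed sample in the layout of the abuse.ch SSL Blacklist CSV export, normalizes certificate SHA-1 fingerprints, and raises an alert named after the rules listed above for every TLS connection whose server certificate is on the list. The log format, the family-to-rule mapping and every fingerprint in it are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed mapping from the malware family named in a listing reason to the
# correlation rule names quoted in this bulletin; any other reason falls
# through to the generic "Known malicious SSL certificate" rule.
FAMILY_RULES = {
    "gootkit": "System Compromise, C&C Communication, Gootkit SSL activity",
    "gozi": "System Compromise, C&C Communication, Gozi SSL Activity",
    "panda banker": "System Compromise, C&C Communication, Panda Banker SSL activity",
    "vawtrak": "System Compromise, C&C Communication, Vawtrak SSL Certificate",
}
GENERIC_RULE = "System Compromise, C&C Communication, Known malicious SSL certificate"

# Constructed sample in the abuse.ch SSL Blacklist CSV layout
# (Listingdate,SHA1,Listingreason). These fingerprints and listings are made
# up for this example; they are not real blacklist entries.
SAMPLE_SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2016-10-17 09:12:41,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Gozi C&C
2016-10-18 14:03:07,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Vawtrak C&C
2016-10-19 08:45:22,cccccccccccccccccccccccccccccccccccccccc,Malware C&C
"""

# Constructed TLS connection records (tab-separated: ts, src_ip, dst_ip,
# dst_port, server_name, cert_sha1), loosely modelled on a Zeek/Bro ssl.log.
# "-" marks a missing field. Fingerprints appear in mixed case and with
# colon separators on purpose, to exercise normalization.
SAMPLE_TLS_LOG = (
    "1476700000.1\t10.0.0.5\t203.0.113.10\t443\tbenign.example\t-\n"
    "1476700001.2\t10.0.0.5\t203.0.113.20\t443\t-\t" + "A" * 40 + "\n"
    "1476700002.3\t10.0.0.7\t198.51.100.8\t8443\t-\t" + ":".join(["bb"] * 20) + "\n"
    "1476700003.4\t10.0.0.9\t198.51.100.9\t443\tshop.example\t" + "d" * 40 + "\n"
)


@dataclass(frozen=True)
class Listing:
    sha1: str
    reason: str
    listed: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    dst_ip: str
    dst_port: int
    sha1: str
    reason: str


def normalize_sha1(fp: str) -> Optional[str]:
    """Return lowercase hex with separators removed, or None if not a SHA-1."""
    if not fp or fp == "-":
        return None
    cleaned = fp.replace(":", "").strip().lower()
    if len(cleaned) != 40 or any(c not in "0123456789abcdef" for c in cleaned):
        return None
    return cleaned


def fingerprint_der(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, the form the blacklist keys on."""
    return hashlib.sha1(der_cert).hexdigest()


def load_blacklist(csv_text: str) -> Dict[str, Listing]:
    """Parse the CSV export into a fingerprint -> Listing lookup table."""
    listings: Dict[str, Listing] = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3 or row[0].startswith("#"):
            continue  # skip comment/header lines and malformed rows
        listed, sha1, reason = (field.strip() for field in row[:3])
        key = normalize_sha1(sha1)
        if key is not None:
            listings[key] = Listing(sha1=key, reason=reason, listed=listed)
    return listings


def rule_for(reason: str) -> str:
    """Pick the family-specific rule when the listing reason names a family."""
    lowered = reason.lower()
    for family, rule in FAMILY_RULES.items():
        if family in lowered:
            return rule
    return GENERIC_RULE


def match_tls_log(lines: Iterable[str], blacklist: Dict[str, Listing]) -> List[Alert]:
    """Emit one Alert per connection whose server certificate is blacklisted."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue  # truncated record: nothing to match on
        _ts, src_ip, dst_ip, dst_port, _sni, fp = fields[:6]
        key = normalize_sha1(fp)
        if key is None or key not in blacklist:
            continue
        listing = blacklist[key]
        alerts.append(Alert(rule_for(listing.reason), src_ip, dst_ip,
                            int(dst_port), key, listing.reason))
    return alerts


if __name__ == "__main__":
    for alert in match_tls_log(SAMPLE_TLS_LOG.splitlines(), load_blacklist(SAMPLE_SSLBL_CSV)):
        print(f"{alert.rule}: {alert.src_ip} -> {alert.dst_ip}:{alert.dst_port} ({alert.reason})")
```

Fingerprint normalization matters in practice: different sensors emit SHA-1 values in upper or lower case, with or without colon separators, and a byte-for-byte string compare would silently miss listed certificates.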

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Tool (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Gh0st
  • System Compromise, Malware RAT, njRAT

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, PlugX DNS channel
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Dexter POS Malware
  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, DiamondFox
  • System Compromise, Trojan infection, Htbot
  • System Compromise, Trojan infection, Unknown trojan