Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of April 2018

New Detection Technique – Oracle WebLogic CVE-2018-2628

This Oracle WebLogic vulnerability was publicly announced on April 18. It affects versions 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3 of Oracle WebLogic. The vulnerability allows Remote Code Execution via a corrupted Java object: an unauthenticated attacker may use it to execute code on the vulnerable server.

A Python exploit is publicly available on GitHub, and scanning for vulnerable Oracle servers has been observed, likely in preparation for real attacks. Oracle has already addressed the issue in a Critical Patch Update.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Oracle WebLogic Proxy Version Check (CVE-2018-2628)

New Detection Technique – RadRAT

RadRAT was first observed in February 2018 by the company Bitdefender, although it has likely been operating since 2015, undocumented by the research community.

This tool offers control over compromised computers. Its remote access capabilities include unfettered control of the compromised machine, advanced lateral movement, and detection evasion mechanisms. It has been used primarily in targeted attacks aimed at exfiltrating information or monitoring victims in large organization networks.

RadRAT’s current command set supports 92 instructions, some of which are only available to one of the two main components, wrpcs.dll or ntmgr2.dll. The attacker has the ability to read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes. Some advanced commands operate on chunks of larger files.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, RadRAT

New Detection Technique – RedDrop

The mobile security company Wandera discovered RedDrop via a link displayed on the Chinese search engine Baidu. Since then, a total of 53 malicious applications have been discovered harbouring this malware variant. It targets Android devices, on which it is installed as an app.

Its capabilities include spyware-like components, data exfiltration, and sensitive data harvesting, including passively recording the device’s audio, photos, contacts, and files. It also automatically sends SMS messages to premium-rate services while the user interacts with the infected apps.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Mobile trojan infection, Android/RedDrop

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Bosleo
  • System Compromise, Trojan infection, MSIL/Eredel Stealer
  • System Compromise, Trojan infection, MSIL/ParaWire
  • System Compromise, Trojan infection, PY.StalkerRAT
  • System Compromise, Trojan infection, Win32/Foniad
  • System Compromise, Trojan infection, Win32/SocStealer

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Suspicious Behaviour, Certutil Retrieving EXE
  • System Compromise, Botnet infection, MSIL/MariaBot
  • System Compromise, Mobile trojan infection, Android TeleRAT
  • System Compromise, Mobile trojan infection, Android/Agent.AGK
  • System Compromise, Mobile trojan infection, Android/Iop.DL
  • System Compromise, Mobile trojan infection, Android/RedDrop

Updated Detection Technique – Hawkeye

Hawkeye keylogger continues to be distributed via malspam in new campaigns. A very high proportion of these campaigns target small and medium-sized businesses.

The lure mimics a bank account notification email (HSBC in recent campaigns) carrying a zip attachment. The malicious attachments normally include a password-stealing component aimed at bank, PayPal, or other financial details, along with email or FTP login credentials.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Hawkeye Keylogger

Updated Detection Technique – Remote Access Tools

This attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added the following correlation rules to detect this activity:

  • System Compromise, Malware RAT, Gh0st
  • System Compromise, Malware RAT, njRAT
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Malware RAT, Xtrat

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, ExtenBro
  • System Compromise, Trojan infection, Invader
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, NSIS/CoinMiner.Downloader
  • System Compromise, Trojan infection, Volt Logger
  • System Compromise, Trojan infection, Win32/Foniad
  • System Compromise, Trojan infection, Win32/Tiggre

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Drupal
  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, Revcode SSL activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Mobile trojan infection, SLocker.PN
  • System Compromise, Mobile trojan infection, Triada.dm
  • System Compromise, Mobile trojan infection, TrojanDropper.Agent.BHH
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Suspicious Behavior, Suspicious user-agent detected