Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of February 2018

New Detection Technique – Jenkins 0 Day

This vulnerability impacts Jenkins versions 2.56 / 2.46.1 LTS and earlier. It allows an unauthenticated attacker to achieve remote code execution. Specifically, an attacker can transfer serialized objects to the Jenkins CLI, bypassing the existing blacklist-based deserialization protection.

To exploit the vulnerability, the attacker needs to send two HTTP requests. The first request creates a valid Jenkins CLI session, enabling communication with the Jenkins server. The second request delivers the malicious serialized object.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Jenkins CLI RCE (CVE-2017-1000353)
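As an added example (not part of this bulletin or of the vendor's rule set), a small correlator in the spirit of the rule above: it pairs the session-setup request with the follow-up payload request on the Jenkins CLI endpoint and notes whether the uploaded body starts with the Java serialization stream header (`AC ED 00 05`). The normalised log layout, the `side`/`session` fields and the 60-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: timestamp, source, method, path, then the request's
# Side and Session values and a hex prefix of the body. Layout is assumed.
SAMPLE_LOG = """\
2018-02-15T10:00:01Z 203.0.113.7 POST /cli side=download session=6f1c-aa41 body=
2018-02-15T10:00:02Z 203.0.113.7 POST /cli side=upload session=6f1c-aa41 body=aced0005
2018-02-15T10:05:00Z 198.51.100.4 GET /job/demo/build side=- session=- body=
2018-02-15T10:07:10Z 192.0.2.9 POST /cli side=download session=0b9e-77cd body=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"side=(?P<side>\S+) session=(?P<session>\S+) body=(?P<body>\S*)$"
)
JAVA_SERIAL_MAGIC = "aced0005"          # hex of the Java serialization header
PAIR_WINDOW = timedelta(seconds=60)     # assumed: setup and payload arrive close together


def parse(log: str) -> List[dict]:
    """Turn the normalised log into dicts; unparseable lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = m.groupdict()
        req["ts"] = datetime.strptime(req["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(req)
    return out


def find_cli_rce_candidates(log: str) -> List[dict]:
    """Flag a 'download' (session setup) followed by an 'upload' (payload)
    on /cli that share a session id within PAIR_WINDOW."""
    setups: Dict[str, dict] = {}
    findings = []
    for req in parse(log):
        if req["path"] != "/cli" or req["session"] == "-":
            continue
        if req["side"] == "download":
            setups[req["session"]] = req
        elif req["side"] == "upload":
            setup = setups.get(req["session"])
            if setup and req["ts"] - setup["ts"] <= PAIR_WINDOW:
                findings.append({
                    "src": req["src"],
                    "session": req["session"],
                    "java_serialized": req["body"].startswith(JAVA_SERIAL_MAGIC),
                })
    return findings
```

A lone `download` request (the last sample line) is not reported; only the completed pair is, which keeps the alert tied to the two-request pattern the rule describes.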

New Detection Technique – Coldroot RAT

Coldroot RAT is a multi-platform remote administration trojan whose source code is freely available on GitHub. Coldroot started as a project for macOS but was expanded to run on Linux and Windows as well. It is poorly detected by anti-virus vendors.

Once a machine is compromised, Coldroot executes a payload written in Pascal. The malware can then spawn new remote desktop sessions, take screen captures, and start and kill processes on the target system. It can also exfiltrate files.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Coldroot RAT 

New Detection Technique – KovCoreG

KovCoreG is the group behind Kovter, which first appeared in 2011 and is still popular in malvertising campaigns in 2018. During these campaigns, social engineering is used to distribute the Kovter ad fraud malware.

Before Kovter, KovCoreG distributed other known malware projects, such as Zaccess/SecurityShield, Redkit EK, and Sakura EK.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, KovCoreG

New Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, KovCoreG SSL Certificate
  • System Compromise, C&C Communication, Kovter SSL Certificate

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Agent.PHK
  • System Compromise, Trojan infection, AridViper
  • System Compromise, Trojan infection, AvIsDead
  • System Compromise, Trojan infection, Banker IcedID 
  • System Compromise, Trojan infection, CrabbMiner 
  • System Compromise, Trojan infection, CTUA.Miner 
  • System Compromise, Trojan infection, Downloader.GEJ 
  • System Compromise, Trojan infection, Downloader.Nurevil 
  • System Compromise, Trojan infection, Jjurpip 
  • System Compromise, Trojan infection, Know Malicious Redirector 
  • System Compromise, Trojan infection, Kykysh.ITW 
  • System Compromise, Trojan infection, MSIL/PSK Stealer
  • System Compromise, Trojan infection, Namiligo.A
  • System Compromise, Trojan infection, PS/CoinMiner 
  • System Compromise, Trojan infection, Reyptson Ransomware
  • System Compromise, Trojan infection, SmsThief.jz
  • System Compromise, Trojan infection, Threadkit
  • System Compromise, Trojan infection, USR-KL Downloader 

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Configuration Changed, D-Link WesternDigital NAS Backdoor account usage
  • Exploitation & Installation, Configuration Changed, Loftek Nexus Suspicious User Modification
  • Exploitation & Installation, Malicious website - Exploit Kit, OceanLotus Exploit Kit
  • Exploitation & Installation, Targeted Malware, Backdoor.Spoofrand 
  • Exploitation & Installation, Targeted Malware, Flash CVE-2018-4871
  • Exploitation & Installation, Targeted Malware, RGDOOR 
  • System Compromise, Adware infection, Adware.Temonde 
  • System Compromise, Adware infection, Linkury Toolbar
  • System Compromise, Backdoor, Backdoor Small[.]ao
  • System Compromise, Botnet infection, AfraidBeefcake IRC
  • System Compromise, Malware RAT, APT37 ZUMKONG
  • System Compromise, Mobile trojan infection, Android Rootnik-AI 
  • System Compromise, Mobile trojan infection, Android/Agent.ATW
  • System Compromise, Mobile trojan infection, Android/Coinminer.V 
  • System Compromise, Mobile trojan infection, Anubis Android Loader
  • System Compromise, Mobile trojan infection, Brazilian Whatsapp Trojan 

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Evrial
  • System Compromise, Trojan infection, MuddyWater APT
  • System Compromise, Trojan infection, Win32/FileTour Variant
  • System Compromise, Trojan infection, Win32/Leviwa

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, Bateleur SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, Shifr
  • System Compromise, Ransomware infection, Shurl0cker