Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of March 2018

New Detection Technique – Comnie

Comnie, previously called Sophos, is a backdoor trojan first observed in the wild in 2013. Initial campaigns focused on South Korea and Taiwan, but more recent campaigns have targeted a wider set of nations in South East Asia. Comnie is well known for abusing online blogs and third-party services, such as github.com or tumblr.com, for command and control (C&C).

This malware is normally distributed via email attachments that contain malicious macros. Once executed, it loads an embedded bitmap file and decrypts the data with RC4; the RC4 key itself is stored in a BMP file. To hinder security software running on the machine, it moves itself to the system temporary folder and deletes the original file. It also contains logic to evade antivirus products that may be installed on the machine.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Comnie

New Detection Technique – Ladon

Ladon ransomware, discovered in the wild in March 2018, uses AES encryption and demands a ransom of $200-300 in BTC. After execution on a Windows machine, it encrypts files on the system, marking them with the .ladon extension, and replaces the desktop background image with the payment instructions.

In addition, the victim is given a CONTACTID number to quote during payment. This may be intended to convince the victim that their files will actually be recovered.

It has been observed spreading by breaking into RDP configurations and through spam email with malicious attachments.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Win32/Ladon

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Aliba
  • System Compromise, Trojan infection, MSIL/FasTofu Miner
  • System Compromise, Trojan infection, MSIL/PCsinfect Stealer
  • System Compromise, Trojan infection, MsraMiner
  • System Compromise, Trojan infection, Sdbmine Monero Miner
  • System Compromise, Trojan infection, W32/Pedido.BR Dropper
  • System Compromise, Trojan infection, Win32/Agent.xxxyeb
  • System Compromise, Trojan infection, Win32/Escad Variant
  • System Compromise, Trojan infection, Win32/FileTour.Downloader
  • System Compromise, Trojan infection, Win32/Prilex

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, C&C Communication, Cobalt Group
  • System Compromise, C&C Communication, URLZone
  • System Compromise, Mobile trojan infection, Android/Inmobi.D
  • System Compromise, Mobile trojan infection, Android/LockScreen.Jisut.AP
  • System Compromise, Mobile trojan infection, Android/TrojanDropper.Shedun.V
  • System Compromise, Mobile trojan infection, TrojanDropper.Agent.BHH

Updated Detection Technique – Unlock92

Unlock92, first discovered in mid-2017, has been used in new ransom campaigns in Europe and North Asia. It adds the ".block", ".kukaracha", ".blocked", ".CRRRT" and ".CCCRRRPPP" extensions to the encrypted files.

The message with the instructions urges the user to send the file key.bin (which is placed in every system folder containing encrypted files) to the address unlock92@india[.]com or unlckr@protonmail[.]com in order to receive further payment instructions.

The ransomware uses the RSA-2048 asymmetric algorithm to encrypt files with common extensions, so a public/private key pair is generated during the process; the private key is later stored on remote C&C servers. To reduce encryption time, Unlock92 only encrypts the first 0x300 bytes of each file.
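The header-only encryption and the indicators listed above give responders a cheap way to triage a file share. The following is an added example (not part of the original update, and not an AlienVault or vendor tool) that flags files by the Unlock92 extensions, the dropped key.bin, and the entropy signature of a file whose first 0x300 bytes are encrypted while the rest is untouched; the sample files and the 7.0-bit entropy threshold are constructed assumptions.

```python
import math
from collections import Counter
from pathlib import PurePath

# Indicators taken from the advisory text above.
UNLOCK92_EXTENSIONS = {".block", ".kukaracha", ".blocked", ".crrrt", ".cccrrrppp"}
KEY_FILE_NAME = "key.bin"
ENCRYPTED_PREFIX = 0x300   # Unlock92 encrypts only the first 0x300 bytes of each file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random bytes, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_partially_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """True when the 0x300-byte header is high-entropy but the remainder is not,
    the footprint of an encryptor that touches only the start of each file."""
    head, tail = data[:ENCRYPTED_PREFIX], data[ENCRYPTED_PREFIX:]
    if len(head) < ENCRYPTED_PREFIX or len(tail) < 64:
        return False  # too small to compare the two regions meaningfully
    return shannon_entropy(head) >= threshold and shannon_entropy(tail) < threshold


def classify_file(name: str, data: bytes) -> list:
    """Return the reasons (possibly none) a file should be flagged for review."""
    reasons = []
    p = PurePath(name)
    if p.name == KEY_FILE_NAME:
        reasons.append("ransom key file present")
    if p.suffix.lower() in UNLOCK92_EXTENSIONS:
        reasons.append(f"Unlock92 extension {p.suffix}")
    if looks_partially_encrypted(data):
        reasons.append("header-only encryption pattern (first 0x300 bytes high entropy)")
    return reasons


def scan(files: dict) -> dict:
    """files maps path -> content bytes; returns only flagged paths with their reasons."""
    findings = {}
    for path, data in files.items():
        reasons = classify_file(path, data)
        if reasons:
            findings[path] = reasons
    return findings


def build_samples() -> dict:
    """Constructed sample files (hypothetical, not real victim data) covering each indicator."""
    enc_head = bytes(range(256)) * 3                  # 0x300 bytes with entropy exactly 8.0
    text = b"Quarterly figures: revenue up, costs flat. " * 60
    return {
        "docs/report.docx.blocked": enc_head + text,  # renamed and header-encrypted
        "docs/key.bin": bytes(range(256)),            # key file dropped beside victims
        "docs/notes.txt": text,                       # untouched file, must not flag
        "docs/in_progress.xlsx": enc_head + text,     # hypothetical: encrypted, not renamed
    }
```

In practice, scan() would be fed by a directory walk that reads each file's bytes; the entropy heuristic also catches files the extension list misses.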

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Ransomware infection, Unlock92

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website - Exploit Kit, GrandSoft
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL Activity
  • System Compromise, C&C Communication, Sofacy
  • System Compromise, C&C Communication, URLzone SSL Certificate
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Malware RAT, QRat
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Ransomware infection, WannaCry
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, PS/CoinMiner
  • System Compromise, Trojan infection, Trickbot