Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of May 2018

New Detection Technique - VPNFilter

VPNFilter is a botnet infection that targets routers from a variety of manufacturers; currently, the list of known affected vendors includes Linksys, MikroTik, Netgear, QNAP, and TP-Link. The FBI has taken control of a domain used to control the malware, though many routers will remain infected. 

The malware is capable of supporting both intelligence gathering and destructive cyberattack operations. Its activity involves three stages. The first stage ensures persistence and enables the deployment of the stage 2 malware. 

The second stage provides the capabilities of an intelligence-collection platform, such as file collection, command execution, data exfiltration, and device management, along with a self-destruct capability that overwrites critical portions of the device's firmware. The third stage includes a traffic sniffer and a Tor communication plugin, with a high likelihood that there are additional modules that have not yet been discovered. 

Talos claims that VPNFilter has infected at least 500,000 networking devices, though the number may be lower due to the way dynamic IP addresses are recorded.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Trojan infection, Unix/VPNFilter

New Detection Technique - DKMC

DKMC (Don't Kill My Cat) is an evasion tool publicly available on GitHub. It generates obfuscated shellcode stored inside images. The main idea behind this technique is to avoid sandbox analysis, because the resulting file looks like an ordinary, legitimate image. The tool embeds a PowerShell payload inside BMP image files.

The default image provided by the tool is a cat photo in BMP format, which gives the tool its name. The authors intend to support further file formats (and shellcode scripts) in the future.
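As an added illustration of the kind of file-level check a defender can run on images that arrive through mail or web downloads, the script below parses the BMP headers and reports structural anomalies (declared size that disagrees with the real size, bytes trailing the pixel array, an image-size field that disagrees with the geometry) and cleartext PowerShell fragments inside the pixel data. This is example code written for this update, not DKMC's code and not the IDS signatures mentioned above; the marker list, the sample images and the BMP builder are constructed here, and because the page notes that the payload is obfuscated, these heuristics are assumed to catch only the crude cases and are meant to complement, not replace, the signature-based detection.

```python
import struct

# Cleartext PowerShell fragments worth flagging if they appear inside image data.
# Constructed list for this example; an obfuscated payload will not contain them.
SUSPICIOUS_MARKERS = (b"powershell", b"-enc", b"iex", b"frombase64string", b"new-object")

BMP_FILE_HEADER = "<2sIHHI"    # magic, file size, reserved, reserved, pixel-array offset
BMP_INFO_HEADER = "<IiiHHII"   # header size, width, height, planes, bpp, compression, image size


def build_bmp(width, height, pixel_bytes=None, extra=b""):
    """Construct a minimal 24-bit BMP as sample input (constructed, not a real-world file)."""
    stride = ((width * 24 + 31) // 32) * 4          # rows are padded to 4-byte boundaries
    pixel_size = stride * height
    if pixel_bytes is None:
        pixel_bytes = bytes(pixel_size)
    pixel_bytes = pixel_bytes.ljust(pixel_size, b"\x00")[:pixel_size]
    offset = 14 + 40
    file_header = struct.pack(BMP_FILE_HEADER, b"BM", offset + pixel_size, 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_size,
                              2835, 2835, 0, 0)
    return file_header + info_header + pixel_bytes + extra


def inspect_bmp(data):
    """Return a list of findings; an empty list means no anomaly was seen."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file (bad magic or truncated header)"]
    _, declared_size, _, _, offset = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    _, width, height, _, bpp, compression, image_size = struct.unpack_from(BMP_INFO_HEADER, data, 14)
    if bpp not in (1, 4, 8, 16, 24, 32):
        findings.append(f"unusual bit depth {bpp}")
        return findings
    # Height may be negative for top-down bitmaps, hence abs().
    stride = ((abs(width) * bpp + 31) // 32) * 4
    expected_pixels = stride * abs(height)
    expected_end = offset + expected_pixels
    if declared_size != len(data):
        findings.append(f"header declares {declared_size} bytes, file is {len(data)}")
    if len(data) > expected_end:
        findings.append(f"{len(data) - expected_end} trailing bytes after the pixel array")
    if compression == 0 and image_size not in (0, expected_pixels):
        findings.append(f"image size field {image_size} disagrees with geometry ({expected_pixels})")
    body = data[offset:].lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker in body:
            findings.append(f"cleartext marker {marker.decode()!r} inside image data")
    return findings


if __name__ == "__main__":
    samples = {
        "clean": build_bmp(2, 2),
        "appended": build_bmp(2, 2, extra=b"powershell -enc QQBBAA=="),
        "embedded": build_bmp(8, 8, pixel_bytes=b"IEX (New-Object Net.WebClient)"),
    }
    for name, blob in samples.items():
        print(name, "->", inspect_bmp(blob) or "no findings")
```

The "appended" sample trips both the size checks and the marker scan; the "embedded" sample has a perfectly consistent header and is caught only by the marker scan, which is the case an obfuscated payload would slip past, so the size checks should be read as a cheap first filter rather than a verdict.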

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Attack Tool detected, DKMC Evasion Tool

New Detection Techniques - Mobile Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Mobile trojan infection, Monitor.AndroidOS.Agent.cr
  • System Compromise, Mobile trojan infection, RiskTool.AndroidOS.SMSreg.pf
  • System Compromise, Mobile trojan infection, Trojan-Banker.AndroidOS.Wroba.al
  • System Compromise, Mobile trojan infection, Trojan.Android.CracApp
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Boogr.gsh

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Bateleur
  • System Compromise, Trojan infection, MSIL/DomainX PWS
  • System Compromise, Trojan infection, MSIL/Supreme Miner
  • System Compromise, Trojan infection, MSIL/u24 Keylogger
  • System Compromise, Trojan infection, Win32/Nocturnal
  • System Compromise, Trojan infection, Win32/Vibem.C

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Delivery & Attack, Malicious website, Coinhive
  • Delivery & Attack, Malware infection, JS WebSocket Miner
  • Delivery & Attack, Trojan infection, Win32/Wakuang
  • System Compromise, Botnet infection, Win32/VBbot.M

Updated Detection Technique - SocketPlayer

SocketPlayer is a remote access tool that appeared on the scene earlier this year. Recently, the website for the Indian Border Security Force was compromised and used to distribute the malware. 

The malware is delivered as two components: SocketPlayer Main and Loader. Apart from RAT capabilities, the malware has been used to send fake emails pretending to be from Mumbai’s United Services Club. It can access the victim’s contact list through a mail client such as Outlook.

We've added IDS signatures and the following correlation rule to detect this activity: 

  • System Compromise, Malware RAT, MSIL/SocketPlayer RAT

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Bateleur SSL activity
  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
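To show what the certificate-based rules above do in principle, here is an added example (written for this update, not the platform's own rule logic) that loads a fingerprint blocklist and matches it against TLS session records. The blocklist text uses the "Listingdate,SHA1,Listingreason" column layout of the abuse.ch SSL Blacklist CSV export, which is an assumption about that feed; the fingerprints are constructed by hashing labels rather than taken from real certificates, the log-line format is invented for the example, and the matching normalises colon-separated and upper-case fingerprints and skips sessions where no server certificate was observed.

```python
import csv
import hashlib
import io
import re


def _fake_sha1(label):
    """Constructed fingerprint: SHA-1 of a label, standing in for a real certificate hash."""
    return hashlib.sha1(label.encode()).hexdigest()


# Constructed blocklist, same columns as the abuse.ch SSLBL CSV export (assumption).
BLOCKLIST_CSV = "\n".join([
    "# Constructed sample for this example",
    "# Listingdate,SHA1,Listingreason",
    f"2018-05-14 09:12:03,{_fake_sha1('constructed-bateleur')},Bateleur C&C",
    f"2018-05-16 17:40:55,{_fake_sha1('constructed-cobalt')},Cobalt Group C&C",
])

# Constructed TLS session records; the key=value layout is an assumption for this example.
COLON_FORM = ":".join(re.findall("..", _fake_sha1("constructed-cobalt")))
SAMPLE_LOG = [
    f"2018-05-20T10:02:11Z src=10.0.0.12 dst=203.0.113.5:443 sni=cdn.example.invalid sha1={_fake_sha1('constructed-benign')}",
    f"2018-05-20T10:02:19Z src=10.0.0.12 dst=198.51.100.7:443 sni=- sha1={_fake_sha1('constructed-bateleur').upper()}",
    "2018-05-20T10:02:30Z src=10.0.0.31 dst=192.0.2.9:443 sni=- sha1=-",   # no server certificate seen
    f"2018-05-20T10:03:02Z src=10.0.0.44 dst=198.51.100.20:8443 sni=- sha1={COLON_FORM}",
]


def normalise_fingerprint(value):
    """Accept 'ab:cd:..' or 'ABCD..' and return lowercase hex, or None if it is not a SHA-1."""
    hexstr = value.replace(":", "").lower()
    return hexstr if re.fullmatch(r"[0-9a-f]{40}", hexstr) else None


def load_blocklist(text):
    """Parse the CSV into {sha1: (listing_date, reason)}, ignoring comment and blank lines."""
    rows = csv.reader(line for line in io.StringIO(text)
                      if line.strip() and not line.startswith("#"))
    table = {}
    for row in rows:
        if len(row) != 3:
            continue
        listing_date, sha1, reason = row
        fp = normalise_fingerprint(sha1)
        if fp:
            table[fp] = (listing_date, reason)
    return table


KV = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def detect_known_bad_certs(log_lines, blocklist):
    """Return one alert per session whose server certificate fingerprint is on the blocklist."""
    alerts = []
    for line in log_lines:
        fields = parse_log_line(line)
        fp = normalise_fingerprint(fields.get("sha1", ""))
        if fp is None or fp not in blocklist:
            continue
        listed, reason = blocklist[fp]
        alerts.append({"ts": fields["ts"], "src": fields["src"], "dst": fields["dst"],
                       "sha1": fp, "reason": reason, "listed": listed})
    return alerts


if __name__ == "__main__":
    for alert in detect_known_bad_certs(SAMPLE_LOG, load_blocklist(BLOCKLIST_CSV)):
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']} matches {alert['reason']} (listed {alert['listed']})")
```

Matching on the certificate fingerprint rather than on the destination IP or SNI is what lets a rule like "Known malicious SSL certificate" keep firing when the C&C infrastructure moves but the operators keep reusing the same certificate; the flip side is that it does nothing for a session whose certificate was never captured, so the skipped third record should be counted as a visibility gap, not as a clean session.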

Updated Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Comisproc
  • System Compromise, Trojan infection, LokiBot
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, Trickbot

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, VOIP Service - Hacking Tool, Tech Support Phone Scam
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware RAT, Remcos/Remvio
  • System Compromise, Mobile trojan infection, Anubis Android Loader
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Targeted Malware, StrongPity