Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of November 2017

New Detection Technique – Android.Backdoor Lazarus

A new threat in the wild has been discovered by the McAfee research team, affecting the Android platform. The malware contains a backdoor file in Executable and Linkable Format (ELF). It masquerades as a legitimate Google Play application for reading the Bible in Korean. According to the research team, the tactics used by the malware are similar to those of the Lazarus group, and this could very well be the Lazarus group's entry into the mobile malware world.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Android.Backdoor Lazarus

New Detection Technique – Tizen

A trojan has been discovered that affects Tizen OS. Tizen is an operating system that runs on Family Hub IoT devices, including common household appliances such as refrigerators, ovens, and vacuum cleaners. The malware focuses on network reconnaissance and data harvesting. Variants of this malware can also target Android devices.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Tizen

New Detection Technique – MSIL/Agent.ATK

This trojan is a variant of MSIL.DIZTAKUN.ATK. It typically targets Windows installations. It collects sensitive system information such as OS version, installed antivirus, username, and screenshots. It also logs keystrokes and acts as a password stealer, and it can transmit the collected information via FTP and/or SMTP.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, MSIL/Agent.ATK

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware RAT, MSIL/Agent.NJ

Updated Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, TrickBot SSL Activity
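As an added illustration of how a certificate-blocklist detection of this kind works (example code, not the vendor's IDS signatures or rules), the following matches TLS connection records against an Abuse.ch-style SSL blocklist. The blocklist text assumes the SSLBL CSV layout (listing date, certificate SHA1, listing reason); all fingerprints, IPs and log lines are constructed placeholders.

```python
import csv
import io
from collections import namedtuple

# Constructed blocklist in the shape of the Abuse.ch SSLBL CSV export (assumed layout:
# listing date, SHA1 fingerprint of the server certificate, listing reason).
# The fingerprints below are made-up placeholders, not real indicators.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2017-11-13 09:12:44,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,TrickBot C&C
2017-11-14 17:03:10,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Gootkit C&C
"""

# Constructed TLS connection records as a sensor might log them:
# timestamp, source IP, destination IP:port, server certificate SHA1.
# Fingerprints arrive in mixed case and with or without colons, so normalize them.
TLS_LOG = """2017-11-15 10:00:01,10.0.0.5,203.0.113.7:443,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2017-11-15 10:00:02,10.0.0.6,198.51.100.3:443,cccccccccccccccccccccccccccccccccccccccc
2017-11-15 10:00:03,10.0.0.7,203.0.113.9:8443,bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb
"""

Alert = namedtuple("Alert", "rule src dst reason")

def normalize(fp):
    """Lowercase hex without separators; returns None if not a well-formed SHA1."""
    fp = fp.replace(":", "").strip().lower()
    return fp if len(fp) == 40 and all(c in "0123456789abcdef" for c in fp) else None

def load_blocklist(text):
    """Return {sha1: listing reason} from SSLBL-style CSV, skipping comment lines."""
    entries = {}
    for row in csv.reader(line for line in io.StringIO(text) if not line.startswith("#")):
        if len(row) != 3:
            continue
        _date, sha1, reason = row
        key = normalize(sha1)
        if key:
            entries[key] = reason
    return entries

def rule_for(reason):
    """Map the listing reason to the correlation rule name raised for the hit."""
    if "trickbot" in reason.lower():
        return "System Compromise, C&C Communication, TrickBot SSL Activity"
    return "System Compromise, C&C Communication, Known malicious SSL certificate"

def match_tls_log(log_text, blocklist):
    """Return one Alert per connection whose server certificate is on the blocklist."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue
        _ts, src, dst, sha1 = row
        reason = blocklist.get(normalize(sha1))
        if reason:
            alerts.append(Alert(rule_for(reason), src, dst, reason))
    return alerts
```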

Updated Detection Technique – Beaugrit

Beaugrit is a trojan that targets Windows systems. It disrupts normal system behavior with repeated pop-up messages, or even blue screen crashes. It also repeatedly displays fake security alerts demanding payment or inviting users to download executable files. It has been found to operate as part of a larger rootkit mechanism. It is commonly installed through malicious web advertisements and promotional emails.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Beaugrit

Updated Correlation Rules

We've also updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Trojan infection, Gootkit