Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of September 2016

New Detection Technique - Libyan Scorpions

Libyan Scorpions is the name given to a group of attackers responsible for spreading malware targeting Android devices in Libya. The group uses the Telegram messaging application as its main distribution method for phishing attacks. Once an account is compromised, it sends a malicious APK file to all of the user's contacts, pretending to be an important voicemail. Once the APK is opened, the mobile device is infected, and the attackers have nearly full control of the device's applications.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Libyan Scorpions

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Loki Bot

Updated Detection Technique - Bolek

Bolek is a malware family discovered earlier this year that appears to be similar to Carberp. This banking trojan appears to be targeting Russian banks and Bitcoin sites, but has advanced capabilities that could enable it to target a wider range of financial entities.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Bolek

Updated Detection Technique - Shifu

Shifu is an advanced banking trojan uncovered by IBM Security X-Force. The trojan borrows some of its features (such as evasion, obfuscation, and configuration files) from other well-known malware such as Gozi, Zeus, and Dridex. Shifu also has the ability to detect whether or not it has landed on a point-of-sale system, in which case it deploys a RAM-scraping plugin to extract "track 1" and "track 2" data from payment cards. Another advanced characteristic of this trojan is that it blocks the ability for other malware to be installed, and sends a copy of any attempted installations back to the command and control (C&C) server.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Shifu

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blog post: "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and updated the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 EK

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Qadars SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, C&C Communication, Zeus SSL Certificate
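The kind of check these rules perform, as an added example that is not part of the original update or the product's own rule logic: TLS connection records are matched on the server certificate's SHA1 fingerprint against a denylist in the three-column layout (listing date, SHA1, reason) that the Abuse.ch SSL Blacklist CSV uses. Both the denylist entries and the log records below are constructed, and the log field names are assumptions.

```python
import csv
import json
from typing import Dict, List

# Constructed denylist in the Abuse.ch SSL Blacklist CSV layout
# (listing date, SHA1, listing reason). The fingerprints are made up.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2016-09-12 10:04:31,0000000000000000000000000000000000000001,Gozi C&C
2016-09-14 08:22:07,0000000000000000000000000000000000000002,Zeus C&C
"""

# Constructed TLS connection records (JSON lines), one per observed
# server certificate. Field names are assumptions for this example.
TLS_LOG = """
{"ts": "2016-09-15T09:00:01Z", "src": "10.0.0.7", "dst": "203.0.113.5", "sha1": "0000000000000000000000000000000000000001"}
{"ts": "2016-09-15T09:00:02Z", "src": "10.0.0.8", "dst": "198.51.100.9", "sha1": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
{"ts": "2016-09-15T09:00:03Z", "src": "10.0.0.7", "dst": "203.0.113.6", "sha1": "0000000000000000000000000000000000000002"}
"""


def load_denylist(text: str) -> Dict[str, str]:
    """Map lowercase SHA1 fingerprint -> listing reason, skipping '#' comment lines."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {sha1.strip().lower(): reason.strip()
            for _date, sha1, reason in csv.reader(rows)}


def match_certificates(log_text: str, denylist: Dict[str, str]) -> List[dict]:
    """Return one alert per TLS record whose server certificate is on the denylist."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reason = denylist.get(rec["sha1"].lower())  # case-insensitive fingerprint match
        if reason:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "dst": rec["dst"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in match_certificates(TLS_LOG, load_denylist(SSLBL_CSV)):
        print(f"{a['ts']} {a['src']} -> {a['dst']}: "
              f"known malicious SSL certificate ({a['reason']})")
```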

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK
  • Exploitation & Installation, Malicious website - Exploit Kit, BleedingLife
  • Exploitation & Installation, Malicious website - Exploit Kit, Job314

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, Targeted Malware, Unknown APT
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Troldesh
  • System Compromise, Trojan infection, Fareit
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Pony