Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of April 2016

Emerging Threat - TrueCrypter

TrueCrypter is a new piece of ransomware recently discovered by AVG. The ransomware encrypts the user’s data using AES-256 encryption and demands payment with Amazon gift cards or bitcoins. Decrypting the data seems trivial as the user only needs to click on the pay button in order to regain access to the files that were held for ransom.

We've added new IDS signatures and created the following correlation rule to detect TrueCrypter activity:

  • System Compromise, Ransomware infection, TrueCrypter

Emerging Threat - Fwits

BAE Systems has identified malware believed to be used in a February 2016 attack targeting the SWIFT payment system of a bank in Bangladesh that attempted to steal $951 million. The advanced malware is thought to be part of a wider attack toolkit used in the bank attack that aided in the cover-up and evasion of detection. The tools uncovered are highly configurable and could be used for similar attacks against other financial institutions.

We've added new IDS signatures and created the following correlation rule to detect Fwits activity:

  • System Compromise, Targeted Malware, Fwits

New Detection Technique - Routersploit Framework

The Routersploit Framework is an open source exploitation tool dedicated to embedded devices. The intended use of the tool is to aid in penetration testing operations. It has several unique modules that can check for known vulnerabilities on a device, test credentials against network services, and attempt to take advantage of identified vulnerabilities.

We've added IDS signatures and created a correlation rule to detect Routersploit Framework activity:

  • Exploitation & Installation, Service Exploit, Routersploit framework

New Detection Technique - BrLock Screenlocker

BrLock is a newly discovered ransomware written in .NET that is targeting users in Russia. Once a machine is infected with the ransomware, a shutdown command is issued, and upon reboot, a browser window takes over the screen demanding a ransom be paid in order to access the system again. The task manager and explorer processes are also killed, preventing the user from getting rid of the ransom screen.

We've added new IDS signatures and created a correlation rule to detect BrLock Screenlocker activity:

  • System Compromise, Ransomware infection, BrLock Screenlocker

In addition, we updated some correlation rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The new correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Mizzmo SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity

In addition to that, we updated correlation rules and added new IDS signatures to improve the detection of previously known Malicious SSL Certificates:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Gofarer
  • System Compromise, Trojan infection, Hancitor
  • System Compromise, Trojan infection, Jupiter Banker

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added new IDS signatures and the following correlation rules to detect RAT activity:

  • System Compromise, Malware RAT, Gh0st
  • System Compromise, Malware RAT, PCRat
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added new IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites act as proxies, allowing access to Tor hidden services from the Internet without the client being inside the Tor network. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

We've created a new correlation rule that will detect when a system is accessing one of these services: 

  • System Compromise, Malware infection, Malicious TOR .onion domain
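
The following is an added illustration, not the vendor's correlation rule: a heuristic that scans DNS or proxy log lines for hostnames in which a hidden-service label (16 or 56 base32 characters) appears as a subdomain of an ordinary Internet domain. The log format, the gateway domains and the onion label are constructed for the example.

```python
import re

# Hidden-service labels are base32 (a-z, 2-7): 16 chars (v2) or 56 chars (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

def onion_proxy_hit(hostname):
    """Return (onion_label, gateway_domain) when hostname looks like a
    clearnet proxy for a hidden service, otherwise None."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-1] == "onion":
        return None  # native Tor name, not a request to a clearnet proxy
    for i, label in enumerate(labels[:-1]):
        if not ONION_LABEL.match(label):
            continue
        rest = labels[i + 1:]
        if rest[0] == "onion":       # form: <label>.onion.<gateway>
            rest = rest[1:]
        if len(rest) >= 2:           # need at least <gateway>.<tld> after the label
            return label, ".".join(rest)
    return None

def scan(log_text):
    """Parse 'timestamp src_ip hostname' lines and return one
    (src_ip, onion_label, gateway) tuple per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                 # skip malformed lines
        _, src_ip, host = fields
        hit = onion_proxy_hit(host)
        if hit:
            hits.append((src_ip, hit[0], hit[1]))
    return hits

# Constructed sample log: two proxy requests, three lines that must not alert.
SAMPLE_LOG = """\
2016-04-25T10:01:02Z 10.0.0.5 www.example.com
2016-04-25T10:01:09Z 10.0.0.7 abcdefghij234567.onion-gw.example
2016-04-25T10:02:30Z 10.0.0.7 abcdefghij234567.onion.gateway.example
2016-04-25T10:03:00Z 10.0.0.9 downloads1234567.cdn.example
2016-04-25T10:03:10Z 10.0.0.9 abcdefghij234567.onion
"""

if __name__ == "__main__":
    for src, label, gateway in scan(SAMPLE_LOG):
        print(f"{src} -> hidden service {label} via {gateway}")
```

Any 16-letter subdomain drawn only from a-z and 2-7 will match, so in practice the hits are triaged against a list of known gateway domains or correlated with other ransomware indicators on the same host.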

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Malware infection, Linksys Router exploit
  • System Compromise, Malware infection, Blackmoon
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, LockScreen
  • System Compromise, Trojan infection, PcClient
  • System Compromise, Trojan infection, Pony
  • System Compromise, Trojan infection, Rexpot
  • System Compromise, Trojan infection, Unk