Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of August 2016

New Detection Technique - ColdFusion XXE Exploit

A vulnerability, CVE-2016-4264, in ColdFusion version 11 and below allows attackers to perform XML External Entity (XXE) injection using maliciously crafted XML documents. Successful exploitation can allow attackers to read arbitrary files, list directories, launch SSRF attacks, perform SMB attacks and upload files.

We've added IDS signatures and added the following correlation rule to detect ColdFusion XXE exploit activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ColdFusion XXE Exploit CVE-2016-4264 Malicious XML Inbound
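As an added illustration of what the "Malicious XML Inbound" rule above is looking for (example code written for this update, not the product's signature logic): a small inspector that flags the DOCTYPE entity constructs an XXE document depends on, suitable as a pre-check before inbound XML reaches the application parser. The sample documents are constructed and the entity URI is a placeholder.

```python
import re
from typing import List

# Entity declaration with an external identifier: <!ENTITY [%] name SYSTEM|PUBLIC ...>
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\b", re.I)
# Parameter entity declaration: <!ENTITY % name ...> (used by out-of-band variants)
_PARAM_ENTITY = re.compile(r"<!ENTITY\s+%\s+[^\s>]+", re.I)
# Internal entity whose value references another entity (expansion chains)
_CHAINED_ENTITY = re.compile(r'<!ENTITY\s+[^\s>%]+\s+"[^"]*&[^;"]+;[^"]*"', re.I)

def inspect_xml(document: str) -> List[str]:
    """Return human-readable findings for an inbound XML document (empty = clean)."""
    findings = []
    if re.search(r"<!DOCTYPE", document, re.I) is None:
        return findings  # no DOCTYPE, so no entity declarations can be present
    for m in _EXTERNAL_ENTITY.finditer(document):
        findings.append(f"entity '{m.group('name')}' declared with {m.group('kind').upper()} identifier")
    if _PARAM_ENTITY.search(document):
        findings.append("parameter entity declared")
    for _ in _CHAINED_ENTITY.finditer(document):
        findings.append("internal entity expands to another entity reference")
    return findings

def is_suspicious(document: str) -> bool:
    """Boolean verdict usable for blocking or alerting."""
    return bool(inspect_xml(document))

# Constructed samples: a plain document and one carrying an external entity
# declaration (the URI is a placeholder, not a real target).
BENIGN_XML = '<?xml version="1.0"?><order><id>42</id></order>'
XXE_XML = ('<?xml version="1.0"?>'
           '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           '<order><id>&ext;</id></order>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_XML)):
        print(label, inspect_xml(doc) or "clean")
```

A parser-side control (disabling DTD processing or external entity resolution) remains the actual fix; this check only gives network-level visibility comparable to the IDS rule.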

New Detection Technique - WebNMS Framework Server Arbitrary File Upload

A vulnerability has been discovered in WebNMS Framework Server 5.2 that allows an unauthenticated user to upload arbitrary files through the FileUploadServlet servlet and thereby achieve remote code execution.

We've added IDS signatures and added the following correlation rule to detect WebNMS Framework Server Arbitrary File Upload activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WebNMS Framework Server Arbitrary File Upload

New Detection Technique - DetoxCrypto

DetoxCrypto is a new ransomware family that tries to take advantage of the popularity of Pokemon Go by masquerading as a Pokemon Go related executable. After execution, the ransomware encrypts the files on the victim's computer, displays a Pokemon-themed lock screen and plays music.

We've added IDS signatures and added the following correlation rule to detect DetoxCrypto activity:

  • System Compromise, Ransomware infection, DetoxCrypto

New Detection Technique - Fsociety

Fsociety ransomware is a variant of the EDA2 family. It was dubbed 'Fsociety' in part because of the popularity of the TV series Mr. Robot, and because the wallpaper displayed after the victim's files are encrypted is the logo of the hacking group 'Fsociety' from that series. The malware appears to still be in development, as it drops no ransom note and offers no way to contact the authors.

We've added IDS signatures and added the following correlation rule to detect Fsociety activity:

  • System Compromise, Ransomware infection, Fsociety

In addition to that, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Bunitu
  • System Compromise, Trojan infection, OmegaNET
  • System Compromise, Trojan infection, Ranos
  • System Compromise, Trojan infection, Sbidith
  • System Compromise, Trojan infection, Tardar
  • System Compromise, Targeted Malware, Unknown APT

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families use hidden services as a mechanism to communicate with a command and control (C&C) server, and usually rely on a predefined onion domain.

We've updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, Unknown RAT

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of SSL certificates that Abuse.ch has identified as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that lets users browse the Internet anonymously. It also provides anonymity for servers that are reachable only through the Tor network, known as hidden services. Some websites act as gateways that allow access to Tor hidden services from the regular Internet without joining the Tor network.

We've updated the correlation rule that detects when a system accesses one of these gateway services. Many ransomware schemes use such services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
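As an added example covering both the "Malicious TOR .onion domain" rule above and the "Tor Onion Proxy" rule (written for this update, not the product's own detection logic): a scan over constructed DNS query-log lines that flags .onion names leaking to a regular resolver, matches them against a watchlist, and spots hidden-service names requested through a clearnet gateway. The log format, the watchlist and the gateway suffixes are assumptions.

```python
import re
from typing import Dict, List, Optional

ONION_LABEL = r"[a-z2-7]{16}|[a-z2-7]{56}"  # v2 (16) or v3 (56) base32 onion address
_ONION_DIRECT = re.compile(rf"^(?:[\w-]+\.)*(?P<addr>{ONION_LABEL})\.onion\.?$", re.I)
# Constructed watchlist and gateway suffixes (assumptions); a deployment would load
# these from its threat intelligence feeds instead.
MALICIOUS_ONIONS = {"abcdefghijklmnop"}
ONION_PROXY_SUFFIXES = ("onion-proxy.example", "hidden-gw.example")
_ONION_VIA_PROXY = re.compile(
    rf"^(?P<addr>{ONION_LABEL})\.(?P<proxy>"
    + "|".join(re.escape(s) for s in ONION_PROXY_SUFFIXES) + r")\.?$", re.I)
# Constructed log format: "<timestamp> <client_ip> query <qname> <qtype>"
_LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

def classify_query(qname: str) -> Optional[str]:
    """Verdict for one queried name, or None when it is of no interest."""
    m = _ONION_DIRECT.match(qname)
    if m:
        # .onion is a special-use TLD (RFC 7686) that Tor resolves internally, so a
        # query reaching a regular resolver means something tried to reach a hidden
        # service outside Tor (malware, a leaky client, or a misconfiguration).
        if m.group("addr").lower() in MALICIOUS_ONIONS:
            return "malicious-onion"
        return "onion-leak"
    if _ONION_VIA_PROXY.match(qname):
        return "onion-proxy"  # hidden service requested through a clearnet gateway
    return None

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_query over query-log lines and collect the hits."""
    alerts = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        verdict = classify_query(m.group("qname"))
        if verdict:
            alerts.append({"client": m.group("client"), "qname": m.group("qname"), "verdict": verdict})
    return alerts

# Constructed sample log lines.
SAMPLE_LOG = [
    "2016-08-25T10:00:01Z 10.0.0.5 query www.example.com A",
    "2016-08-25T10:00:02Z 10.0.0.7 query abcdefghijklmnop.onion A",
    "2016-08-25T10:00:03Z 10.0.0.9 query zyxwvutsrqponmlk.onion A",
    "2016-08-25T10:00:04Z 10.0.0.9 query abcdefghijklmnop.onion-proxy.example A",
]
```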

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Internet Explorer - CVE-2014-6332
  • System Compromise, Backdoor, Cadelspy
  • System Compromise, Backdoor, Webshell
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, Crimson
  • System Compromise, Trojan infection, Galaxy Keylogger
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, IRC Bot
  • System Compromise, Trojan infection, MSILPerseus
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Zlader