Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of February 2016

New Detection Technique - Rover

Rover is a trojan used in a targeted attack, delivered via email, primarily against an Indian diplomat and an Ambassador to Afghanistan. It can steal files, log keystrokes, take screenshots and act as a backdoor.

We added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Rover

New Detection Technique - Remote Access Tools

Last week we added the following correlation rules and IDS signatures to detect new remote access tool families:

  • System Compromise, Malware RAT, AeroRAT

In addition, we updated existing rules and added new IDS signatures to improve the detection of previously known remote access tool families:

  • System Compromise, Malware RAT, DarkComet
  • System Compromise, Malware RAT, Mobi Rat
  • System Compromise, Malware RAT, Poison Ivy

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Agent QN
  • System Compromise, Trojan infection, Aux Logger
  • System Compromise, Trojan infection, Datsup
  • System Compromise, Trojan infection, Peppy
  • System Compromise, Trojan infection, VB RZA
  • System Compromise, Trojan infection, ZeroHTTP
  • System Compromise, Trojan infection, jFect
  • System Compromise, Botnet infection, 3r0rXx

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server, and they usually use a predefined onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
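As an added illustration of the detection described above (example code, not AlienVault's rule or signature logic), the following Python script parses constructed DNS query log lines in a BIND-style query-log format, flags every .onion lookup that reaches the resolver, and raises the severity when the name is on a (placeholder) list of known malicious onion domains. A lookup for a .onion name through ordinary DNS is itself worth an alert: a Tor client never sends .onion names to the system resolver, so such a query means a process is trying to reach a hidden service without going through Tor, or a Tor proxy is missing or misconfigured. The log lines, hostnames, IP addresses and the blocklist entry are all made up for this example.

```python
import re
from collections import Counter

# Constructed sample DNS query log (BIND-style query log format assumed).
# Hostnames and IP addresses are placeholders, not real indicators.
SAMPLE_DNS_LOG = """\
22-Feb-2016 10:01:02.113 client 10.0.0.15#51233: query: www.example.com IN A + (10.0.0.2)
22-Feb-2016 10:01:05.441 client 10.0.0.15#51240: query: abcdefghij123456.onion IN A + (10.0.0.2)
22-Feb-2016 10:01:06.002 client 10.0.0.21#40111: query: updates.example.net IN A + (10.0.0.2)
22-Feb-2016 10:01:09.770 client 10.0.0.15#51251: query: abcdefghij123456.onion IN A + (10.0.0.2)
22-Feb-2016 10:02:14.318 client 10.0.0.33#60002: query: mail.example.org IN MX + (10.0.0.2)
22-Feb-2016 10:02:20.909 client 10.0.0.33#60010: query: zzzzzzzzzzzzzzzz.onion IN A + (10.0.0.2)
"""

# Constructed blocklist of onion domains used by malware C&C (placeholder value).
KNOWN_MALICIOUS_ONION = {"abcdefghij123456.onion"}

# Extract source host, queried name and query type from one log line.
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (src_ip, qname, qtype) for every line that matches the query format."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qname = m.group("qname").lower().rstrip(".")
            yield m.group("src"), qname, m.group("qtype")


def is_onion(qname):
    """True when the name lives under the .onion special-use TLD."""
    return qname == "onion" or qname.endswith(".onion")


def detect_onion_lookups(log_text, blocklist=KNOWN_MALICIOUS_ONION):
    """Return one alert per .onion query seen in the log.

    Any .onion name reaching a normal resolver is suspicious (Tor clients do
    not resolve .onion via DNS); a name on the blocklist is rated high.
    """
    alerts = []
    for src, qname, qtype in parse_queries(log_text):
        if not is_onion(qname):
            continue
        severity = "high" if qname in blocklist else "medium"
        alerts.append({"src": src, "qname": qname, "qtype": qtype, "severity": severity})
    return alerts


def summarize_by_host(alerts):
    """Count .onion lookups per source host, the way a correlation rule groups events."""
    return Counter(alert["src"] for alert in alerts)


if __name__ == "__main__":
    found = detect_onion_lookups(SAMPLE_DNS_LOG)
    for alert in found:
        print(f"{alert['severity']:6} {alert['src']:12} {alert['qname']} ({alert['qtype']})")
    print(dict(summarize_by_host(found)))
```

Grouping by source host is the part that matters operationally: a single .onion query may be a curious user, while repeated queries for the same hard-coded onion name from one host match the predefined-domain behaviour described above and deserve a compromise ticket for that host.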

Updated Detection Technique - Darkleech

Darkleech is malware that infects web servers and injects malicious IFrames into the pages they serve. The injected IFrame can load content from exploit kits such as Angler EK and infect visitors with ransomware. Darkleech changes constantly and has started to use more complex obfuscation techniques.

Related content on Open Threat Exchange: https://otx.alienvault.com/pulse/5678857567db8c3f8b46bb89/

We added IDS signatures and updated correlation rules to detect Darkleech activity.

  • System Compromise, Malware infection, Darkleech
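Because Darkleech lives on the web server and alters the HTML it serves, a web administrator can check served pages for the hallmark of the injection: an IFrame that is hidden or sized to one or two pixels and points at a host other than the site itself. The script below is an added example of that content check (not AlienVault's signature logic and not a signature for any specific Darkleech variant); it uses only the Python standard library. The sample HTML and the external hostname in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page as a web server might serve it: one legitimate same-site
# IFrame and one injected, hidden, 1x1 IFrame pointing at an external host.
# The external hostname is a placeholder, not a real indicator.
SAMPLE_HTML = """\
<html><body>
<h1>Site news</h1>
<iframe src="/widgets/calendar.html" width="400" height="300"></iframe>
<p>Welcome.</p>
<iframe src="http://redirector.example.invalid/path/index.php?q=1" width="1" height="1"
        style="display:none;"></iframe>
</body></html>
"""

# Inline styles commonly used to keep an IFrame out of sight.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value) pairs; value may be None.
            self.iframes.append({k: (v or "") for k, v in attrs})


def tiny_dimension(value, limit=2):
    """True when a width/height attribute is at most `limit` pixels."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= limit
    except ValueError:
        return False


def find_suspicious_iframes(html_text, site_host):
    """Return a finding per IFrame that is hidden, tiny, or both.

    Each finding records the src and the reasons it was flagged; pointing at a
    host other than `site_host` is recorded as an extra reason.
    """
    collector = IframeCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if tiny_dimension(attrs.get("width")) and tiny_dimension(attrs.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            reasons.append("hidden")
        if not reasons:
            continue  # visible, normally sized IFrames are left alone
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("external-src")
        findings.append({"src": src, "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], ", ".join(finding["reasons"]))
```

Run the check against pages fetched from the server's own HTTP port rather than against files on disk: Darkleech injects at serving time, so the files can look clean while the delivered HTML does not. Comparing results across repeated fetches also helps, because injections of this kind are often served selectively rather than on every request.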

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "drive-by downloads": attackers embed the kit in a website where it is invisible to ordinary users. When a user browses to a site hosting an exploit kit, the kit tries every exploit it knows in order to compromise the user's browser and install malware on the machine. This is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Ransomware infection, Radamant
  • System Compromise, Trojan infection, Aux Logger
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Diple
  • System Compromise, Trojan infection, Kaicone
  • System Compromise, Trojan infection, Unknown trojan
  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, File Download - Poor Reputation Host, Suspicious executable downloaded from a low reputation domain