Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of June 2016

New Detection Technique - CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow

CVE-2016-2209 is one of multiple vulnerabilities in Symantec's Antivirus products that were discovered by Google Project Zero researcher Tavis Ormandy. The vulnerabilities were all related to the decomposer component of the Symantec Antivirus Engine, which is responsible for unpacking archive files. Because the decomposer runs with elevated privileges and is enabled in the default configuration, exploitation does not require any action by the user. Symantec has since patched these vulnerabilities.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • Exploitation & Installation, Vulnerable software, Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow

New Detection Technique - Satana

Satana is a new ransomware discovered by Malwarebytes. One unique feature of this ransomware is that, in addition to encrypting files, it will also install a bootlocker that prevents the user from logging into the Windows host. There is currently no known method to decrypt the files without paying the 0.5 bitcoin ransom.

We've added IDS signatures and created the following correlation rule to detect Satana activity:

  • System Compromise, Ransomware infection, Satana

New Detection Technique - TowerWeb

The TowerWeb ransomware is being distributed via phishing emails that use legal terminology to trick the user into thinking the email is from a reliable source. Once the victim has been infected, the ransomware performs several annoying activities, including switching the mouse buttons and repeatedly restarting the computer.

We've added IDS signatures and created the following correlation rule to detect TowerWeb activity:

  • System Compromise, Ransomware infection, TowerWeb

In addition to the above, we added a new IDS signature and created a correlation rule to detect WildFire Locker activity:

  • System Compromise, Ransomware infection, WildFire Locker

We also updated rules and added new IDS signatures to improve the detection of the following ransomware families:

  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Technique - SBDH Toolkit

Over the past year, ESET has been analyzing several instances of a new malware called SBDH Toolkit, which is being used in targeted espionage campaigns. The operators of the toolkit have been targeting selected files for exfiltration from government and public institutions focused on economic growth in Central and Eastern Europe.

We've added IDS signatures and created the following correlation rule to detect SBDH Toolkit activity:

  • System Compromise, Trojan infection, SBDH Toolkit

New Detection Technique - Malware

We've added the following correlation rules due to recent malicious activity:

  • Exploitation & Installation, Vulnerable software, Possible Symantec Malicious MIME Doc Name Overflow (EICAR)

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Sednit EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Operation Daybreak
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Exploitation & Installation, Malware infection - Exploit kit

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability, followed by the installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We have added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, DarkComet
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We added new Intrusion Detection System signatures for SSL certificates that Abuse.ch has identified as associated with botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Zeus SSL Certificate
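The certificate-based detection described above boils down to comparing the fingerprint of the server certificate seen in each TLS session against a feed of fingerprints known to belong to C&C infrastructure. The following is an added example, not code from the original update or from AlienVault; the blocklist entries, the fingerprints and the connection log are constructed for illustration, and the log is an assumed simple CSV layout rather than any particular sensor's output format. It normalizes fingerprints so that colon-separated and bare-hex forms still match, drops malformed feed entries, and pivots the hits by family to show which internal hosts need triage.

```python
"""Match observed TLS server-certificate fingerprints against a C&C blocklist.

Added example (not part of the original update). All fingerprints, feed
entries and log rows below are constructed; the log layout is an assumption.
"""
import csv
import io

# Constructed feed in the style of a fingerprint blocklist: sha1,reason.
# One entry uses colon-separated hex and one is malformed on purpose.
BLOCKLIST_CSV = """\
# sha1_fingerprint,listing_reason   (constructed entries, not a real feed)
0000000000000000000000000000000000000001,Dridex C&C
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02,Gootkit C&C
0000000000000000000000000000000000000003,Zeus C&C
not-a-fingerprint,bad entry
"""

# Constructed connection log (assumed layout):
# ts,src_ip,dst_ip,dst_port,server_name,cert_sha1
TLS_LOG = """\
2016-06-27T10:01:02Z,10.0.0.12,203.0.113.5,443,example.net,0000000000000000000000000000000000000001
2016-06-27T10:01:05Z,10.0.0.12,203.0.113.9,443,update.example.org,00000000000000000000000000000000000000aa
2016-06-27T10:02:10Z,10.0.0.33,198.51.100.7,8443,,0000000000000000000000000000000000000003
2016-06-27T10:02:11Z,10.0.0.33,198.51.100.7,8443,,00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
2016-06-27T10:03:00Z,10.0.0.40,192.0.2.20,443,cdn.example.com,0000000000000000000000000000000000000002
"""

LOG_FIELDS = ["ts", "src_ip", "dst_ip", "dst_port", "server_name", "cert_sha1"]
HEX_DIGITS = set("0123456789abcdef")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: lowercase hex with colons and spaces removed, so a feed
    and a sensor that format SHA-1 fingerprints differently still compare equal."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def load_blocklist(text: str) -> dict:
    """Parse the feed into {fingerprint: reason}; skip comments, blank lines and
    anything that is not a 40-character hex SHA-1 digest."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp, _, reason = line.partition(",")
        fp = normalize_fingerprint(fp)
        if len(fp) != 40 or not set(fp) <= HEX_DIGITS:
            continue
        entries[fp] = reason.strip()
    return entries


def find_cc_matches(log_text: str, blocklist: dict) -> list:
    """Return one alert dict per log row whose server certificate is listed."""
    alerts = []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=LOG_FIELDS)
    for row in reader:
        fp = normalize_fingerprint(row["cert_sha1"] or "")
        reason = blocklist.get(fp)
        if reason is None:
            continue
        alerts.append({
            "ts": row["ts"],
            "src_ip": row["src_ip"],
            "dst": f'{row["dst_ip"]}:{row["dst_port"]}',
            "server_name": row["server_name"] or "(none)",
            "fingerprint": fp,
            "reason": reason,
        })
    return alerts


def hosts_by_family(alerts: list) -> dict:
    """Pivot alerts into {reason: sorted unique source IPs} for triage."""
    out = {}
    for alert in alerts:
        out.setdefault(alert["reason"], set()).add(alert["src_ip"])
    return {family: sorted(ips) for family, ips in out.items()}


if __name__ == "__main__":
    blocklist = load_blocklist(BLOCKLIST_CSV)
    hits = find_cc_matches(TLS_LOG, blocklist)
    for hit in hits:
        print(f'{hit["ts"]} {hit["src_ip"]} -> {hit["dst"]} '
              f'sni={hit["server_name"]} {hit["reason"]}')
    print(hosts_by_family(hits))
```

Matching on the certificate fingerprint rather than the SNI or destination IP is what makes this useful against C&C servers that move between hosts but reuse a certificate; the trade-off is that a feed entry only covers one certificate, so the rule set has to be refreshed as the feed changes.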

Updated Correlation Rules

We've updated the following correlation rules due to recent malicious activity:

  • Exploitation & Installation, Service Exploit, OpenSSL HeartBeat
  • Exploitation & Installation, Service Exploit, Schannel - CVE-2014-6321
  • Exploitation & Installation, Suspicious Behaviour, Facebook password stealing inject
  • Exploitation & Installation, Targeted Malware, Hacking Team Flash Exploit
  • Exploitation & Installation, Trojan infection, File download via LNK
  • System Compromise, Backdoor, Possible Custom Content Type Manager WP Backdoor Access
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, Malware contacting Dynamic Domain
  • System Compromise, Malware infection, Zbot
  • System Compromise, Suspicious Behaviour, EXE file download from a Dynamic DNS host
  • System Compromise, Trojan infection, IndigoRose
  • System Compromise, Trojan infection, QQpass
  • System Compromise, Trojan infection, Unknown trojan

Last week we also added a few new IDS signatures which enhance our capability to detect the download of Windows executables. As a result, we updated an additional 355 correlation rules.
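Detecting a Windows executable download reliably means looking at the bytes that come back, not at the file extension or the declared Content-Type, since either can be chosen freely by whoever serves the file. The following is an added example, not code from the original update or from AlienVault, and the HTTP transactions it scans are constructed; it checks for the DOS "MZ" header, reads the e_lfanew offset at 0x3C, bounds-checks it, and confirms the "PE\0\0" signature, so that a text file that merely starts with "MZ" or a header with an out-of-range offset is not reported. It then flags bodies that are PE files but were served under a non-executable name and content type.

```python
"""Classify downloaded bodies as Windows PE executables by content.

Added example (not part of the original update). The PE-like blobs and the
HTTP transaction records are constructed; they are not real binaries.
"""
import struct

# MIME types commonly used for Windows executables (not an exhaustive list).
EXE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
EXE_EXTENSIONS = (".exe", ".dll", ".scr")


def looks_like_pe(data: bytes) -> bool:
    """True if data has the DOS 'MZ' header and a 'PE\\0\\0' signature at the
    offset stored in e_lfanew (little-endian u32 at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must leave room for the 4-byte signature inside the buffer;
    # a bogus offset must not raise, just fail the check.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped blob: 64-byte DOS header with 'MZ',
    e_lfanew at 0x3C, zero padding, then the PE signature and an i386 machine
    field. Assumes e_lfanew >= 0x40 (the DOS header size)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    padding = b"\x00" * max(0, e_lfanew - len(dos))
    return bytes(dos) + padding + b"PE\x00\x00" + b"\x4c\x01"


def classify_transaction(tx: dict) -> str:
    """'exe' if the body is a PE and was declared as one, 'exe-disguised' if
    it is a PE served under a non-executable name/type, else 'other'."""
    is_pe = looks_like_pe(tx["body"])
    declared_exe = (tx["url"].lower().endswith(EXE_EXTENSIONS)
                    or tx["content_type"].lower() in EXE_CONTENT_TYPES)
    if is_pe and declared_exe:
        return "exe"
    if is_pe:
        return "exe-disguised"
    return "other"


def scan_transactions(transactions: list) -> list:
    """Return (url, verdict) for every transaction that carried a PE body."""
    findings = []
    for tx in transactions:
        verdict = classify_transaction(tx)
        if verdict != "other":
            findings.append((tx["url"], verdict))
    return findings


# Constructed sample transactions (url, declared content type, response body).
SAMPLE_TRANSACTIONS = [
    {"url": "http://example.test/setup.exe",
     "content_type": "application/x-msdownload", "body": build_fake_pe()},
    {"url": "http://example.test/photo.jpg",
     "content_type": "image/jpeg", "body": build_fake_pe()},
    {"url": "http://example.test/photo2.jpg",
     "content_type": "image/jpeg", "body": b"\xff\xd8\xff\xe0" + b"\x00" * 64},
    {"url": "http://example.test/readme.txt",
     "content_type": "text/plain",
     "body": b"MZ is a German newspaper" + b"\x00" * 60},
    {"url": "http://example.test/bad_lfanew.bin",
     "content_type": "application/octet-stream",
     "body": b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0xFFFFFFF0)},
]


if __name__ == "__main__":
    for url, verdict in scan_transactions(SAMPLE_TRANSACTIONS):
        print(f"{verdict:14s} {url}")
```

The "exe-disguised" verdict is the one worth a higher severity in a correlation rule: an executable that arrives as setup.exe may be routine, while one served as a JPEG from a dynamic DNS host is exactly the pattern the "EXE file download from a Dynamic DNS host" rule above is built around.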