Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of March

New Detection Technique - DragonOK

First discovered in 2014, DragonOK is a targeted attack campaign that has been recently observed targeting political parties in Cambodia. DragonOK has been known to target organizations from Taiwan, Japan, Tibet, and Russia with spear-phishing emails containing malicious attachments. The latest dropper used by the campaign is disguised as an Adobe Reader installer and installs a new custom remote access tool (RAT). This new RAT has been named “KHRAT” based on one of the command and control (C&C) servers used, with "kh" pertaining to Cambodia’s country code.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, DragonOK

New Detection Technique - Dimnie

Originally dating back to early 2014, the Dimnie malware has resurfaced in a recent phishing campaign targeting open-source developers and owners of GitHub repositories. The campaign follows the same formula as many "traditional" malware campaigns: an e-mail lure, then a malicious attachment with a macro and PowerShell downloader, and finally a binary payload. Dimnie serves as a downloader and has a modular design encompassing various information-stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. Its stealthy command and control methods, combined with a previously Russian-focused target base, have allowed Dimnie to fly under the radar until this most recent campaign.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Dimnie

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, HappyDayzz
  • System Compromise, Ransomware infection, Theresa

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CrypMic
  • System Compromise, Ransomware infection, Filecoder
  • System Compromise, Ransomware infection, Teslacrypt
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware

New Detection Techniques

We've added the following correlation rules as a result of recent malicious and exploit activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, IIS 6.0 CVE-2017-7269 Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, JexBoss Common URI struct
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, SysGauge Buffer Overflow Attempt from SMTP
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TP-Link IP camera Command Injection
  • Reconnaissance & Probing, Web vulnerability scanning, Qualys
  • System Compromise, Backdoor, Yebot
  • System Compromise, Trojan infection, HAKOPS

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate
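The matching logic behind these rules, as an added illustration (not AlienVault's or Abuse.ch's code): TLS records are compared by server-certificate SHA1 fingerprint against a blocklist in the column layout of the Abuse.ch SSLBL CSV feed, and a hit is mapped to a correlation rule name by its listing reason. The fingerprints, the log line format and the reason-to-rule mapping are all constructed assumptions for this example.

```python
import csv
import io
import re
from collections import namedtuple

# Constructed blocklist in the SSLBL column layout (date, SHA1, reason);
# the fingerprints are made up and do not belong to any real certificate.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-03-20 10:15:00,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b,Dridex C&C
2017-03-22 08:02:31,2c26b46b68ffc68ff99b453c1d30413413422d70,Gozi C&C
"""

# Constructed TLS records: "<src> <dst>:<port> <server_name> <cert_sha1>".
TLS_LOG = """\
10.0.0.5 203.0.113.7:443 update.example-cdn.net 9F:86:D0:81:88:4C:7D:65:9A:2F:EA:A0:C5:5A:D0:15:A3:BF:4F:1B
10.0.0.9 198.51.100.2:443 www.example.org 0e7c5e7f0c5b5b0d8a0d3f4c2a1b9e8d7c6b5a49
10.0.0.5 203.0.113.9:8443 - 2c26b46b68ffc68ff99b453c1d30413413422d70
"""

Alert = namedtuple("Alert", "rule src dst reason")

def normalize_sha1(fp):
    """Strip colons/whitespace and lower-case; reject anything but 40 hex chars."""
    fp = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return fp

def load_sslbl(text):
    """Return {sha1: listing_reason}, skipping '#' comment lines."""
    rows = csv.reader(ln for ln in io.StringIO(text) if not ln.startswith("#"))
    return {normalize_sha1(sha1): reason for _date, sha1, reason in rows}

def rule_for(reason):
    """Assumed mapping from listing reason to the rule names in this update."""
    if reason.startswith("Dridex"):
        return "System Compromise, C&C Communication, Dridex SSL Certificate"
    return "System Compromise, C&C Communication, Known malicious SSL certificate"

def match_tls_log(log_text, blocklist):
    """One Alert per TLS record whose server certificate SHA1 is blocklisted."""
    alerts = []
    for line in log_text.splitlines():
        src, dst, _sni, fp = line.split()
        reason = blocklist.get(normalize_sha1(fp))
        if reason:
            alerts.append(Alert(rule_for(reason), src, dst, reason))
    return alerts
```

Fingerprints are normalized before comparison because IDS and log sources disagree on colon-separated versus bare hex and on letter case, and a raw string compare would silently miss hits.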

Updated Detection Technique - CopyKittens activity

Matryoshka is malware built by CopyKittens, an espionage group that has been attacking Israeli targets. Matryoshka is spread through spear-phishing emails carrying an attached document. The document contains either a malicious macro that the victim is asked to enable or an embedded executable the victim is asked to open. The malware uses DNS for command and control communication and data exfiltration.

We've added IDS signatures and updated the following correlation rules to detect the recent CopyKittens activity:

  • System Compromise, Trojan infection, Matryoshka
  • System Compromise, C&C Communication, CopyKittens Activity

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rules to detect APT28 activity:

  • System Compromise, Mobile trojan infection, IOS_XAGENT
  • System Compromise, Trojan infection, APT28 activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Netwire
  • System Compromise, Malware RAT, Remcos/Remvi

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, C&C Communication, Zeus DGA
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Symmi
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Tilon
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Unknown trojan