Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of March 2016

Emerging Threat - Dripion

Dripion is a custom-built backdoor designed to steal information and has been deployed in a highly targeted cyber-espionage campaign. It has infected organizations primarily located in Taiwan, as well as Brazil and the United States. The attackers behind Dripion use domain names disguised as antivirus company websites for their command and control (C&C) servers. Dripion has the functionality of a backdoor Trojan -- letting attackers upload, download, and steal predetermined information from the victim, and execute remote commands.

We added new IDS signatures and a correlation rule to detect Dripion activity:

  • System Compromise, Backdoor, Dripion

Emerging Threat - Ohagi

Ohagi is a new reconnaissance and cookie-stealing malware. Ohagi is a basic piece of code which provides its operator extensive information about the target machine -- possibly for optimizing future attacks and enhancing survivability of the malware in later stages of an assault on the victim's systems. Ohagi's core functionality consists of six different functions, each in charge of collecting a different kind of intelligence. Captured data is exfiltrated by sending it in plaintext over HTTP POST requests to varying hard-coded domains.

We added new IDS signatures and a correlation rule to detect Ohagi activity:

  • System Compromise, Trojan infection, Ohagi

Emerging Threat - TreasureHunter

TreasureHunter is a Point-of-Sale malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TreasureHunter enumerates running processes, extracts payment card information from memory, and then transmits this information to a C&C server. It has references to an actor from an underground cybercrime forum dedicated to credit card fraud, indicating that TreasureHunter was developed exclusively for a specific cybercrime operation.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/56f931a467db8c4b481bccda/

We added new IDS signatures and a correlation rule to detect TreasureHunter activity:

  • System Compromise, Trojan infection, TreasureHunter

New Detection Technique - Hidden-Tear Ransomware

Hidden-Tear is a piece of "educational" ransomware created by Turkish security group Utku Sen and was open-sourced in August 2015. Although the educational version is limited in capability, it has been modified to create more than two dozen variant spin-offs, according to researchers from Kaspersky Lab.

We added new IDS signatures and a correlation rule to detect Hidden-Tear activity:

  • System Compromise, Ransomware infection, Hidden-Tear

We also added new IDS signatures and correlation rules to detect other new ransomware:

  • System Compromise, Ransomware infection, Coverton
  • System Compromise, Ransomware infection, Ryzerlo
  • System Compromise, Ransomware infection, Salam
  • System Compromise, Ransomware infection, Unknown Ransomware

In addition to that, we updated some correlation rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky

New Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, AlanD-RAT
  • System Compromise, Malware RAT, Ozone RAT

In addition to that, we updated some correlation rules and added new IDS signatures to improve the detection of previously known remote access tool families:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy

New Detection Technique - Policy violation

The following correlation rules have been added to alert on activity violating corporate policy:

  • Environmental Awareness, Anonymous channel, Psiphon proxy
  • Environmental Awareness, Desktop Software - Remote Desktop, Online PC Support

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, FusionID HTTP Bot
  • System Compromise, Trojan infection, Godzilla
  • System Compromise, Trojan infection, Injector BUVU
  • System Compromise, Trojan infection, Neetog
  • System Compromise, Trojan infection, Suloc

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Dridex

Dridex is a piece of malware designed to steal banking credentials and other personal information on a system to gain access to the financial records of a user. Dridex performs a technique called web injection into the HTML of banking websites and then sends the stolen data to a remote command and control (C&C) server.

We have added several IDS signatures and the following correlation rule that will alert when the system detects Dridex talking to a C&C server:

  • System Compromise, Malware infection, Dridex

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Zeus SSL Certificate

Updated Detection Technique - Malicious TOR .onion domain

.onion is a top-level domain suffix that is used for hidden services inside the Tor network. Several families of malware use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain.

We have updated a correlation rule that groups together different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. There are some websites that allow access to Tor hidden services from the Internet without being inside the Tor network. We have created a new correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
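The two Tor-related rules above (malicious .onion domain resolution, and access to hidden services through an Internet-facing onion proxy) both come down to inspecting the hostnames a system asks its resolver for. The following is an added illustration of that detection logic in Python; it is not AlienVault's rule or signature content. The DNS log format, the blocklist of malicious onion names and the list of onion-proxy gateway domains are all constructed placeholders for this example: a deployment would feed it real resolver logs and the curated indicator lists the IDS signatures are built from.

```python
import re

# Constructed sample resolver log (assumed format:
# "<timestamp> <client_ip> query <qname> <qtype>"); not taken from the page.
SAMPLE_DNS_LOG = """\
2016-03-28T09:14:02Z 10.1.4.22 query www.example.com A
2016-03-28T09:14:05Z 10.1.4.22 query abcdefghijklmnop.onion A
2016-03-28T09:14:09Z 10.1.4.31 query c2serverabcdefgh.onion A
2016-03-28T09:14:11Z 10.1.4.31 query abcdefghijklmnop.onion.gateway.example A
2016-03-28T09:14:20Z 10.1.4.40 query mail.example.com MX
"""

# Placeholder indicator lists (constructed values, not real indicators).
MALICIOUS_ONIONS = {"c2serverabcdefgh.onion"}   # hidden services known as malware C&C
ONION_PROXY_DOMAINS = {"gateway.example"}       # Internet-facing onion proxy gateways

# A hidden-service name is 16 (v2) or 56 (v3) base32 characters followed by
# ".onion"; an onion proxy exposes it as "<service>.onion.<gateway-domain>".
ONION_NAME = re.compile(
    r"^(?P<svc>[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.(?P<gateway>.+))?$"
)


def parse_dns_line(line):
    """Split one log line into its fields; return None for lines we don't understand."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    return {
        "ts": parts[0],
        "client": parts[1],
        "qname": parts[3].lower().rstrip("."),
        "qtype": parts[4],
    }


def classify_query(qname):
    """Return (category, hidden_service) for a suspicious name, else None."""
    match = ONION_NAME.match(qname)
    if not match:
        return None
    service = match.group("svc") + ".onion"
    gateway = match.group("gateway")
    if gateway is None:
        # A bare .onion name should never reach a conventional resolver
        # (RFC 7686): the lookup itself leaks that a host tried to use Tor.
        if service in MALICIOUS_ONIONS:
            return ("malicious_onion_domain", service)
        return ("onion_dns_leak", service)
    if gateway in ONION_PROXY_DOMAINS:
        # Hidden service reached over the clear Internet via an onion proxy.
        return ("onion_proxy_access", service)
    return None


def detect(log_text):
    """Run the classifier over a whole log and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None:
            continue
        verdict = classify_query(rec["qname"])
        if verdict is not None:
            category, service = verdict
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "category": category,
                "hidden_service": service,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_DNS_LOG):
        print(alert)
```

The bare-.onion case is reported even when the name is not on the blocklist, because a correctly configured Tor client never sends .onion names to DNS; seeing one tells you a process on that host is trying to reach a hidden service without (or outside of) Tor, which is worth a low-severity alert on its own.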

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Joomla
  • Delivery & Attack, WebServer Attack - CMS, Mambo
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, TrendMicro node.js HTTP RCE Exploit
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Backdoor, Nidiran
  • System Compromise, C&C Communication, PlugX DNS channel
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, PhilBot
  • System Compromise, Malware infection, Sekur
  • System Compromise, Trojan infection, Bergard
  • System Compromise, Trojan infection, Cyborg
  • System Compromise, Trojan infection, DiamondFox
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, KOVTER.B
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Ruftar
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Zeus