Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of May 2016

Emerging Threat - APT Fimlis

Fimlis is a Trojan that opens a backdoor on the compromised computer and downloads potentially malicious files. Fimlis has been used in attacks against financial institutions in South-East Asia and the SWIFT network. 

We've added IDS signatures and created the following correlation rule to detect Fimlis:

  • System Compromise, Targeted Malware, APT Fimlis

New Detection Technique - CVE-2016-5118 Exploit attempt

A vulnerability (CVE-2016-5118) in ImageMagick was recently disclosed which allows the execution of shell commands by using a pipe in the file open syntax. This vulnerability is being exploited in the wild; however, a patch has been released, and we recommend updating to the latest version of ImageMagick.

We've added IDS signatures and created the following correlation rule to detect CVE-2016-5118:

  • Exploitation & Installation, Vulnerable software, Possible CVE-2016-5118 Exploit attempt
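As an added example (not code from the original update or from the ImageMagick project), the check below shows the input-side mitigation for the flaw described above: ImageMagick's file-open routine treats a filename that begins with a pipe character as a command to run, and it also accepts an optional coder prefix such as `png:` ahead of the filename, so a user-supplied name must never reach that routine unchanged. The upload directory, extension allow-list and sample names are constructed for this example.

```python
"""Defensive filename handling for the ImageMagick pipe-filename issue
(CVE-2016-5118). Helper names, the upload directory and the sample inputs
are constructed for this example."""
import os
import re
import uuid

# Optional coder prefix (e.g. "png:"), optional whitespace, then a leading
# pipe. Any alphanumeric prefix is accepted here, which is deliberately more
# conservative than ImageMagick's own list of coder names.
_PIPE_FILENAME = re.compile(r'^(?:[A-Za-z0-9]+:)?\s*\|')

# Extensions this hypothetical upload handler is willing to store.
ALLOWED_EXTENSIONS = {'.png', '.jpg', '.jpeg', '.gif'}


def is_pipe_filename(name: str) -> bool:
    """True if ImageMagick would interpret `name` as a pipe to a command."""
    return bool(_PIPE_FILENAME.match(name))


def safe_storage_name(user_supplied: str, upload_dir: str = '/var/uploads') -> str:
    """Return a path that is safe to hand to ImageMagick, or raise ValueError.

    The user-controlled name is never reused: only its extension survives
    (after an allow-list check) and the basename is regenerated, so neither
    a leading pipe nor a coder prefix can reach the file-open code path.
    """
    if is_pipe_filename(user_supplied):
        raise ValueError('rejected: filename would be treated as a pipe')
    ext = os.path.splitext(os.path.basename(user_supplied))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f'rejected: extension {ext!r} not allowed')
    return os.path.join(upload_dir, uuid.uuid4().hex + ext)


if __name__ == '__main__':
    # Constructed sample names: the first two would select the pipe path,
    # the last two are ordinary filenames (a pipe in the middle is harmless).
    for sample in ('|id', 'png:|id', 'holiday.png', 'a|b.jpg'):
        print(f'{sample!r:16} pipe={is_pipe_filename(sample)}')
```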

New Detection Technique - Criptobit

Criptobit is a new variant of ransomware that is protected by a packer and distributed with the use of exploit kits that affect different web browsers. One unique feature of this ransomware is that it checks the keyboard's language and will not execute if the codes for Russian or Kazakh are identified.

We've added IDS signatures and created the following correlation rule to detect Criptobit:

  • System Compromise, Ransomware infection, Criptobit

Last week we also updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Fibot

Fibot is a backdoor that gives an attacker remote access to a compromised system. It uses code injection to make it harder to detect and can inject code into running processes. Fibot enables the attacker to download and execute files, log keystrokes, modify system settings, start and stop processes, upload and delete files, and spread the malware to other PCs.

We've added IDS signatures and created the following correlation rule to detect Fibot:

  • System Compromise, Trojan infection, Fibot

New Detection Technique - Helminth

Recently Palo Alto Networks observed targeted attacks focused on financial institutions and technology organizations within Saudi Arabia. These attacks use spear-phishing emails to deliver a backdoor dubbed Helminth. Two variants of Helminth have been observed: one written in VBScript and PowerShell, delivered through macros embedded in an Excel spreadsheet, and the other a Windows executable.

We've added IDS signatures and created the following correlation rule to detect Helminth:

  • System Compromise, Trojan infection, Helminth

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • Environmental Awareness, Desktop Software - Remote Desktop, Remote Access Tool - Remote Manipulator
  • Exploitation & Installation, Service Exploit, HP.SSF.WebService Exploit Attempt
  • Exploitation & Installation, Vulnerable software, Oracle ATS Arbitrary File Upload (CVE-2016-0491)
  • System Compromise, Trojan infection, Aspen
  • System Compromise, Trojan infection, Klez
  • System Compromise, Trojan infection, Paco
  • System Compromise, Trojan infection, Stealth Falcon
  • System Compromise, Trojan infection, Nystprac
  • System Compromise, Trojan infection, iTorrent
  • System Compromise, C&C Communication, Paco SSL activity
  • System Compromise, Ransomware infection, CryptON

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, KaiXin EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Neutrino EK

Updated Detection Technique - Remote Access Tools

Typical attack patterns start by exploiting a vulnerability and installing malware; the next step often includes installing a Remote Administration Toolkit (RAT). The RAT is used to gain control of the compromised machine.

We have added IDS signatures and updated the following correlation rules to detect remote access tools:

  • System Compromise, Malware RAT, Luminosity Link RAT
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Malware SSL Certificates

We added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to browse the Internet anonymously. Tor also provides anonymity for servers that can only be reached through the Tor network; these are called hidden services. Some websites allow access to Tor hidden services from the regular Internet without the client being inside the Tor network. We have created a new correlation rule that detects when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
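As an added example (not the correlation rule itself, nor code from the original update), the detection below implements the idea behind this rule over proxy or DNS logs: inside Tor a hidden service is addressed as `<address>.onion`, while an onion-proxy gateway exposes the same service on the regular Internet as `<address>.onion.<gateway domain>`, which is the pattern flagged here. It goes slightly beyond the 2016 text by accepting both 16-character and 56-character onion addresses. The log format, gateway domains and addresses are constructed for this example.

```python
"""Flag log entries where a client reaches a Tor hidden service through an
onion-proxy gateway. Log format, hosts and gateway names are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# A hidden-service label is 16 base32 chars (v2) or 56 (v3) followed by
# ".onion". Inside Tor that is the whole hostname; via a clearnet gateway it
# is followed by the gateway's own domain, which is what this pattern needs.
_ONION_VIA_GATEWAY = re.compile(
    r'(?:^|\.)([a-z2-7]{16}|[a-z2-7]{56})\.onion\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)$',
    re.IGNORECASE)

# Constructed sample log: "<timestamp> <client ip> <requested hostname>".
SAMPLE_PROXY_LOG = """\
2016-05-25T10:01:12Z 10.0.0.5 www.example.com
2016-05-25T10:01:40Z 10.0.0.5 abcdefghijklmnop.onion.gateway.test
2016-05-25T10:02:03Z 10.0.0.9 mail.example.com
2016-05-25T10:02:30Z 10.0.0.9 ABCDEFGHIJKLMNOP.ONION.other-gateway.test
2016-05-25T10:03:00Z 10.0.0.5 onion.example.com
"""


def onion_gateway_target(hostname: str) -> Optional[Tuple[str, str]]:
    """Return (hidden_service, gateway_domain) if hostname goes via a gateway,
    otherwise None. A bare "<address>.onion" (direct Tor use) is not matched."""
    m = _ONION_VIA_GATEWAY.search(hostname.rstrip('.'))
    if not m:
        return None
    return (m.group(1).lower() + '.onion', m.group(2).lower())


def find_onion_proxy_access(log_text: str) -> List[Dict[str, str]]:
    """Scan whitespace-separated log lines and collect gateway accesses."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        target = onion_gateway_target(parts[2])
        if target:
            hits.append({'time': parts[0], 'client': parts[1],
                         'hidden_service': target[0], 'gateway': target[1]})
    return hits


if __name__ == '__main__':
    for hit in find_onion_proxy_access(SAMPLE_PROXY_LOG):
        print(hit)
```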

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, AutoIt
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Cryptic
  • System Compromise, Trojan infection, Unknown PowerShell