Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of November 2016

New Detection Technique - Proteus

Proteus is a new multi-functional botnet written in .NET that combines several features, including a proxy server, coin miner, e-commerce merchant account checker, and keylogger. Proteus is also capable of downloading and executing files. In addition, all command and control (C&C) communication is encrypted with a symmetric algorithm. With all of this functionality (and perhaps more) combined in one botnet, Proteus has the potential to be particularly harmful, as it could download almost anything and execute it on the infected host.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Proteus

New Detection Technique - Firefox Memory Corruption

A new zero-day vulnerability in Firefox has been discovered that is actively being used to deanonymize Tor Browser users. It is a "use-after-free" vulnerability that, when exploited, allows the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. The exploit uses this capability to collect the IP and MAC address of the targeted system and report them back to a central server.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Firefox Memory Corruption

New Detection Technique - Ransomware

During the past week, we have seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect multiple new ransomware families:

  • System Compromise, Ransomware infection, VindowsLocker

Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, DetoxCrypto
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Princess

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Visbot

New Detection Technique - Exploit

The following correlation rules have been added due to recent exploit activity:

  • Exploitation & Installation, Service Exploit, Eir D1000 Modem CWMP Exploit RCE
  • Exploitation & Installation, Service Exploit, UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision Webcam RCE

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Sednit EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, FlokiBot SSL activity
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, C&C Communication, Zeus SSL Certificate
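The detection logic behind these rules is a lookup of the server certificate fingerprint seen in a TLS connection against a blocklist of fingerprints tied to known malware families. The following is an added example that is not part of the original update or the Abuse.ch feed: the blocklist entries, log lines and fingerprints are all constructed sample data, and the log format is assumed to be a tab-separated Zeek-style ssl.log excerpt.

```python
"""Match TLS server-certificate fingerprints from connection logs against a
blocklist of certificate hashes associated with malware C&C. Every fingerprint
and log line here is constructed sample data, not a real indicator."""
from collections import namedtuple

Alert = namedtuple("Alert", "ts src dst family rule")

# Constructed blocklist: SHA-1 fingerprint -> (malware family, correlation rule name).
BLOCKLIST = {
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334":
        ("Zeus", "System Compromise, C&C Communication, Zeus SSL Certificate"),
    "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233":
        ("Gozi", "System Compromise, C&C Communication, Gozi SSL Activity"),
}

# Constructed Zeek-style ssl.log excerpt (tab-separated). Columns (assumed):
# ts, id.orig_h, id.resp_h, id.resp_p, server_name, cert_sha1 ("-" = none seen)
SAMPLE_SSL_LOG = """\
1480000001.1\t10.0.0.5\t203.0.113.10\t443\twww.example.com\t1234567890abcdef1234567890abcdef12345678
1480000002.2\t10.0.0.5\t198.51.100.7\t443\t-\tA1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:01:12:23:34
1480000003.3\t10.0.0.9\t198.51.100.8\t8443\tupdate.example.net\t0f1e2d3c4b5a69788796a5b4c3d2e1f000112233
1480000004.4\t10.0.0.9\t203.0.113.11\t443\t-\t-
"""

def normalize_fingerprint(fp):
    """Accept 'AB:CD:..' or 'abcd..' forms; return bare lowercase hex or None if malformed.
    Feeds and sensors disagree on formatting, so normalize before comparing."""
    fp = fp.replace(":", "").strip().lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        return None
    return fp

def parse_ssl_log(text):
    """Parse tab-separated log lines into dicts, skipping comments and short rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 6:
            continue
        records.append({"ts": f[0], "src": f[1], "dst": f[2], "port": f[3],
                        "sni": f[4], "fp": f[5]})
    return records

def match_certificates(records, blocklist=BLOCKLIST):
    """Return one Alert per connection whose certificate fingerprint is blocklisted."""
    alerts = []
    for r in records:
        fp = normalize_fingerprint(r["fp"])
        if fp and fp in blocklist:
            family, rule = blocklist[fp]
            alerts.append(Alert(r["ts"], r["src"], r["dst"], family, rule))
    return alerts
```

Note that the second sample connection has no SNI and a colon-separated uppercase fingerprint, which still matches after normalization; the fingerprint is what identifies the C&C certificate, not the hostname.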

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, Netwire
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rules to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, Trojan infection, IOS_XAGENT

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Joomla
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Internet Explorer Memory Corruption Vulnerability (CVE-2016-3210)
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Zbot
  • System Compromise, Trojan infection, AutoIt
  • System Compromise, Trojan infection, Carbanak
  • System Compromise, Trojan infection, Dapato
  • System Compromise, Trojan infection, DistTrack
  • System Compromise, Trojan infection, FlokiBot
  • System Compromise, Trojan infection, Helminth
  • System Compromise, Trojan infection, Unknown trojan