Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of October 2016

New Detection Technique - ShinoLocker

ShinoLocker is a ransomware simulator (or "educational" ransomware) developed by researcher Shota Shinogi as a way for people to test their security performance and utilities. According to the developer, the difference between ShinoLocker and real ransomware is that ShinoLocker never asks for a ransom, and you don't have to pay money to get the decryption key. Though the researcher had good intentions in developing this ransomware builder, it could easily be abused by malicious attackers.

We've added IDS signatures and created the following correlation rules to detect this activity:

  • System Compromise, Ransomware infection, ShinoLocker
  • System Compromise, C&C Communication, ShinoLocker SSL activity

We've also added IDS signatures and created a correlation rule to detect other new ransomware activity:

  • System Compromise, Ransomware infection, Jackpot 

In addition to that, we've updated the detection techniques for the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, SDLocker
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Joomla Add User Exploit

Two vulnerabilities (CVE-2016-8869 and CVE-2016-8870) affecting Joomla CMS versions 3.4.4 through 3.6.3 have recently been disclosed. The vulnerabilities exist because of inadequate checks that allow users to register on a site when registration has been disabled, and because of incorrect use of unfiltered data that allows users to register on a site with elevated privileges. These vulnerabilities have been patched, and Joomla has released the updated version 3.6.4.

We've added IDS signatures and created the following correlation rules to detect this activity:

  • Delivery & Attack, WebServer Attack - CMS, Joomla Add User Exploit
  • Delivery & Attack, WebServer Attack - CMS, Joomla Add User Exploit With PrivEsc

New Detection Technique - Bitter RAT

Bitter is a remote access tool used by attackers in a targeted attack against Pakistani officials. The attack campaign was carried out using spear-phishing emails and relied predominantly on the older, relatively popular Microsoft Office exploit CVE-2012-0158. The Bitter operators used free dynamic DNS (DDNS) and dedicated server hosting services to set up their command and control (C&C) servers.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Bitter RAT

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • Delivery & Attack, File Download - Poor Reputation Host, Executable downloaded from suspicious TLD
  • Environmental Awareness, Covert channel, RalletsVPN
  • System Compromise, Targeted Malware, APT.Gabby
  • System Compromise, Trojan infection, Houdini
  • System Compromise, Trojan infection, Sarvdap
  • System Compromise, Trojan infection, TheMoon
  • System Compromise, Trojan infection, Xema C9990

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK
  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blogpost: "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and updated the following correlation rules to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity
  • System Compromise, Targeted Malware, SEDNIT
  • System Compromise, Mobile trojan infection, IOS_XAGENT
  • System Compromise, C&C Communication, APT28 SSL activity

Updated Detection Technique - Linux.Mirai

Linux.Mirai is malware designed to hijack BusyBox-based systems in order to perform DDoS attacks. It has been in the news the past few weeks as the bot used in the DDoS attack on Brian Krebs's security blog. Mirai is known for the ease with which it can victimize IoT devices: the widespread exposure of Telnet, combined with a list of factory default usernames and passwords, results in botnets of a size that is beyond imagination.

The source code for the Linux.Mirai bot was released a few weeks ago. According to Radware, the loader and bot are coded in C, while the scanListen and command and control (C&C) services are written in Go, leveraging goroutines and channels in an efficient Communicating Sequential Processes (CSP) design pattern.
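The Telnet-hunting behaviour described above is easy to spot in flow data: one source touching many distinct Telnet listeners within a short window. The following is an added example, not part of this update or of the Mirai source; the flow-log format, the port set, the window and the threshold are all assumptions, and the sample records are constructed and assumed to be in time order.

```python
"""Flag hosts sweeping Telnet (tcp/23) across many destinations, the
behaviour of a Mirai-infected device hunting for new victims.
Added example; the flow format and thresholds below are assumptions."""
from collections import defaultdict, deque

TELNET_PORTS = {23}          # assumed: only tcp/23, as the text mentions Telnet
WINDOW_SECONDS = 60          # assumed sliding window, in seconds
DISTINCT_DST_THRESHOLD = 8   # assumed: distinct destinations inside the window


def parse_flow(line):
    """Parse a constructed flow record: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_telnet_sweeps(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: epoch at which that source first crossed the threshold}.

    Per source, keep a deque of (ts, dst) for Telnet flows inside the window
    and count distinct destinations, so a client that keeps talking to the
    same Telnet server is not reported as a sweep. Input must be time-ordered."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport not in TELNET_PORTS or src in alerts:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


# Constructed sample: 10.0.0.7 probes nine hosts in ~16 s (Mirai-like);
# 10.0.0.9 revisits one Telnet server and makes an unrelated HTTPS flow.
SAMPLE_FLOWS = [
    f"{1477000000 + i * 2} 10.0.0.7 203.0.113.{i + 1} 23" for i in range(9)
] + [
    "1477000001 10.0.0.9 198.51.100.5 23",
    "1477000030 10.0.0.9 198.51.100.5 23",
    "1477000040 10.0.0.9 198.51.100.6 443",
]

if __name__ == "__main__":
    for src, ts in detect_telnet_sweeps(SAMPLE_FLOWS).items():
        print(f"telnet sweep from {src}, threshold crossed at epoch {ts}")
```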

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Linux.Mirai

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, C&C Communication, Qadars SSL activity
  • System Compromise, C&C Communication, Suspicious SSL certificate - malicious server
  • System Compromise, C&C Communication, Ursnif SSL activity
  • System Compromise, C&C Communication, Vawtrak SSL Certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, PlugX
  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites allow access to Tor hidden services from the regular Internet without being inside the Tor network.

We've updated the correlation rule that detects when a system accesses one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
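One way to surface the onion-proxy access described above from DNS logs: such proxies are reached by names of the form <hidden-service>.onion.<proxy-domain>, so a query whose "onion" label is preceded by a base32 hidden-service address and followed by more labels is a strong indicator. This is an added example, not part of this update or of the correlation rule; the log format and the proxy domain are constructed. It goes one step beyond the text by also reporting a bare .onion lookup, which should never reach a DNS resolver from a correctly configured Tor client.

```python
"""Classify DNS query names that point at Tor hidden services, either via
an onion proxy (<svc>.onion.<proxy>) or as a leaked bare .onion lookup.
Added example; log format and proxy domains are constructed."""
import re

# Hidden-service address label: base32, 16 chars (v2) or 56 chars (v3).
ONION_ADDRESS = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def classify_name(qname):
    """Return 'onion-proxy', 'onion-direct', or None for one query name."""
    labels = qname.lower().rstrip(".").split(".")
    if "onion" not in labels:
        return None
    idx = labels.index("onion")
    # The label before "onion" must look like a hidden-service address; this
    # keeps ordinary domains that merely contain the word "onion" out.
    if idx == 0 or not ONION_ADDRESS.match(labels[idx - 1]):
        return None
    return "onion-direct" if idx == len(labels) - 1 else "onion-proxy"


def scan_dns_log(lines):
    """Parse constructed lines '<epoch> <client> <qname>' and return a list of
    (client, qname, kind) for every query that classify_name() flags."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        kind = classify_name(qname)
        if kind:
            hits.append((client, qname.lower().rstrip("."), kind))
    return hits


# Constructed sample log; onionproxy.example stands in for a real proxy domain.
SAMPLE_DNS = [
    "1477000000 10.0.0.5 www.example.com",
    "1477000001 10.0.0.5 abcdefghijklmnop.onion.onionproxy.example",
    "1477000002 10.0.0.8 abcdefghijklmnop.onion",
    "1477000003 10.0.0.8 onion.example.org",
    "1477000004 10.0.0.9 shop.onion.example.net",
]

if __name__ == "__main__":
    for client, qname, kind in scan_dns_log(SAMPLE_DNS):
        print(f"{kind}: {client} looked up {qname}")
```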

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Covert channel, RalletsVPN
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Suspicious Behaviour, Suspicious SSL cert from a low reputation server
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Expiro
  • System Compromise, Trojan infection, Unknown trojan