Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of April 2017

New Detection Technique - Equation Group Leaks

The Shadow Brokers have leaked more of the Equation Group's hacking tools, stolen from the NSA. Included in the dump was DANDERSPRITZ, a Java-based remote access tool (RAT) framework used to control implants such as PeddleCheap and ExpandingPulley.

We've added IDS signatures and the following correlation rule to detect the activity from these tools:

  • System Compromise, Malware RAT, DANDERSPRITZ

New Detection Technique - Hajime

Hajime (Japanese for 'beginning') is an IoT worm first discovered in October 2016 that has amassed a peer-to-peer (P2P) botnet of over 300,000 devices. Hajime is under constant development and has received many updates since it was first seen.

We've added IDS signatures and the following correlation rule to detect activity from this worm:

  • System Compromise, Trojan infection, Hajime

New Detection Technique - Linux Shishiga

Linux Shishiga is a new malware family written entirely in Lua. It communicates over several protocols, including SSH, Telnet, HTTP, and BitTorrent, and spreads by brute-forcing logins with a built-in list of common passwords.
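The brute-force spreading described above is easy to see in host authentication logs. The following is an added example, not AlienVault's signature or correlation-rule logic: it runs a simple credential-list detector over constructed OpenSSH-style sshd syslog lines (the hosts, addresses and usernames are made up). A source is flagged when it fails several logins against several distinct accounts within a short window, and a later successful login from a flagged source is raised separately as a probable compromise; a single mistyped password followed by a success is deliberately not alerted on. Only sshd lines are parsed; Telnet daemons log differently and are not covered here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (made up for this example):
# a credential-list worm working through default accounts from 10.0.0.5 and
# finally getting in as "pi", plus one mistyped password from a real user.
SAMPLE_AUTH_LOG = """\
Apr 24 10:01:02 host1 sshd[1201]: Failed password for root from 10.0.0.5 port 41022 ssh2
Apr 24 10:01:03 host1 sshd[1201]: Failed password for root from 10.0.0.5 port 41022 ssh2
Apr 24 10:01:04 host1 sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 41030 ssh2
Apr 24 10:01:05 host1 sshd[1205]: Failed password for pi from 10.0.0.5 port 41041 ssh2
Apr 24 10:01:06 host1 sshd[1207]: Failed password for invalid user ubnt from 10.0.0.5 port 41052 ssh2
Apr 24 10:01:07 host1 sshd[1209]: Failed password for invalid user support from 10.0.0.5 port 41060 ssh2
Apr 24 10:01:08 host1 sshd[1211]: Accepted password for pi from 10.0.0.5 port 41071 ssh2
Apr 24 10:05:00 host1 sshd[1300]: Failed password for alice from 192.168.1.20 port 50000 ssh2
Apr 24 10:05:09 host1 sshd[1300]: Accepted password for alice from 192.168.1.20 port 50000 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_events(text):
    """Return the password-auth events found in sshd syslog text, oldest first."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m is None:
            continue  # unrelated sshd/syslog line
        events.append({
            # syslog lines carry no year; strptime defaults to 1900, which is
            # fine for the relative comparisons done here
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "success": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=5, min_users=3):
    """Flag sources that fail >= min_failures logins against >= min_users
    distinct accounts inside `window` (credential-list behaviour), and a
    later successful login from such a source as a probable compromise."""
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> failures inside window
    flagged = set()
    for ev in events:
        fails = recent_failures[ev["ip"]]
        while fails and ev["time"] - fails[0]["time"] > window:
            fails.pop(0)  # expire failures that fell out of the window
        if ev["success"]:
            # A success after one failed attempt is normal (the 192.168.1.20
            # user in the sample); a success from a source already flagged
            # as brute-forcing means a guessed password worked.
            if ev["ip"] in flagged:
                alerts.append({"type": "compromise", "ip": ev["ip"],
                               "user": ev["user"], "prior_failures": len(fails)})
            fails.clear()
            continue
        fails.append(ev)
        users = {f["user"] for f in fails}
        if (len(fails) >= min_failures and len(users) >= min_users
                and ev["ip"] not in flagged):
            flagged.add(ev["ip"])
            alerts.append({"type": "bruteforce", "ip": ev["ip"],
                           "failures": len(fails), "users": sorted(users)})
    return alerts


def run(text=SAMPLE_AUTH_LOG):
    return detect_bruteforce(parse_events(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The thresholds are illustrative; on a real host, tune the window and counts against normal failure rates, and feed the same events to whichever SIEM or correlation engine you run so the brute-force and the later success are linked to one source.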

We've added IDS signatures and the following correlation rule to detect activity from this malware:

  • System Compromise, Trojan infection, Linux.Shishiga

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

  • Environmental Awareness, Desktop Software - Remote Desktop, DeskShare
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible Edge SOP Bypass UXSS

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries its set of browser and plugin exploits against the visitor in order to compromise the machine and install malware. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by abuse.ch (the SSL Blacklist) as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including:

  • System Compromise, C&C Communication, CobaltStrike SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
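To show how a certificate blocklist feed like this is applied to observed traffic, here is an added example that is not AlienVault's signature or correlation-rule logic. It loads a constructed excerpt laid out like the abuse.ch SSL Blacklist CSV, normalises the SHA1 fingerprints, matches them against constructed Suricata eve.json TLS records, and maps each hit to one of the two rule names listed above. The fingerprints, addresses and listing reasons are made up; the CSV layout and Suricata's colon-separated tls.fingerprint field are assumed from their published formats. A TLS record with no certificate (handshake cut short) is skipped rather than treated as an error.

```python
import csv
import json

# Constructed excerpt laid out like the abuse.ch SSL Blacklist CSV
# ("# comment" lines, then Listingdate,SHA1,Listingreason). The fingerprints
# are made up for this example and are not real listings.
SAMPLE_SSLBL_CSV = """\
# SSL Certificate Blacklist - constructed sample in the abuse.ch CSV layout
# Listingdate,SHA1,Listingreason
2017-04-20 08:13:05,0123456789abcdef0123456789abcdef01234567,CobaltStrike C&C
2017-04-22 17:40:12,89abcdef0123456789abcdef0123456789abcdef,Dridex C&C
"""

# Constructed Suricata eve.json records (one JSON object per line). Suricata
# logs the server certificate's SHA1 as colon-separated hex in tls.fingerprint.
SAMPLE_EVE_JSON = """\
{"timestamp":"2017-04-25T10:00:01.000000+0000","event_type":"tls","src_ip":"10.1.2.3","dest_ip":"203.0.113.10","dest_port":443,"tls":{"subject":"CN=example.test","issuerdn":"CN=example.test","fingerprint":"01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}}
{"timestamp":"2017-04-25T10:00:02.000000+0000","event_type":"tls","src_ip":"10.1.2.4","dest_ip":"198.51.100.7","dest_port":443,"tls":{"subject":"CN=www.example.org","issuerdn":"CN=Example CA","fingerprint":"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"}}
{"timestamp":"2017-04-25T10:00:03.000000+0000","event_type":"http","src_ip":"10.1.2.5","dest_ip":"198.51.100.8","dest_port":80}
{"timestamp":"2017-04-25T10:00:04.000000+0000","event_type":"tls","src_ip":"10.1.2.6","dest_ip":"203.0.113.44","dest_port":8443,"tls":{"subject":"CN=foo","issuerdn":"CN=foo","fingerprint":"89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"}}
{"timestamp":"2017-04-25T10:00:05.000000+0000","event_type":"tls","src_ip":"10.1.2.7","dest_ip":"203.0.113.45","dest_port":443,"tls":{"sni":"early.example.net"}}
"""

HEX = set("0123456789abcdef")


def normalize_fingerprint(fp):
    """Canonicalise a SHA1 fingerprint: strip colons and whitespace, lower-case,
    and reject anything that is not 20 bytes of hex."""
    fp = fp.replace(":", "").strip().lower()
    if len(fp) != 40 or not set(fp) <= HEX:
        raise ValueError("not a SHA1 fingerprint: %r" % fp)
    return fp


def load_sslbl(csv_text):
    """Map normalised SHA1 -> listing reason from SSLBL-style CSV text."""
    listings = {}
    rows = csv.reader(l for l in csv_text.splitlines() if l and not l.startswith("#"))
    for listing_date, sha1, reason in rows:
        listings[normalize_fingerprint(sha1)] = reason
    return listings


def rule_for(reason):
    # Split listings between the two correlation rules named above: the
    # Cobalt Strike-specific one and the generic blacklist match.
    if "cobaltstrike" in reason.replace(" ", "").lower():
        return "System Compromise, C&C Communication, CobaltStrike SSL activity"
    return "System Compromise, C&C Communication, Known malicious SSL certificate"


def match_tls_events(eve_text, listings):
    """Return one hit per TLS event whose certificate fingerprint is listed."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue
        fp = ev.get("tls", {}).get("fingerprint")
        if not fp:
            continue  # no certificate seen (e.g. handshake cut short)
        sha1 = normalize_fingerprint(fp)
        reason = listings.get(sha1)
        if reason is None:
            continue
        hits.append({
            "timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"],
            "sha1": sha1, "reason": reason, "rule": rule_for(reason),
        })
    return hits


def run(eve_text=SAMPLE_EVE_JSON, csv_text=SAMPLE_SSLBL_CSV):
    return match_tls_events(eve_text, load_sslbl(csv_text))


if __name__ == "__main__":
    for hit in run():
        print(hit["rule"], "|", hit["src_ip"], "->", hit["dest_ip"], "|", hit["reason"])
```

Normalising both sides before comparison matters: feeds publish fingerprints as bare lower-case hex while sensors often emit colon-separated or upper-case forms, and a raw string comparison would silently miss the match.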

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Access Tool (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, njRAT

Updated Detection Technique - Ransomware

In the past week, we've seen increasing ransomware activity in the wild. We've added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, CrypMic
  • System Compromise, Ransomware infection, Karmen
  • System Compromise, Ransomware infection, Sage

Updated Detection Technique - Cobalt Strike

Cobalt Strike describes itself as "threat emulation software for red teams and penetration testers." It ships with a post-exploitation agent (Beacon) used to simulate APT actors, which can communicate over covert channels and, through its Malleable C2 profiles, mimic the command and control (C2) traffic of various malware families.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Desktop Software - Remote Desktop, Screenleap
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Tenable Appliance < 4.5 - Unauthenticated Root Remote Code Execution (CVE-2017-8051)
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Dridex
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, ClipBanker
  • System Compromise, Trojan infection, Loadmoney
  • System Compromise, Trojan infection, SpyAgent
  • System Compromise, Trojan infection, Unknown trojan