Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of April 2018

New Detection Technique – WannaMine

WannaMine was first reported by Panda Security in October 2017 and continues to spread. The trojan mines the Monero cryptocurrency, and some victims have reported it consuming all of the system's processing power. It is a particular problem in virtualised environments, where a single infected guest can saturate the host's processing power.

WannaMine is written in PowerShell and combines credential dumping with the EternalBlue exploit (which targets the SMBv1 flaw patched in MS17-010) to spread laterally within infected networks. Hosts that are still missing that patch or still have SMBv1 enabled are the ones it can reach without any stolen credentials.
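
EternalBlue-style lateral movement leaves a simple network footprint: one host opening SMB (TCP/445) sessions to many peers in a short time. The following script, added here as an illustration and not the correlation rule or IDS signature from this update, flags that fan-out pattern over flow records. The record format (ISO timestamp, source IP, destination IP, destination port) and the sample records are constructed for the example.

```python
"""Flag hosts that fan out SMB (TCP/445) connections to many peers in a short window.

Added example, not the vendor's rule. The flow format and sample data below are
constructed: one noisy host (10.0.1.15), one normal file-share client (10.0.2.5)
and one slow scanner (10.0.3.9) that spreads its connections over two hours.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (hypothetical network).
SAMPLE_FLOWS = """\
# timestamp            src        dst        dport
2018-04-23T10:00:01 10.0.1.15 10.0.1.20 445
2018-04-23T10:00:02 10.0.1.15 10.0.1.21 445
2018-04-23T10:00:02 10.0.1.15 10.0.1.22 445
2018-04-23T10:00:03 10.0.1.15 10.0.1.23 445
2018-04-23T10:00:04 10.0.1.15 10.0.1.24 445
2018-04-23T10:00:06 10.0.1.15 10.0.1.25 445
2018-04-23T10:00:07 10.0.1.15 10.0.1.99 80
2018-04-23T10:01:00 10.0.2.5 10.0.2.50 445
2018-04-23T10:02:00 10.0.2.5 10.0.2.51 445
2018-04-23T09:00:00 10.0.3.9 10.0.3.10 445
2018-04-23T09:30:00 10.0.3.9 10.0.3.11 445
2018-04-23T10:00:00 10.0.3.9 10.0.3.12 445
2018-04-23T10:30:00 10.0.3.9 10.0.3.13 445
2018-04-23T11:00:00 10.0.3.9 10.0.3.14 445
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smb_fanout(flows, window_seconds=300, threshold=5):
    """Return {src: set_of_targets} for sources that reach at least `threshold`
    distinct hosts on TCP/445 within any sliding window of `window_seconds`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()  # chronological order so each event can start a window
        for i, (t0, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= threshold:
                hits[src] = in_window
                break
    return hits


if __name__ == "__main__":
    for src, targets in smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} reached {len(targets)} SMB hosts: {sorted(targets)}")
```

With the defaults (five distinct hosts inside five minutes) only 10.0.1.15 is reported; the slow scanner 10.0.3.9 only trips the rule if the window is widened, which is the usual trade-off for this kind of threshold: a tighter window keeps backup servers and administrators' jump hosts out of the alert, a wider one catches deliberately throttled spreading at the cost of more triage.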

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, WannaMine

New Detection Technique – StressPaint

StressPaint malware, first reported by Radware in April 2018, was created by a group trying to collect users' Facebook credentials. The attack spread quickly, targeting users who own Facebook pages and users with stored payment methods.

The campaign is distributed via phishing emails as well as directly within Facebook. Targets are sent to lookalike domains that use Unicode characters to imitate real software download domains. When the user launches the downloaded program from its desktop icon, it sends the browser's cookies and login data files, in encrypted form, to the C&C server. The malware establishes persistence and is executed every time the computer restarts.
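
The "Unicode copy" of a real domain described above is an IDN homograph: a hostname whose labels contain characters (Cyrillic, accented Latin) that render like the legitimate ASCII name, and which travels on the wire in punycode (`xn--`) form. The script below, added here as an illustration and not part of the original update, decodes such hostnames and reduces them to an ASCII "skeleton" so they can be compared against an allow-list. The allow-list entries, the confusables table and the sample hostnames are constructed for the example.

```python
"""Classify hostnames as legitimate, lookalike (homograph of a legitimate host) or unknown.

Added example, not the vendor's signature. LEGIT_HOSTS, CONFUSABLES and the
sample names are constructed for illustration; a real deployment would use the
Unicode confusables data and the organisation's own list of trusted domains.
"""
import unicodedata

# Constructed allow-list of trusted download hosts (hypothetical).
LEGIT_HOSTS = {"www.example-updates.com", "download.example.com"}

# Small subset of characters that render like Latin letters (constructed).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
    "\u0443": "y",  # Cyrillic у
    "\u0456": "i",  # Cyrillic і
    "\u0458": "j",  # Cyrillic ј
    "\u0455": "s",  # Cyrillic ѕ
    "\u04bb": "h",  # Cyrillic һ
    "\u0501": "d",  # Cyrillic ԁ
    "\u03bf": "o",  # Greek ο
    "\u0261": "g",  # Latin small script g
    "\u0131": "i",  # dotless i
}


def to_unicode_host(host):
    """Decode punycode labels (xn--...) back to Unicode; other names pass through."""
    if "xn--" not in host.lower():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # malformed punycode or mixed input: leave as-is
        return host


def skeleton(host):
    """Reduce a hostname to the ASCII string it visually imitates:
    decode punycode, lower-case, strip diacritics (NFKD), map confusables."""
    host = to_unicode_host(host).lower()
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.combining(ch):
            continue  # drop accents/dots such as the acute in á
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify(host, legit=LEGIT_HOSTS):
    """'legit' if on the allow-list, 'lookalike' if its skeleton is, else 'unknown'."""
    if host.lower() in legit:
        return "legit"
    if skeleton(host) in legit:
        return "lookalike"
    return "unknown"


# Constructed samples: Cyrillic а (U+0430) in place of Latin a, and the same
# name as it appears on the wire / in DNS logs (punycode).
LOOKALIKE_UNICODE = "www.ex\u0430mple-updates.com"
LOOKALIKE_PUNYCODE = LOOKALIKE_UNICODE.encode("idna").decode("ascii")

if __name__ == "__main__":
    for name in ("download.example.com", LOOKALIKE_PUNYCODE,
                 "download.ex\u00e1mple.com", "cdn.example.net"):
        print(f"{name!r:45} -> {classify(name)}")
```

Checking the punycode form is what matters in practice: proxy and DNS logs, IDS payloads and certificate subject names all carry the `xn--` label, so a detector that only looks at what the browser renders never sees the string it needs to match.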

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Win32/StressPaint

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, BlackCarat
  • System Compromise, Trojan infection, MSIL/TBR
  • System Compromise, Trojan infection, OBC syschk
  • System Compromise, Trojan infection, W32/Pterodo.CL
  • System Compromise, Trojan infection, Win32/Agent.ZKU
  • System Compromise, Trojan infection, Win32/DSPI0.Bootkit
  • System Compromise, Trojan infection, Win32/POWERSTATS

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Cisco Smart Install
  • System Compromise, Backdoor, WEB_SERVER PHP/WSO.WebShell Access
  • System Compromise, Backdoor, MSIL/Opprysr Backdoor
  • System Compromise, Malicious Download, class-wip.txt Download with Python Agent
  • System Compromise, Malware infection, MSIL/NewWave Miner
  • System Compromise, Malware infection, W32/BitvoteMiner
  • System Compromise, Malware RAT, MSIL/G1 Stealer/GravityRAT

Updated Detection Technique – InnaputRAT

InnaputRAT is distributed via phishing campaigns, and targets commercial manufacturing in the US and Europe.

It continues to spread, with the aim of exfiltrating company documents.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Win32/InnaputRAT

Updated Detection Technique - Remote Access Tools

Attacks of this kind start by exploiting a vulnerability and then installing malware, often a Remote Access Tool (RAT), to gain control of the compromised machine.

We've updated the following correlation rules to detect this activity:

  • System Compromise, Malware RAT, Blackshades
  • System Compromise, Malware RAT, Gh0st
  • System Compromise, Malware RAT, Remcos/Remvio

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Cerbu
  • System Compromise, Trojan infection, Nymaim
  • System Compromise, Trojan infection, Skygofree
  • System Compromise, Trojan infection, Trojan.JS.Agent.dwz

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website - Exploit Kit, GrandSoft EK
  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Drupal
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Oracle WebLogic Proxy Version Check (CVE-2018-2628)
  • System Compromise, C&C Communication, Cobalt Group
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Ransomware infection, Satan