Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of December 2017

Updated Detection Technique – CoinMiner

CoinMiner is commonly distributed in malvertising campaigns, such as fake web players or games, in which the user is invited to interact with an advertising banner (a kind of phishing lure). After the user clicks, the exploit tries to download a package, which may arrive under several different file extensions, to the machine. Once the payload is installed, it starts the mining routine and connects to a malicious control server to report gathered information and receive commands.

We have updated the following correlation rule to detect this activity:

  • System Compromise, Malware infection, CoinMiner

Updated Detection Technique – SpeedingUpMyPC

SpeedingUpMyPC is a Windows package that promises to speed up the operating system by changing configuration settings and reviewing partition segmentation. The package requires administrator permissions and is able to perform a wide variety of tasks, much as a rootkit does. Attackers have modified this package to use SpeedingUpMyPC's capabilities for malicious purposes. Users should check the hash of the package after downloading it to verify that it is not an altered version.

We have updated the following correlation rule to detect this activity:

  • System Compromise, Malware infection, SpeedingUpMyPC.Rootkit

Updated Detection Technique – Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, URLzone SSL Certificate
  • System Compromise, C&C Communication, Ursnif SSL activity
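As an added example (not code from the original update or its vendor), the detection idea described above: normalize the SHA1 fingerprint of the server certificate seen in each TLS connection event and match it against a blocklist in the comma-separated layout Abuse.ch's SSLBL publishes. The blocklist rows, fingerprints and connection events below are constructed placeholders, and the event field layout (Suricata eve.json-like) is an assumption.

```python
import csv
import json

# Constructed blocklist in the SSLBL CSV layout (listing date, SHA1, reason).
# Fingerprints are placeholders, NOT real indicators.
BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2017-12-20 10:15:02,0123456789ABCDEF0123456789ABCDEF01234567,Ursnif C&C
2017-12-21 08:40:11,FEDCBA9876543210FEDCBA9876543210FEDCBA98,URLzone C&C
"""

# Constructed TLS connection events; the field layout is assumed (Suricata eve.json style).
TLS_EVENTS = [
    {"timestamp": "2017-12-22T09:00:01", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10",
     "tls": {"sni": "update.example.net",
             "fingerprint": "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}},
    {"timestamp": "2017-12-22T09:00:07", "src_ip": "10.0.0.9", "dest_ip": "198.51.100.4",
     "tls": {"sni": "www.example.org",
             "fingerprint": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd"}},
    {"timestamp": "2017-12-22T09:00:09", "src_ip": "10.0.0.7", "dest_ip": "192.0.2.22",
     "tls": {"sni": "", "fingerprint": "FEDCBA9876543210FEDCBA9876543210FEDCBA98"}},
]

def normalize_sha1(fp):
    """Canonical form: 40 lowercase hex chars, colons removed. None if malformed.
    Sensors and feeds disagree on case and separators, so match on this form only."""
    hexstr = fp.replace(":", "").strip().lower()
    if len(hexstr) != 40 or any(c not in "0123456789abcdef" for c in hexstr):
        return None
    return hexstr

def load_blocklist(text):
    """Parse the CSV into {sha1: reason}, skipping comment lines and malformed rows."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    block = {}
    for row in csv.reader(rows):
        key = normalize_sha1(row[1]) if len(row) >= 3 else None
        if key:
            block[key] = row[2]
    return block

def match_events(events, blocklist):
    """Return one alert dict per event whose server certificate fingerprint is listed."""
    alerts = []
    for ev in events:
        key = normalize_sha1(ev.get("tls", {}).get("fingerprint", ""))
        if key and key in blocklist:
            alerts.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                           "dest_ip": ev["dest_ip"], "sni": ev["tls"].get("sni", ""),
                           "sha1": key, "reason": blocklist[key]})
    return alerts

if __name__ == "__main__":
    for alert in match_events(TLS_EVENTS, load_blocklist(BLOCKLIST_CSV)):
        print(json.dumps(alert))
```

Matching on the normalized fingerprint rather than the raw string is what keeps the feed's uppercase entries and a sensor's colon-separated lowercase output from silently missing each other.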

Updated Detection Technique – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:


  • System Compromise, Trojan infection, Crimson
  • System Compromise, Trojan infection, Dreamsmasher
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Tiny
  • System Compromise, Trojan infection, Unk

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, Malware contacting Dynamic Domain
  • System Compromise, Malware RAT, Xtrat
  • System Compromise, Suspicious Behaviour, Suspicious HTTP request