Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of February 2018

New Detection Technique – Memcrashed

Cybercriminals have been abusing exposed Memcached servers in a campaign dubbed Memcrashed. The goal is to launch DDoS attacks amplified over 51,000 times relative to the attacker's original traffic, enough to knock major websites and Internet infrastructure offline. The Memcrashed amplification attack works by sending a small forged request to an exposed Memcached server listening on UDP port 11211 with the source address spoofed to the victim's IP, so that the server's much larger response is delivered to the victim instead of the attacker.

The easiest way to prevent a Memcached server from being used as a reflector is to block UDP on port 11211. Internet service providers (ISPs) can also help mitigate this and other amplification attacks by hardening vulnerable protocols and by filtering spoofed source addresses so that IP spoofing is not possible from their networks.
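The two correlation rules listed for Memcrashed watch the two sides of a reflection: external UDP queries arriving at a Memcached host on 11211 (the host is reachable as a reflector) and oversized UDP responses leaving 11211 towards an external address (the host is already amplifying). The following Python is an added illustration of that logic over flow records; it is not code from the bulletin or from any vendor product. The flow-record tuple layout, the internal network range 198.51.100.0/24, the sample flows and the 50x amplification threshold are all constructed assumptions.

```python
"""Flag Memcached UDP amplification activity in flow records.

Added illustration, not code from the bulletin. The flow-record layout,
the internal network range and the sample records are constructed; the
min_ratio threshold is an assumption to tune per network.
"""
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed range

# Constructed flow records: (src, sport, dst, dport, proto, bytes).
SAMPLE_FLOWS = [
    # Two tiny UDP queries hitting our memcached host. Because the source
    # address is spoofed, 203.0.113.10 is the victim, not the attacker.
    ("203.0.113.10", 40000, "198.51.100.5", 11211, "UDP", 60),
    ("203.0.113.10", 40000, "198.51.100.5", 11211, "UDP", 60),
    # The memcached host answering the "victim" with very large responses.
    ("198.51.100.5", 11211, "203.0.113.10", 40000, "UDP", 750000),
    ("198.51.100.5", 11211, "203.0.113.10", 40000, "UDP", 810000),
    # Legitimate internal TCP use of the same service: not flagged.
    ("198.51.100.20", 51000, "198.51.100.5", 11211, "TCP", 1200),
    ("198.51.100.5", 11211, "198.51.100.20", 51000, "TCP", 3400),
    # Unrelated UDP traffic (DNS): not flagged.
    ("198.51.100.20", 53000, "192.0.2.53", 53, "UDP", 70),
]


def detect_memcached_amplification(flows, internal_net=INTERNAL_NET, min_ratio=50):
    """Return alerts named after the two correlation rules in the bulletin.

    Inbound rule: any UDP query to 11211 on an internal host from outside,
    i.e. a memcached instance reachable over UDP from the Internet.
    Outbound rule: UDP responses from 11211 to an external address whose
    volume exceeds the matching query volume by at least min_ratio.
    """
    query_bytes = defaultdict(int)     # (external peer, internal server) -> bytes
    response_bytes = defaultdict(int)  # same key, response direction
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "UDP":
            continue
        src_in = ipaddress.ip_address(src) in internal_net
        dst_in = ipaddress.ip_address(dst) in internal_net
        if dport == MEMCACHED_PORT and dst_in and not src_in:
            query_bytes[(src, dst)] += nbytes
        elif sport == MEMCACHED_PORT and src_in and not dst_in:
            response_bytes[(dst, src)] += nbytes

    alerts = []
    for (peer, server), qbytes in sorted(query_bytes.items()):
        alerts.append({"rule": "Memcached DDoS Amplification",
                       "server": server, "peer": peer, "query_bytes": qbytes})
    for (peer, server), rbytes in sorted(response_bytes.items()):
        qbytes = query_bytes.get((peer, server), 0)
        # Responses with no observed query at all are the most suspicious
        # case (the query may have entered via another path): treat as infinite.
        ratio = rbytes / qbytes if qbytes else float("inf")
        if ratio >= min_ratio:
            alerts.append({"rule": "Memcached DDoS Amplification Outbound",
                           "server": server, "victim": peer,
                           "response_bytes": rbytes, "ratio": ratio})
    return alerts


if __name__ == "__main__":
    for alert in detect_memcached_amplification(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the inbound rule fires because an external address reached the service over UDP at all, and the outbound rule fires with a ratio of 13,000 (1,560,000 response bytes against 120 query bytes). The "peer" in the inbound alert is the spoofed address, so it identifies the victim to notify, not an attacker to block.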

We've added IDS signatures and the following correlation rules to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, Memcached DDoS Amplification
  • Delivery & Attack, Denial of Service - Known vulnerability, Memcached DDoS Amplification Outbound

New Detection Technique – Chafer

Chafer is a trojan first exposed by Symantec in early 2015 that has since resurfaced in new campaigns targeting the Middle East. Its activity focuses on information gathering and the creation of backdoors, and it targets important services in the region such as airlines, telecom companies and engineering firms. Countries affected by these campaigns include Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.

The infection vector is an Excel document distributed by email. When opened, it downloads a malicious VBS file, which in turn runs a PowerShell script. Some hours later, a dropper appears on the compromised computer and installs three files: an information stealer, a screen-capture utility, and an empty executable.
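The infection chain just described (Office document, then a VBS file run by the Windows script host, then PowerShell) shows up on the endpoint as a parent-child process lineage. The Python below is an added example of flagging that lineage over process-creation events; it is not code from the bulletin or from Symantec. The simplified event tuple (pid, ppid, image, command line), the sample events and the sets of Office applications and script hosts are constructed assumptions, and the check is written generally for any Office application rather than Excel only.

```python
"""Flag an Office -> script host -> PowerShell process lineage.

Added illustration, not code from the bulletin. The event layout mirrors a
simplified process-creation record; all sample events are constructed.
"""
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}   # assumption
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                # assumption
TARGET = "powershell.exe"

# Constructed events: (pid, ppid, image basename, command line).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "EXCEL.EXE", "EXCEL.EXE invoice.xlsx"),
    (300, 200, "wscript.exe",
     "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.vbs"),
    (400, 300, "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -File "
     "C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"),
    # Benign: Excel that spawns nothing, and PowerShell started from explorer.
    (500, 100, "EXCEL.EXE", "EXCEL.EXE report.xlsx"),
    (600, 100, "powershell.exe", "powershell.exe Get-Process"),
]


def ancestry(by_pid, pid, max_depth=8):
    """Return the event for pid followed by its ancestors, child first."""
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        event = by_pid[pid]
        chain.append(event)
        pid = event[1]
    return chain


def find_office_script_powershell(events):
    """Return one hit per PowerShell process whose ancestors include a
    script host with an Office application somewhere above it."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _ppid, image, _cmd in events:
        if image.lower() != TARGET:
            continue
        chain = ancestry(by_pid, pid)
        images = [e[2].lower() for e in chain]
        host_idx = next((i for i, im in enumerate(images) if im in SCRIPT_HOSTS), None)
        if host_idx is None:
            continue
        office_idx = next((i for i in range(host_idx + 1, len(images))
                           if images[i] in OFFICE_APPS), None)
        if office_idx is None:
            continue
        # Report the lineage from the Office process down to PowerShell.
        lineage = list(reversed(chain[:office_idx + 1]))
        hits.append({"pids": [e[0] for e in lineage],
                     "images": [e[2].lower() for e in lineage],
                     "command_line": chain[0][3]})
    return hits


if __name__ == "__main__":
    for hit in find_office_script_powershell(SAMPLE_EVENTS):
        print(" -> ".join(hit["images"]), hit["pids"])
```

Walking ancestors rather than only the direct parent matters here because the PowerShell process is two levels below Excel; a rule that only compares parent and child would see wscript.exe as the parent and miss the Office origin.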

Tools added to Chafer's arsenal include Remcom, the Non-Sucking Service Manager (NSSM), SMB hacking tools, and a custom screenshot/clipboard capture tool, among others.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Chafer

New Detection Technique – Cannibal RAT

Cannibal RAT is a new remote administration tool, written entirely in Python, that the Talos group exposed in February 2018. Samples of two versions of this malware (3.0 and 4.0) were detected; both share most of the same packages and behaviors, but version 4.0 adds obfuscation techniques to evade detection. Recent campaigns target Brazil, specifically INESAP (Instituto Nacional Escola Superior da Administração Pública).

The malware is distributed in py2exe format, with python27.dll and the Python bytecode attached as a PE resource. The C&C infrastructure uses the Fast Flux DNS technique, so its hostnames change their resolved IP addresses quickly. The C&C is linked to four hostnames, which always resolve to IP addresses hosted within the same ASN.

Version 4.0 of the RAT was hosted at inesapconcurso[.]webredirect[.]org and filebin[.]net. After installation, the malware creates a PDF file with embedded HTML code that mimics an official INESAP document, then launches Chrome to open it.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, Cannibal RAT

New Detection Technique – Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Lazarus CVE-2018-4878 Retrieving Payload SSL Certificate
  • System Compromise, C&C Communication, SteamStealer SSL Certificate
  • System Compromise, C&C Communication, Unk Downloader SSL Certificate
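The certificate-based rules above work by comparing the SHA1 fingerprint of the server certificate seen in a TLS handshake against a list of fingerprints known to belong to malware or botnet infrastructure. The Python below is an added example of that lookup; it is not code from the bulletin, from Abuse.ch or from any vendor product. The blocklist text is a constructed sample written in the comma-separated layout of listing date, SHA1 and listing reason (an assumption about the feed's shape, with made-up fingerprints), and the TLS session records are constructed as well. The matcher normalizes fingerprints so that colon-separated or upper-case values from different sensors still match.

```python
"""Match observed TLS server-certificate fingerprints against a blocklist.

Added illustration, not code from the bulletin. The blocklist below is a
constructed sample (made-up fingerprints) in a date,SHA1,reason CSV layout;
the TLS session records are constructed too.
"""
import csv
import io

BLOCKLIST_CSV = """# constructed sample, not real feed data
# Listingdate,SHA1,Listingreason
2018-02-20 10:00:00,deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,Gozi C&C
2018-02-22 08:30:00,cafebabecafebabecafebabecafebabecafebabe,SteamStealer C&C
"""

# Constructed TLS session records: (ts, src, dst, dport, server_name, cert_sha1).
SAMPLE_SESSIONS = [
    ("2018-02-26T09:01:12", "10.0.0.5", "192.0.2.10", 443, "example.com",
     "11aa22bb11aa22bb11aa22bb11aa22bb11aa22bb"),
    ("2018-02-26T09:02:45", "10.0.0.7", "192.0.2.77", 443, "",
     "CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE:CA:FE:BA:BE"),
    ("2018-02-26T09:03:01", "10.0.0.5", "192.0.2.99", 8443, "update.invalid",
     "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"),
]


def normalize_sha1(fingerprint):
    """Lower-case, strip colons, and require exactly 40 hex characters."""
    fp = fingerprint.replace(":", "").strip().lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA1 fingerprint: %r" % fingerprint)
    return fp


def load_blocklist(text):
    """Parse the CSV feed into {sha1: (listing_date, reason)}, skipping comments."""
    rows = (line for line in io.StringIO(text)
            if line.strip() and not line.startswith("#"))
    entries = {}
    for listing_date, sha1, reason in csv.reader(rows):
        entries[normalize_sha1(sha1)] = (listing_date, reason)
    return entries


def match_sessions(sessions, blocklist):
    """Return one alert per session whose server certificate is listed."""
    alerts = []
    for ts, src, dst, dport, server_name, cert_sha1 in sessions:
        try:
            fp = normalize_sha1(cert_sha1)
        except ValueError:
            continue  # malformed sensor data: skip rather than crash the pipeline
        if fp in blocklist:
            listing_date, reason = blocklist[fp]
            alerts.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                           "server_name": server_name, "sha1": fp,
                           "reason": reason, "listed": listing_date})
    return alerts


if __name__ == "__main__":
    for alert in match_sessions(SAMPLE_SESSIONS, load_blocklist(BLOCKLIST_CSV)):
        print(alert["src"], "->", alert["dst"], alert["reason"])
```

Matching on the certificate fingerprint is independent of the SNI and of the destination IP, which is why the second sample session is caught even though it carries no server name and the third is caught on a non-standard port.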

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Icefog
  • System Compromise, Trojan infection, Know Malicious Redirector
  • System Compromise, Trojan infection, Sality.AE
  • System Compromise, Trojan infection, SteamStealer
  • System Compromise, Trojan infection, W32/Kutaki

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader docID RCE CVE-2018-4901
  • System Compromise, Backdoor, Flawed Grace
  • System Compromise, Botnet infection, Win32/Onliner Spam Bot
  • System Compromise, Malware RAT, QRat.Java.RAT
  • System Compromise, Mobile trojan infection, AndroidOS.Egat.d

Updated Detection Technique – Asacub

The trojan Asacub, discovered in 2015, is considered an evolution of the CoreBot trojan. Distributed for Android devices, it was first classified as spyware, although it was later found to share connectivity with C&C servers used by Windows banker trojans.

The malware's banking functionality is based on displaying a bank phishing window, enabling call forwarding, and running specified Unstructured Supplementary Service Data (USSD) requests. In the last several years, it has mutated at least three times, adding capabilities such as GPS tracking and taking snapshots.

Recent campaigns started in December 2017 with a high traffic rate, infecting thousands of devices in Russia; the SMS spam campaigns infected more than 6,500 unique users in that country.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Mobile trojan infection, Asacub.a Banker

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, KovCoreG
  • System Compromise, Trojan infection, Linux.Mirai
  • System Compromise, Trojan infection, LokiBot
  • System Compromise, Trojan infection, Nitol
  • System Compromise, Trojan infection, Oilrig
  • System Compromise, Trojan infection, SmokeLoader
  • System Compromise, Trojan infection, SmsThief.jz

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, KovCoreG SSL Certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Worm infection, DELF