Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of January 2018

New Detection Technique – MuddyWater APT

The group tracked as MuddyWater is behind a series of attacks, active throughout 2017, that primarily target organisations in the Middle East. The attacks continue, and typically involve a PowerShell-based first-stage backdoor called POWERSTATS, for which we recently added new detection signatures.

POWERSTATS has recently evolved to include new payloads. The initial infection is generally dropped by macros in malicious Microsoft Word documents: the macro writes a PowerShell script and a VBS script to disk, and when executed they contact a command-and-control server over HTTP GET requests, giving the attacker backdoor access to the victim's machine. Other recent changes include additional code obfuscation and anti-sandbox and anti-analysis features.

Versions of this attack share several traits: the PowerShell backdoor itself, attributes of the malicious documents, the C&C infrastructure, and the way the documents are delivered.
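One way to turn the macro-drops-script chain described above into a detection, as an added example that is not AlienVault's correlation logic or signature: a Python scan over process-creation telemetry (Sysmon Event ID 1 style fields, an assumption about the log source) that flags Office applications spawning script interpreters and script hosts spawning PowerShell, and annotates each hit with the command-line traits that usually accompany such loaders. The events, paths and PIDs are constructed.

```python
"""
Flag the parent/child process pairs produced when an Office macro drops and
runs a VBS/PowerShell loader. Assumption: events carry Sysmon Event ID 1 style
fields (ParentImage, Image, CommandLine, ProcessId). Sample events below are
constructed, not real MuddyWater telemetry.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
VBS_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits that raise the severity of a hit (case-insensitive).
SUSPICIOUS_ARGS = [
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"(^|\s)-(w|win|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"(^|\s)-(nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass\b", re.I), "policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
     "web download"),
    (re.compile(r"\\(appdata|programdata|temp)\\.*\.(vbs|ps1)\b", re.I),
     "script in user-writable path"),
]


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (is_hit, reasons) for one process-creation event."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons = [f"office app {parent} spawned {child}"]
    elif parent in VBS_HOSTS and child in POWERSHELL:
        reasons = [f"script host {parent} spawned {child}"]
    else:
        return False, []
    cmd = ev.get("CommandLine", "")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmd):
            reasons.append(label)
    return True, reasons


def scan(events):
    """Return [(ProcessId, reasons), ...] for every flagged event, in order."""
    hits = []
    for ev in events:
        hit, reasons = score_event(ev)
        if hit:
            hits.append((ev.get("ProcessId"), reasons))
    return hits


# Constructed sample telemetry (hypothetical host, user, paths and PIDs).
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft\loader.vbs"'},
    {"ProcessId": 4133,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -File C:\ProgramData\stage1.ps1"},
    {"ProcessId": 4200,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 5001,  # benign: an admin script launched from the shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The parent/child pair alone is the signal; the argument traits only rank the hits, so a loader that avoids `-enc` or `-w hidden` is still caught, while a PowerShell launched from Explorer with the same arguments is not.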

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, MuddyWater APT

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Agent.ZGL
  • System Compromise, Trojan infection, Axtrit.BR
  • System Compromise, Trojan infection, Derkziel
  • System Compromise, Trojan infection, Fake Twitch
  • System Compromise, Trojan infection, Kuriyama
  • System Compromise, Trojan infection, Mishkaio
  • System Compromise, Trojan infection, POWERSTATS
  • System Compromise, Trojan infection, SchwSonne

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Environmental Awareness, Suspicious Behaviour, External IP Address Lookup - apinotes .com
  • System Compromise, Malware RAT, Vermin RAT
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Ransomware infection, LockeR Payment

Updated Detection Technique – Evrial

Evrial is a trojan that steals cryptocurrency by replacing payment addresses held in the Windows clipboard. It was first seen in the wild in early 2018 and is sold on underground criminal forums.

Evrial watches the clipboard for strings that match cryptocurrency wallet addresses and online-payment account identifiers and replaces them with values configured by the attacker, so that the address the victim pastes into a payment form belongs to the attacker. The trojan also reports to a PHP-based control panel, to which it uploads the data it steals. It can be configured to alter Bitcoin, Litecoin, Monero, WebMoney, and Qiwi addresses.

Beyond clipboard hijacking, it performs typical information-stealer activities: it steals passwords and cookies stored by browsers, collects documents, and takes screenshots of the active window.

We've updated the ‘Malware Infection – Trojan’ correlation rule to better detect this activity.

We've added IDS signatures and updated the following correlation rule to improve detection of this activity:

  • System Compromise, Trojan infection, Evrial

Updated Detection Technique – GlobeImposter

GlobeImposter is ransomware that imitates the Globe ransomware family. It was discovered in the wild in mid-2017. It has recently been observed in campaigns in which ransom payments are redirected by malicious Tor proxies.

The attack works by altering the payment wallet identifier shown to the victim during the ransom payment process. Ransomware victims often reach the payment page through a Tor proxy rather than the Tor Browser, since not all of them have the browser installed. Tor proxies are ordinary websites that relay traffic to Tor hidden services so the pages can be viewed in a regular browser. A malicious proxy inspects the pages it relays for the Bitcoin wallet addresses typical of ransomware payment pages and replaces them with an address controlled by the proxy operator. When the same page is opened in the Tor Browser, the correct Bitcoin payment address appears. The GlobeImposter payment page now urges victims to use the Tor Browser when paying, so that the payment is not diverted.

So far the attackers have diverted 1.97 BTC, a figure obtained by tracking the known wallet addresses.
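The Evrial section and the Tor-proxy section above describe the same primitive: recognise a payment address in text and swap it for an attacker-controlled one, in the clipboard in one case and in relayed HTML in the other. The following Python is an added example, not AlienVault's code or either campaign's. It approximates the public address formats with regexes (an assumption; they locate candidates and are not full validators), simulates the substitution on a constructed payment page, and shows the two checks a practitioner would want: a legacy Base58Check checksum test, which the attacker's address passes, so checksum validation alone does not help, and a comparison of the addresses rendered through a proxy against those rendered in the Tor Browser, which does catch the swap. The page text and WebMoney/Qiwi identifiers are constructed; the two Bitcoin addresses are well-known public test vectors.

```python
"""
Address recognition, substitution and the checks that catch it.
Added illustration: regexes are approximations of the public address formats
(assumption), sample page text and purse/phone identifiers are constructed.
"""
import hashlib
import re

ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"),
    "litecoin": re.compile(r"\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,62})\b"),
    "monero":   re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "webmoney": re.compile(r"\b[ZREUBGDKX]\d{12}\b"),
    "qiwi":     re.compile(r"(?<!\d)\+7\d{10}\b"),
}


def find_addresses(text):
    """Return [(kind, address), ...] in order of appearance in the text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), kind, m.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(found)]


def substitute_addresses(text, replacements):
    """Simulate what the trojan (clipboard) or the rogue proxy (HTML) does:
    swap every recognised address for the attacker's address of the same kind."""
    for kind, addr in find_addresses(text):
        if kind in replacements:
            text = text.replace(addr, replacements[kind])
    return text


B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr):
    """True if a legacy (Base58Check) Bitcoin/Litecoin address has a valid
    checksum: version(1) + hash160(20) + first 4 bytes of double SHA-256."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's decode to leading zero bytes
    except OverflowError:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def diff_addresses(via_proxy, via_tor):
    """Compare addresses rendered through a Tor proxy with those rendered by
    the Tor Browser. Any difference means something in the path rewrote them."""
    seen, expected = find_addresses(via_proxy), find_addresses(via_tor)
    if len(seen) != len(expected):
        return [("count", len(seen), len(expected))]
    return [(k, s, e) for (k, s), (_, e) in zip(seen, expected) if s != e]


# Constructed payment page; the Bitcoin address is the public genesis-block address.
VICTIM_PAGE = ("<p>Send exactly 0.5 BTC to <b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b> "
               "or WebMoney purse Z123456789012 or Qiwi +79001234567.</p>")
# Hypothetical attacker configuration: a valid Bitcoin address and a purse number.
ATTACKER = {"bitcoin": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "webmoney": "Z987654321098"}

if __name__ == "__main__":
    tampered = substitute_addresses(VICTIM_PAGE, ATTACKER)
    print("via proxy:", find_addresses(tampered))
    print("checksum passes on attacker address:", base58check_valid(ATTACKER["bitcoin"]))
    print("mismatches:", diff_addresses(tampered, VICTIM_PAGE))
```

Because the attacker supplies a syntactically valid address, format and checksum checks on the pasted or rendered value tell the victim nothing; only a comparison against an independently obtained copy (the Tor Browser rendering, or the address the victim copied versus the one actually pasted) reveals the substitution.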

We've added IDS signatures and updated the following correlation rule to improve detection of this activity:

  • System Compromise, Ransomware infection, GlobeImposter

Updated Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, DelfInject
  • System Compromise, Trojan infection, Dreamsmasher
  • System Compromise, Trojan infection, MSIL/IRCBot
  • System Compromise, Trojan infection, Nitol

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Suspicious Behaviour, External IP Address Lookup - apinotes .com
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Malicious Download, LaZagne
  • System Compromise, C&C Communication, CobaltStrike SSL activity
  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Ransomware infection, GandCrab
  • System Compromise, Targeted Malware, Elise