Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of July 2017

New Detection Technique - TDTESS

TDTESS is a backdoor used by CopyKittens. It provides a reverse shell with an option to download and execute files. It routinely polls its command-and-control (C&C) server for new instructions over HTTP using basic authentication, and the commands are delivered in the body of a web page. TDTESS installs itself as a stealth service that does not appear in the Services console or in tools that enumerate services through the Win32 service API or Windows Management Instrumentation (WMI), which is why the network-side detection of its polling traffic is useful alongside host checks.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, TDTESS

New Detection Technique - Tick

The "Tick" group has conducted cyber-espionage attacks against organizations in the Republic of Korea and Japan for several years. It primarily targets companies that hold intellectual property or sensitive information, such as those in the defense and high-tech industries. The group is known for its custom Daserf malware, but it also employs a mix of commodity and custom tools, exploits vulnerabilities, and uses social engineering.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Tick

New Detection Technique - Pelco Sarix/Spectra Cameras RCE

Pelco Sarix/Spectra IP cameras, used for security surveillance in a wide variety of commercial and industrial settings, are vulnerable to authenticated remote code execution. The POST parameter 'enable_leds', handled by the update() function called through the GeneralSetupController.php script, is not properly sanitised before it is passed to the writeLedConfig() function that switches the LED state on or off. Because the vulnerable handler requires authentication, a hit on this rule also means the attacker already holds (or has guessed) a login for the device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Pelco Sarix/Spectra Cameras RCE
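An IDS signature for this parameter is essentially an allow-list check on the value of 'enable_leds'. The following Python example, added here and not taken from the Pelco firmware or from the published rule, shows the shape of that check over constructed HTTP requests: it decodes the POST body (twice, to catch double encoding) and reports any enable_leds value outside the on/off set. The accepted value set, the request samples and the helper names are assumptions for illustration.

```python
"""Allow-list check for the Pelco 'enable_leds' POST parameter.

Added example with constructed requests; the set of values the camera
legitimately accepts is an assumption, not taken from the firmware."""
from urllib.parse import parse_qs, unquote

TARGET_SCRIPT = "GeneralSetupController.php"
# Assumed legitimate values for an on/off switch.
ALLOWED_LED_VALUES = {"0", "1", "on", "off", "true", "false"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return "", "", body
    return parts[0], parts[1], body


def suspicious_led_values(raw_request):
    """Return enable_leds values that fail the allow-list (empty if clean)."""
    method, path, body = parse_request(raw_request)
    if method != "POST" or TARGET_SCRIPT not in path:
        return []
    hits = []
    # parse_qs performs the first URL decoding; unquote catches a second
    # layer, since double encoding is a common way to slip past a signature
    # that only inspects the single-decoded form.
    for value in parse_qs(body, keep_blank_values=True).get("enable_leds", []):
        decoded = unquote(value).strip().lower()
        if decoded not in ALLOWED_LED_VALUES:
            hits.append(decoded)
    return hits


def _request(path, body, method="POST"):
    """Build a constructed HTTP/1.1 request string for the samples below."""
    return (f"{method} {path} HTTP/1.1\r\nHost: camera.local\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples, not captured traffic. The metacharacter value only
# illustrates "anything other than on/off"; it is not a working payload.
SAMPLE_BENIGN = _request("/GeneralSetupController.php", "action=update&enable_leds=on")
SAMPLE_METACHAR = _request("/GeneralSetupController.php", "action=update&enable_leds=on%3B%20x")
SAMPLE_DOUBLE_ENCODED = _request("/GeneralSetupController.php", "action=update&enable_leds=on%253B%2520x")
SAMPLE_OTHER_SCRIPT = _request("/OtherController.php", "enable_leds=on%3B%20x")


if __name__ == "__main__":
    for name, req in [("benign", SAMPLE_BENIGN), ("metachar", SAMPLE_METACHAR),
                      ("double-encoded", SAMPLE_DOUBLE_ENCODED),
                      ("other script", SAMPLE_OTHER_SCRIPT)]:
        print(f"{name:15s} -> {suspicious_led_values(req)}")
```

The same allow-list, applied server-side before the value reaches writeLedConfig(), is also the fix: a boolean switch has no reason to accept anything but the handful of tokens above.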

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware RAT, Revcode
  • System Compromise, Trojan infection, Bancodor
  • System Compromise, Trojan infection, Donoff
  • System Compromise, Trojan infection, JS/Cryxos
  • System Compromise, Trojan infection, MSIL/Marker
  • System Compromise, Trojan infection, W32/Banpol

Updated Detection Technique - Exploit Kits

Exploit kits are the engine behind "drive-by downloads." Invisible to ordinary users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit tries the exploits it carries against the visitor's browser and plugins in order to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the certificates that Abuse.ch's SSL Blacklist identifies as associated with malware or botnet activity. The updated correlation rule uses these matches to detect command and control (C&C) communications for several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate
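The signatures behind this rule match the server certificate presented in the TLS handshake against the fingerprints Abuse.ch publishes. The Python example below, added here and not part of the original update or of the Abuse.ch tooling, shows that lookup: it parses a feed in the SSL Blacklist CSV layout (Listingdate,SHA1,Listingreason), computes the SHA1 fingerprint over the DER-encoded certificate, and raises an alert for any observed flow whose certificate is listed. The feed rows, the byte strings standing in for DER certificates and the flow tuples are constructed for the example.

```python
"""Match TLS server certificates against the abuse.ch SSL Blacklist by SHA1
fingerprint. Added example; the feed rows and the DER byte strings are
constructed, and only the column layout (Listingdate,SHA1,Listingreason) is
taken from the published CSV format."""
import csv
import hashlib
import io


def cert_fingerprint(der_bytes):
    """SSLBL lists the SHA1 over the DER-encoded certificate, so hash the raw bytes."""
    return hashlib.sha1(der_bytes).hexdigest()


def load_sslbl(feed_text):
    """Parse the SSLBL CSV into {sha1_hex: listing_reason}, skipping '#' comment lines."""
    blocklist = {}
    for row in csv.reader(io.StringIO(feed_text)):
        if not row or row[0].startswith("#") or len(row) < 3:
            continue
        sha1 = row[1].strip().lower()
        if len(sha1) == 40:
            blocklist[sha1] = row[2].strip()
    return blocklist


def check_handshakes(flows, blocklist):
    """flows: (src, dst, der_cert) tuples taken from TLS Certificate messages.
    Returns one alert per flow whose server certificate is on the blocklist."""
    alerts = []
    for src, dst, der in flows:
        fp = cert_fingerprint(der)
        if fp in blocklist:
            alerts.append({"src": src, "dst": dst, "sha1": fp, "reason": blocklist[fp]})
    return alerts


# Constructed "certificates": arbitrary bytes standing in for DER. A real
# deployment takes the bytes from the Certificate message on the wire.
MALICIOUS_DER = b"\x30\x82\x01\x00constructed-c2-certificate"
BENIGN_DER = b"\x30\x82\x01\x00constructed-legitimate-certificate"

# Constructed feed in the SSLBL column layout; the hash is derived above so
# the sample stays consistent with the constructed certificate bytes.
SAMPLE_FEED = (
    "# abuse.ch SSLBL (constructed sample)\n"
    "# Listingdate,SHA1,Listingreason\n"
    f"2017-07-24 08:15:00,{cert_fingerprint(MALICIOUS_DER)},Constructed C&C\n"
)

SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.45", MALICIOUS_DER),
    ("10.0.0.22", "198.51.100.8", BENIGN_DER),
]

if __name__ == "__main__":
    for alert in check_handshakes(SAMPLE_FLOWS, load_sslbl(SAMPLE_FEED)):
        print(alert)
```

Fingerprint matching only works while the operators keep reusing the same certificate; once they rotate it the entry goes stale, which is why the feed is refreshed with each update rather than loaded once.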

Updated Detection Technique - CopyKittens activity

Matryoshka is malware built by CopyKittens, an espionage group that has been attacking Israeli targets. It is spread by spear phishing with a document attached; the document carries either a malicious macro that the victim is asked to enable or an embedded executable that the victim is asked to open. The malware uses DNS for command-and-control communication and data exfiltration.

We've added IDS signatures and updated the following correlation rule to detect the recent CopyKittens activity:

  • System Compromise, Trojan infection, Matryoshka
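DNS-based C&C of the kind Matryoshka uses leaves a recognisable shape in resolver logs: many unique, long, high-entropy subdomains under a single parent domain, often carried in TXT queries. The Python example below, added here and not part of the original update, scores a constructed query log on exactly those features. The log layout, the thresholds and the two-label notion of "parent domain" are assumptions for illustration (a real deployment would use a public-suffix list and tune the thresholds to its own baseline).

```python
"""Heuristic for DNS tunnelling / exfiltration in resolver query logs.

Added example on a constructed log. Log layout, thresholds and the
two-label 'parent domain' rule are assumptions for illustration."""
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; 4.0 for evenly distributed hex, lower for host names."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Last two labels. Assumption: no public-suffix handling (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_query_log(text):
    """Constructed layout: '<timestamp> <client> <qname> <qtype>' per line."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        records.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return records


def score_domains(records, min_queries=5, min_sub_len=20, min_entropy=3.5):
    """Group queries by parent domain and flag domains whose subdomains look
    like encoded data rather than host names."""
    by_domain = defaultdict(list)
    for _ts, client, qname, qtype in records:
        parent = parent_domain(qname)
        sub = qname[: -len(parent) - 1] if qname.endswith("." + parent) else ""
        by_domain[parent].append((client, sub, qtype))

    findings = {}
    for parent, items in by_domain.items():
        if len(items) < min_queries:
            continue
        subs = {sub for _c, sub, _q in items if sub}
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_ratio = sum(1 for _c, _s, q in items if q == "TXT") / len(items)
        if avg_len >= min_sub_len and avg_entropy >= min_entropy:
            findings[parent] = {
                "queries": len(items),
                "unique_subdomains": len(subs),
                "avg_subdomain_len": avg_len,
                "avg_entropy": avg_entropy,
                "txt_ratio": txt_ratio,
                "clients": sorted({c for c, _s, _q in items}),
            }
    return findings


# Constructed log: ordinary lookups for example.com (one of them a TXT query,
# to show TXT alone is not the signal) and six hex-encoded chunks sent as
# subdomains of the fictitious stage.example.
SAMPLE_LOG = """
2017-07-25T09:00:01 10.0.0.12 www.example.com A
2017-07-25T09:00:03 10.0.0.12 mail.example.com A
2017-07-25T09:00:07 10.0.0.13 api.example.com A
2017-07-25T09:00:09 10.0.0.13 example.com TXT
2017-07-25T09:00:11 10.0.0.12 cdn.example.com A
2017-07-25T09:00:12 10.0.0.14 www.example.com A
2017-07-25T09:01:00 10.0.0.12 0a1b2c3d4e5f67890a1b2c3d4e5f6789.stage.example TXT
2017-07-25T09:01:05 10.0.0.12 f0e1d2c3b4a5968778695a4b3c2d1e0f.stage.example TXT
2017-07-25T09:01:10 10.0.0.12 1f2e3d4c5b6a79808079a6b5c4d3e2f1.stage.example TXT
2017-07-25T09:01:15 10.0.0.12 a0b1c2d3e4f5968796875f4e3d2c1b0a.stage.example TXT
2017-07-25T09:01:20 10.0.0.12 9876543210fedcbaabcdef0123456789.stage.example TXT
2017-07-25T09:01:25 10.0.0.12 fedcba98765432100123456789abcdef.stage.example TXT
"""

if __name__ == "__main__":
    for domain, stats in score_domains(parse_query_log(SAMPLE_LOG)).items():
        print(domain, stats)
```

The entropy threshold is the part most worth tuning: content-delivery and anti-spam services also emit long machine-generated labels, so a production rule would pair this score with an allow-list of known services or with the volume of data sent per client.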

Updated Detection Technique - Cobalt Strike

Cobalt Strike describes itself as "threat emulation software for red teams and penetration testers." It ships with a post-exploitation agent, Beacon, intended to simulate APT actors; the agent can communicate over covert channels and, through its Malleable C2 profiles, emulate the C2 traffic of various malware families. The same features make it attractive to real intruders, which is why its traffic is classified here as a compromise rather than assumed to be an authorised engagement.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike
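Both TDTESS (which polls its C&C server for instructions over HTTP with basic authentication, as described above) and Cobalt Strike's Beacon (which checks in on a sleep timer) produce regularly spaced outbound requests from one host to one server. The Python example below, added here and not derived from either tool's code or from the published signatures, finds that regularity in a constructed proxy log: it measures the coefficient of variation of the inter-request gaps per (source, destination) pair and notes whether basic authentication was seen. The log layout, the thresholds and the traffic itself are assumptions; a long jitter setting or a Malleable C2 profile can defeat a pure timing test, so this is one signal to correlate with the signatures, not a replacement for them.

```python
"""Beaconing detector over a constructed proxy log.

Added example; log layout, thresholds and the traffic itself are constructed.
Flags (src, dst) pairs whose request gaps are unusually regular, which is the
shape both a TDTESS poll loop and a Cobalt Strike Beacon check-in produce."""
import statistics
from collections import defaultdict
from datetime import datetime


def parse_proxy_log(text):
    """Constructed layout: '<iso-timestamp> <src> <dst> <method> <url> <status> <auth>'.
    The auth column is 'basic' when an Authorization: Basic header was seen, else '-'."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, method, url, status, auth = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "method": method, "url": url, "status": int(status), "auth": auth})
    return rows


def find_beacons(rows, min_hits=6, max_cv=0.2):
    """Return {(src, dst): stats} for pairs with at least min_hits requests whose
    inter-request gaps have a coefficient of variation (stdev/mean) <= max_cv."""
    by_pair = defaultdict(list)
    for row in rows:
        by_pair[(row["src"], row["dst"])].append(row)

    findings = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings[pair] = {
                "hits": len(hits),
                "mean_interval_s": mean_gap,
                "cv": cv,
                "basic_auth": any(r["auth"] == "basic" for r in hits),
                "urls": sorted({r["url"] for r in hits}),
            }
    return findings


# Constructed log: one host polling 203.0.113.10 about once a minute with
# basic auth (the suspicious pair), interleaved with irregular browsing to
# 198.51.100.7. URLs and addresses are placeholders, not indicators.
SAMPLE_LOG = """
2017-07-25T09:00:00 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:00:10 10.0.0.12 198.51.100.7 GET / 200 -
2017-07-25T09:00:15 10.0.0.12 198.51.100.7 GET /news 200 -
2017-07-25T09:01:02 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:02:01 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:03:00 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:04:01 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:05:00 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:05:15 10.0.0.12 198.51.100.7 GET /news/1 200 -
2017-07-25T09:05:27 10.0.0.12 198.51.100.7 GET /news/2 200 -
2017-07-25T09:06:00 10.0.0.12 203.0.113.10 GET /index.php 200 basic
2017-07-25T09:20:27 10.0.0.12 198.51.100.7 GET /about 200 -
2017-07-25T09:21:07 10.0.0.12 198.51.100.7 GET /contact 200 -
2017-07-25T09:21:14 10.0.0.12 198.51.100.7 GET /news/3 200 -
"""

if __name__ == "__main__":
    for pair, stats in find_beacons(parse_proxy_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

Software updaters and monitoring agents beacon too, so the practical rule is to whitelist known destinations first and then weight the remaining regular pairs by what else is unusual about them: basic authentication to a bare IP, a single URL fetched hundreds of times, or a destination no other host in the network talks to.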

Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and updated the following correlation rules to detect these ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, NoobCrypt
  • System Compromise, Ransomware infection, Shifr

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Vulnerable software, Java
  • System Compromise, Malware infection, Emotet
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Genome
  • System Compromise, Trojan infection, Imminent Monitor
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Zyklon