Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of June 2017

New Detection Technique - Idicaf

Idicaf is a malware family found to be used alongside PlugX malware. It uses interesting techniques with respect to resolution of an initial C2 address, combining PlugX with open source tools to initially load the malware and avoid detection on disk.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Idicaf

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect a new ransomware family:

  • System Compromise, Ransomware infection, ViACrypt

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Executioner
  • System Compromise, Ransomware infection, Locky

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Formbook
  • System Compromise, Trojan infection, Naoinstalad
  • System Compromise, Trojan infection, SprRapty

Updated Detection Technique - Equation Group Leaks

Shadow Brokers has leaked more of the Equation Group's hacking tools stolen from the NSA. The four-year-old exploits attempt to hijack critical Microsoft Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8. The leaked files range from Windows exploits to tools for monitoring SWIFT interbank payments.

We've added IDS signatures and the following correlation rules to detect the exploit activity from these tools:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible MS17-010

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

Updated Detection Technique - OceanLotus

The OS X version of OceanLotus malware pretends to be an Adobe Flash update, and has been used in spear phishing attacks related to Chinese infrastructure.

We've added IDS signatures and updated the following correlation rule to detect OceanLotus activity:

  • System Compromise, Targeted Malware, OceanLotus

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Hidden-Tear SSL activity
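As an added example (not code from the original update or from Abuse.ch), the following Python script shows how a blacklist of certificate fingerprints in the layout of an Abuse.ch SSL blacklist export can be matched against TLS connection records to flag C&C sessions; the CSV columns, the log layout and every fingerprint, address and timestamp are assumed or constructed for illustration.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the assumed layout of an Abuse.ch SSL blacklist export
# (columns: Listingdate, SHA1, Listingreason). Fingerprints are made up.
SSLBL_CSV = """# Listingdate,SHA1,Listingreason
2017-06-20 09:12:41,0123456789abcdef0123456789abcdef01234567,Known malicious SSL certificate
2017-06-22 17:03:05,fedcba9876543210fedcba9876543210fedcba98,Hidden-Tear C&C
"""

# Constructed TLS connection records (tab separated):
# ts, src_ip, dst_ip, dst_port, server_name, server_cert_sha1
TLS_LOG = """1498123456\t10.0.0.5\t198.51.100.7\t443\texample.org\t0123456789ABCDEF0123456789abcdef01234567
1498123470\t10.0.0.9\t203.0.113.4\t443\tupdate.example.net\t1111111111111111111111111111111111111111
1498123501\t10.0.0.5\t192.0.2.80\t8443\t-\tfedcba9876543210fedcba9876543210fedcba98
"""

def load_blacklist(text: str) -> Dict[str, str]:
    """Map each lowercase SHA1 fingerprint to its listing reason; skip '#' comment rows."""
    blacklist: Dict[str, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < 3:
            continue
        sha1 = row[1].strip().lower()
        # Only accept well-formed 40-hex-digit SHA1 values so a malformed line
        # cannot silently become an entry that never matches.
        if len(sha1) == 40 and all(c in "0123456789abcdef" for c in sha1):
            blacklist[sha1] = row[2].strip()
    return blacklist

def find_c2_sessions(log: str, blacklist: Dict[str, str]) -> List[dict]:
    """Return one alert dict per TLS record whose server certificate is blacklisted."""
    hits: List[dict] = []
    for line in log.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        sha1 = fields[5].lower()  # fingerprints are compared case-insensitively
        if sha1 in blacklist:
            hits.append({"ts": fields[0], "src": fields[1], "dst": fields[2],
                         "port": int(fields[3]), "sni": fields[4],
                         "reason": blacklist[sha1]})
    return hits

if __name__ == "__main__":
    for alert in find_c2_sessions(TLS_LOG, load_blacklist(SSLBL_CSV)):
        print(alert)
```

Matching on the certificate fingerprint rather than the SNI or destination IP is what makes the rule survive C2 infrastructure moving between hosts, which is why the second record (unlisted certificate, plausible hostname) is correctly not flagged.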

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft Outlook Remote Code Execution Vulnerability Inbound (CVE-2017-0199)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)
  • System Compromise, Adware infection, InstallCore
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Trojan infection, AgentTesla
  • System Compromise, Trojan infection, Alureon
  • System Compromise, Trojan infection, FlyStudio
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, Win32.Androm