Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of May 2017

New Detection Technique - ROKRAT

ROKRAT is a remote access trojan that spreads via spear phishing and leverages a malicious Hangul Word Processor (HWP) document that contains an embedded Encapsulated PostScript (EPS) object. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download ROKRAT disguised as a .jpg file. ROKRAT uses legitimate websites as command and control (C&C) servers. The malware uses Twitter and the Yandex & Mediafire cloud platforms both for C&C communication and as exfiltration platforms.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, ROKRAT

New Detection Technique - MacSpy

MacSpy is a remote access trojan for the OSX platform currently being sold in underground forums. It acts as spyware on the infected system, capturing screenshots, keystrokes, and clipboard data and sending them to a C&C server. The C&C server can send commands to the RAT to perform additional malicious activity.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, MacSpy

New Detection Technique - Possible $MFT NTFS Device Access in HTTP Response

A vulnerability was reported in Windows NTFS that can cause a target system to crash. A remote user can create HTML containing a specially crafted file reference (to c:\$MFT\) that, when loaded by the target user via Internet Explorer (and possibly other browsers), will cause the target system to crash.
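Added example (not part of this bulletin or the vendor's signatures): a content check a defender can run over HTTP response bodies to flag references to the NTFS $MFT metafile path described above, after undoing the encodings a page author could use to obscure it. The sample response bodies are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample HTTP response bodies (not from the bulletin). The first
# two are benign; the rest embed a c:\$MFT\ style reference in different
# encodings (raw backslashes, file:// URL, percent-encoding, HTML entity).
SAMPLE_RESPONSES = [
    "<html><body><img src='/images/logo.png'></body></html>",
    "<html><body><a href='file:///c:/Users/public/report.pdf'>report</a></body></html>",
    "<html><body><img src='c:\\$MFT\\123'></body></html>",
    "<html><body><img src='file:///c:/$MFT/x'></body></html>",
    "<html><body><link rel='stylesheet' href='C:%5C%24MFT%5C'></body></html>",
    "<html><body><img src='d:\\&#36;mft\\'></body></html>",
]

# Drive letter, separator, the $MFT name, then a non-name character so that
# longer metafile names such as $MFTMirr are not matched (the bulletin names
# only $MFT). The body is normalized to lowercase and forward slashes first.
_MFT_REF = re.compile(r"\b[a-z]:/\$mft(?![a-z0-9])")


def normalize(body: str) -> str:
    """Undo HTML entities, percent-encoding (twice, to catch double
    encoding), mixed case and backslash separators before matching."""
    text = html.unescape(body)
    text = unquote(unquote(text))
    return text.lower().replace("\\", "/")


def find_mft_refs(body: str) -> list:
    """Return every normalized $MFT device-path reference in one response body."""
    return [m.group(0) for m in _MFT_REF.finditer(normalize(body))]


def classify(responses: list) -> list:
    """Label each response body True (suspicious) or False (clean)."""
    return [bool(find_mft_refs(r)) for r in responses]


if __name__ == "__main__":
    for body, flagged in zip(SAMPLE_RESPONSES, classify(SAMPLE_RESPONSES)):
        print("ALERT " if flagged else "ok    ", body[:60])
```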

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Possible $MFT NTFS Device Access in HTTP Response

New Detection Technique - Synology PhotoStation

Multiple vulnerabilities were discovered in PhotoStation, the picture management system enabled in most Synology DiskStation Manager (DSM) software. A command injection vulnerability can allow an attacker to log in as admin and perform remote code execution. A local file inclusion vulnerability also exists that can be exploited to download sensitive configuration files.

We've added IDS signatures and the following correlation rules to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Synology PhotoStation Local File Inclusion Attempt
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Synology PhotoStation RCE

New Detection Technique - KGUARD Digital Video Recorder Authentication ByPass

A deficiency in handling authentication and authorization has been found in KGUARD Digital Video Recorders (104/108/v2 models). Although the ActiveX component uses password-based authentication to protect the login page, all communication with the application server on port 9000 is accepted directly, with insufficient or improper authorization.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Weak Configuration - Unauthenticated Access, KGUARD Digital Video Recorder Authentication ByPass

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, C&C Communication, CoreBot SSL activity
  • System Compromise, Trojan infection, Cyst

Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and updated the following correlation rules to detect the ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Cryptolocker
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Jaff

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, njRAT

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website - Exploit Kit, Terror EK
  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Joomla
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Potential ASUS RT router Information Disclosure
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Suspicious connections to a Dynamic DNS domain
  • System Compromise, Suspicious Behaviour, Request to a DDNS domain with low reputation
  • System Compromise, Trojan infection, Carbanak
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, Corebot
  • System Compromise, Trojan infection, ExtenBro
  • System Compromise, Trojan infection, Generic Keylogger