Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 4th week of September 2016

New Detection Technique - Unlock92

Unlock92 is a new ransomware variant that is currently targeting Russian-speaking users and appears to be under active development. The first known variants of Unlock92 used weak encryption methods, while newer variants are proving more difficult to defeat.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Unlock92

In addition to that, we've updated the detection techniques for the following Ransomware Families:

  • System Compromise, Ransomware infection, MarsJoke
  • System Compromise, Ransomware infection, Shade
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - Komplex

Komplex is a new Mac OS Trojan that has been used against Western military and political targets in the aerospace industry. It has been alleged that it was created by the same APT group behind the DNC hacks. The Trojan is spread via phishing emails carrying malicious PDF attachments. Once executed, the malware is capable of downloading additional payloads, executing files, deleting files, and performing various system manipulations.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Komplex

New Detection Technique - CONFUCIUS_B

CONFUCIUS_B is a new Trojan family. Most malware communicates with its C&C server through hard-coded IP addresses or domains, or through domain generation algorithms (DGAs). Instead, CONFUCIUS_B connects to well-known sites such as Yahoo and Quora and then looks for specific strings on the retrieved pages.

We've added IDS signatures and created the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CONFUCIUS_B

New Detection Technique - Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Backdoor, Anuna PHP Backdoor
  • System Compromise, Trojan infection, ShopBot
  • System Compromise, Trojan infection, Caretni
  • System Compromise, Trojan infection, Bazidow

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Magnitude EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gozi SSL Activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
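The certificate-fingerprint matching these rules rely on, as an added example that is not part of the original update or of any vendor code: it parses an Abuse.ch SSLBL-style CSV (the three-column layout and the `#` comment lines are an assumption about the feed format) and flags constructed TLS connection records whose server certificate SHA1 appears in the list.

```python
# Added example (not from the original update): match TLS server certificate
# fingerprints from connection logs against an Abuse.ch SSL Blacklist style feed.
# Feed lines and log records below are constructed sample data; the CSV layout
# (listing date, SHA1, listing reason, '#' comments) is assumed, not verified.
import csv
import io

SAMPLE_SSLBL_CSV = """\
# abuse.ch SSL Blacklist (constructed sample, not the real feed)
# Listingdate,SHA1,Listingreason
2016-09-20 09:15:02,0123456789abcdef0123456789abcdef01234567,Gozi C&C
2016-09-21 17:40:11,89abcdef0123456789abcdef0123456789abcdef,PandaBanker C&C
"""

# Constructed TLS connection records: (timestamp, src ip, dst ip:port, leaf cert SHA1)
SAMPLE_TLS_LOG = [
    ("2016-09-22T10:01:03Z", "10.0.0.15", "203.0.113.7:443",
     "0123456789ABCDEF0123456789ABCDEF01234567"),
    ("2016-09-22T10:02:10Z", "10.0.0.21", "198.51.100.9:443",
     "ffffffffffffffffffffffffffffffffffffffff"),
    ("2016-09-22T10:05:44Z", "10.0.0.15", "192.0.2.33:8443",
     "89abcdef0123456789abcdef0123456789abcdef"),
]

HEX = set("0123456789abcdef")

def load_sslbl(text):
    """Parse SSLBL-style CSV into {sha1 (lowercase): listing reason}, skipping comments."""
    blacklist = {}
    lines = (l for l in io.StringIO(text) if l.strip() and not l.startswith("#"))
    for row in csv.reader(lines):
        if len(row) < 3:
            continue  # malformed line; ignore rather than fail the whole load
        sha1, reason = row[1].strip().lower(), row[2].strip()
        if len(sha1) == 40 and set(sha1) <= HEX:
            blacklist[sha1] = reason
    return blacklist

def match_tls_log(records, blacklist):
    """Return (timestamp, src, dst, reason) for every connection to a listed cert."""
    hits = []
    for ts, src, dst, sha1 in records:
        reason = blacklist.get(sha1.lower())  # normalise case before lookup
        if reason:
            hits.append((ts, src, dst, reason))
    return hits

if __name__ == "__main__":
    for ts, src, dst, reason in match_tls_log(SAMPLE_TLS_LOG, load_sslbl(SAMPLE_SSLBL_CSV)):
        print("System Compromise, C&C Communication: %s -> %s (%s) at %s" % (src, dst, reason, ts))
```

In a real deployment the blacklist would be refreshed from the Abuse.ch feed and the records would come from a TLS-aware sensor log rather than an inline list.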

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Poison Ivy

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Trojan infection, Sharik
  • System Compromise, Trojan infection, ARIK Keylogger
  • System Compromise, Trojan infection, Dreambot
  • System Compromise, Trojan infection, Gozi
  • System Compromise, Trojan infection, Panda Banker
  • System Compromise, Trojan infection, Pony
  • System Compromise, Trojan infection, Steam password stealer