Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 5th week of the month

Week of January 29, 2017

AlienVault Labs Threat Intelligence Update

New Detection Technique - KopiLuwak

KopiLuwak is a malicious JavaScript payload created by the Turla group to launch cyberespionage operations. Turla is a Russian APT group that has been known to be leveraging many different families of malware, satellite-based command and control (C&C) servers, and malware for non-Windows operating systems. The KopiLuwak malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim. It also allows the actors to run arbitrary commands via Wscript.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, KopiLuwak

New Detection Technique - Windows SMB Excessive Tree Connect Response - DoS Attempt (CVE-2017-0016)

The US Computer Emergency Readiness Team (US-CERT) has released an advisory about a memory corruption bug in the Windows operating system. The vulnerability lies in the handling of Server Message Block (SMB) traffic, affects Windows 10, 8.1, Server 2012, and Server 2016, and allows a remote, unauthenticated attacker to cause a denial of service on a vulnerable system. Windows fails to properly handle specially crafted SMB server responses that deviate from the SMB2 TREE_CONNECT packet structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, Windows SMB Excessive Tree Connect Response - DoS Attempt

New Detection Technique - NETGEAR WNR2000 Authentication Bypass

The NETGEAR WNR2000 router, which is also affected by a stack buffer overflow vulnerability, lets an administrator perform a number of sensitive functions in the web interface through the CGI script 'apply.cgi'. This script is invoked when changing internet and WLAN settings, restoring factory defaults, rebooting the router, and so on. It was found that the WNR2000 also allows an unauthenticated user to perform the same sensitive admin functions if apply_noauth.cgi is invoked instead.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, NETGEAR WNR2000 Authentication Bypass

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, CryptoShield
  • System Compromise, Ransomware infection, Kaandsona
  • System Compromise, Ransomware infection, Shaffft
  • System Compromise, Ransomware infection, SureRansom

We also added IDS signatures and updated correlation rules to detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Satan

New Detection Techniques

We've added the following correlation rules as a result of recent malicious and exploit activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, SunOS 5.11 ICMP Kernel Weakness DoS
  • Delivery & Attack, Malicious website, NilePhish
  • Environmental Awareness, Covert channel, LabTech Remote Control
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, NETGEAR N150 WNR1000v3 Password Reset Exploit Attempt
  • System Compromise, Trojan infection, Aimbot
  • System Compromise, Trojan infection, CoreImpact
  • System Compromise, Trojan infection, Dorma
  • System Compromise, Trojan infection, GearInformer
  • System Compromise, Trojan infection, Retefe
  • System Compromise, Trojan infection, WebToos

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Exploitation & Installation, Malicious website - Exploit Kit, Unknown

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Mobile trojan infection, IOS_XAGENT

Updated Detection Technique - DustySky

DustySky is malware composed of multiple components: a dropper, a keylogger and a backdoor. It attempts to avoid running in a virtual machine and checks for the presence of anti-virus software. DustySky is known to be used by the Molerats attacker group.

We've added IDS signatures and updated correlation rules to detect DustySky activity:

  • System Compromise, Trojan infection, DustySky

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Panda Banker SSL activity
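To make concrete what a correlation rule of this kind does, the following is a small rule engine added as an illustration; it is not code from AlienVault or from the USM product. It implements three rules named in this update: matching TLS certificate fingerprints against an Abuse.ch-style blocklist (the SHA1 values below are constructed placeholders, not real indicators), flagging unauthenticated use of the WNR2000's apply_noauth.cgi described above, and one assumed interpretation of the "Public IP lookup after download" rule (a download followed by a request to an external-IP service from the same host within five minutes; the service hostnames and the window are assumptions). The event format and the sample events are constructed for this example.

```python
"""Minimal correlation-rule engine over constructed IDS-style events.

Added illustration, not AlienVault/USM code. Rule names follow the
"Category, Subcategory, Name" taxonomy used in the update; the event
fields, indicator values and rule logic are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    src: str                      # internal host that generated the event
    kind: str                     # "tls", "http" or "download"
    data: Dict[str, str] = field(default_factory=dict)


# Constructed placeholder fingerprints. A real deployment would load the
# Abuse.ch SSL blacklist (SHA1 of the server certificate) instead.
MALICIOUS_CERT_SHA1 = {
    "0000000000000000000000000000000000000001": "Gootkit SSL activity",
    "0000000000000000000000000000000000000002": "Known malicious SSL certificate",
}

# Assumed list of external-IP lookup services used by the third rule.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.example"}

Rule = Callable[[Event, List[Event]], Optional[str]]


def rule_malicious_cert(ev: Event, history: List[Event]) -> Optional[str]:
    """Single-event rule: TLS session whose server cert is on the blocklist."""
    if ev.kind != "tls":
        return None
    name = MALICIOUS_CERT_SHA1.get(ev.data.get("cert_sha1", "").lower())
    return f"System Compromise, C&C Communication, {name}" if name else None


def rule_wnr2000_noauth(ev: Event, history: List[Event]) -> Optional[str]:
    """Single-event rule: request for the unauthenticated apply_noauth.cgi."""
    if ev.kind == "http" and ev.data.get("path", "").endswith("/apply_noauth.cgi"):
        return ("Exploitation & Installation, Client Side Exploit - Known Vulnerability, "
                "NETGEAR WNR2000 Authentication Bypass")
    return None


def rule_ip_lookup_after_download(ev: Event, history: List[Event],
                                  window: timedelta = timedelta(minutes=5)) -> Optional[str]:
    """Multi-event rule (assumed logic): external-IP lookup shortly after a download
    from the same host. This is what makes it a correlation rather than a signature."""
    if ev.kind != "http" or ev.data.get("host") not in IP_LOOKUP_HOSTS:
        return None
    for prev in history:
        if (prev.src == ev.src and prev.kind == "download"
                and timedelta(0) <= ev.ts - prev.ts <= window):
            return "Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download"
    return None


RULES: List[Rule] = [rule_malicious_cert, rule_wnr2000_noauth, rule_ip_lookup_after_download]


def correlate(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Replay events in time order; return (timestamp, src, rule name) per match."""
    alerts: List[Tuple[datetime, str, str]] = []
    history: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in RULES:
            name = rule(ev, history)
            if name:
                alerts.append((ev.ts, ev.src, name))
        history.append(ev)
    return alerts


# Constructed sample events (documentation IP ranges, placeholder hashes).
T0 = datetime(2017, 1, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "10.0.0.5", "tls",
          {"dst": "203.0.113.10", "cert_sha1": "0000000000000000000000000000000000000001"}),
    Event(T0 + timedelta(minutes=1), "10.0.0.7", "http",
          {"host": "192.168.1.1", "path": "/apply_noauth.cgi"}),
    Event(T0 + timedelta(minutes=2), "10.0.0.9", "download",
          {"url": "http://198.51.100.20/setup.exe"}),
    Event(T0 + timedelta(minutes=3), "10.0.0.9", "http", {"host": "api.ipify.org", "path": "/"}),
    # Same lookup from a host with no prior download: no alert (avoids false positives).
    Event(T0 + timedelta(minutes=4), "10.0.0.11", "http", {"host": "api.ipify.org", "path": "/"}),
    # TLS session with a certificate not on the list: no alert.
    Event(T0 + timedelta(minutes=5), "10.0.0.5", "tls",
          {"dst": "198.51.100.9", "cert_sha1": "ffffffffffffffffffffffffffffffffffffffff"}),
]

if __name__ == "__main__":
    for ts, src, name in correlate(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {src} {name}")
```

The first two rules fire on a single event and are really signatures with a taxonomy label attached; the third needs the per-host history, which is where a correlation engine earns its keep and also where tuning (the window, the list of lookup services) decides the false-positive rate.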

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've added IDS signatures and updated correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, njRAT
  • System Compromise, Malware RAT, Poison Ivy

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, Microsoft Windows LSASS Remote Memory Corruption
  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, WebServer Attack - CMS, Wordpress
  • Exploitation & Installation, Service Exploit, Netgear R7000 Command Injection Exploit
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Malicious TOR .onion domain
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Trojan infection, Downeks
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Nagram
  • System Compromise, Trojan infection, Parite
  • System Compromise, Trojan infection, Retefe
  • System Compromise, Trojan infection, Unknown trojan