Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 5th week of April 2017

New Detection Technique - Kazuar

Kazuar is a Trojan written using the .NET Framework and obfuscated using the open source packer ConfuserEx. Kazuar was used in an espionage campaign by the Turla group and it includes a highly functional command set with the ability to remotely load additional plugins to increase the Trojan’s capabilities.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, Kazuar

New Detection Technique - KONNI

KONNI is a recently discovered Remote Administration Tool (RAT) that is believed to have been in use for over 3 years. During this period, KONNI has managed to avoid scrutiny by the security community. The current version of KONNI allows the operator to steal files & keystrokes, perform screenshots, and execute arbitrary code on the infected host.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, KONNI

New Detection Technique - OSX/Snake

Snake is a relatively complex malware framework used for targeted attacks. A new version of Snake has been identified targeting Mac OS X. Compared to other high-profile malware, Snake’s code is significantly more sophisticated, its infrastructure more intricate, and its targets more carefully selected. The Snake framework has been used to steal sensitive information from government and military institutions and large corporations in Europe.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, OSX/Snake

New Detection Technique - Intel AMT

Last week, Intel disclosed an escalation of privilege vulnerability in Intel Active Management Technology (AMT) that can allow an unprivileged attacker to gain control of the manageability features in AMT.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Environmental Awareness, Vulnerable software, Vulnerable Intel AMT Version Detected Outbound

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect a new ransomware family:

  • System Compromise, Ransomware infection, OzazaLocker

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, Sage
  • System Compromise, Ransomware infection, Torrentlocker

New Detection Techniques

We've added the following correlation rules as a result of recent exploit and malicious activity:

  • System Compromise, Malware RAT, SuperCMD
  • System Compromise, Trojan infection, Casper/LEAD

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Astrum EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, ZLoader SSL activity

Updated Detection Technique - Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."

We've added IDS signatures and modified the following correlation rule to detect APT28 activity:

  • System Compromise, Trojan infection, APT28 activity

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CVE-2016-10033 PHPMailer RCE Attempt
  • System Compromise, Malware infection, Emotet
  • System Compromise, Malware infection, Neurevt
  • System Compromise, Targeted Malware, Greenbug Ismdoor
  • System Compromise, Targeted Malware, Snake
  • System Compromise, Trojan infection, Carbanak
  • System Compromise, Trojan infection, ChChes
  • System Compromise, Trojan infection, CobaltStrike
  • System Compromise, Trojan infection, Generic Stealer
  • System Compromise, Trojan infection, Linux.Shishiga
  • System Compromise, Trojan infection, RedLeaves
  • System Compromise, Trojan infection, Trojan with Autoit
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Worm infection, DELF