Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 5th week of July 2017

New Detection Technique - ISMAgent

ISMAgent is a variant of the ISMDoor Trojan that is related to the threat actors behind the OilRig Campaign, with a possible link to the threat group GreenBug. 

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, ISMAgent

New Detection Technique - Foudre

Foudre is very similar to the original Infy Trojan used for a number of years in numerous targeted attacks. It includes a keylogger, and captures clipboard contents on a ten-second cycle. It collates system information including the process list, installed antivirus, cookies, and other browser data.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Foudre

New Detection Technique - FruitFly2

FruitFly2 is the second known variant of FruitFly. This malware has been in circulation for roughly 5 to 10 years and had successfully avoided detection while infecting several hundred users. 

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan, OSX/FruitFly2

New Detection Technique - SMBLoris NBSS Length Mem Exhaustion Attempt

SMBLoris is a remote denial of service attack against Microsoft Windows caused by a vulnerability in the SMB network protocol. This vulnerability affects not only all three SMB versions (SMBv1 through SMBv3) but also Samba on Linux systems. The vulnerability allows an unauthenticated attacker to open a connection to a remote computer via the SMB protocol and instruct that computer to allocate RAM to handle the connection, which can result in memory exhaustion.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, SMBLoris NBSS Length Mem Exhaustion Attempt
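As an added defensive illustration of what the rule name above refers to (example code written for this update, not the IDS signature or correlation rule itself): every SMB message is framed by a 4-byte NetBIOS Session Service (NBSS) header whose length field tells the server how much data to expect, and a connection that declares a very large length and then sends nothing leaves the server holding a buffer it allocated in advance. The parser below reads that header, flags Session Message frames whose declared body never arrives, and counts such frames per source address. The thresholds, the sample sessions and the IP addresses are constructed for this example and are assumptions to tune for your own environment.

```python
"""Added example (not from the bulletin): flag NBSS session frames whose
declared length is large but never backed by data, and count them per
source address, as a simple SMBLoris-style memory-exhaustion detector."""
from __future__ import annotations

import struct
from collections import Counter
from typing import Iterable

# NBSS framing (RFC 1002; the same 4-byte framing is used for direct-hosted
# SMB on TCP 445): byte 0 = message type, bytes 1..3 = length
# (17 bits on port 139, 24 bits on port 445; reading 24 bits covers both).
NBSS_HEADER_LEN = 4
NBSS_SESSION_MESSAGE = 0x00

# Constructed thresholds for this example; tune to your environment.
LARGE_LENGTH_THRESHOLD = 64 * 1024   # declared lengths at/above this are unusual
PER_SOURCE_THRESHOLD = 20            # unfulfilled large frames per source before alerting


def parse_nbss_header(header: bytes) -> tuple[int, int]:
    """Return (message_type, declared_length) from the first 4 bytes of a frame."""
    if len(header) < NBSS_HEADER_LEN:
        raise ValueError("NBSS header must be 4 bytes")
    msg_type, high, low16 = struct.unpack("!BBH", header[:NBSS_HEADER_LEN])
    return msg_type, (high << 16) | low16


def is_unfulfilled_large_frame(header: bytes, payload_received: int) -> bool:
    """True when a Session Message promises a large body that never arrived.

    A legitimate client follows the header with the bytes it declared; a
    connection that declares a near-maximum length and then goes quiet
    leaves the server holding a large pre-allocated buffer.
    """
    msg_type, declared = parse_nbss_header(header)
    if msg_type != NBSS_SESSION_MESSAGE:   # session requests, keep-alives etc. carry no SMB body
        return False
    return declared >= LARGE_LENGTH_THRESHOLD and payload_received < declared


def detect_smbloris(sessions: Iterable[tuple[str, int, bytes, int]],
                    per_source_threshold: int = PER_SOURCE_THRESHOLD) -> dict[str, int]:
    """Count unfulfilled large frames per source IP and return the offenders.

    Each session tuple is (src_ip, src_port, first_4_bytes, payload_bytes_received).
    """
    counts = Counter()
    for src_ip, _src_port, header, received in sessions:
        if is_unfulfilled_large_frame(header, received):
            counts[src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= per_source_threshold}


# Constructed sample: one normal small frame, one large but fully delivered
# frame, and a burst of half-open large frames from a single source.
SAMPLE_SESSIONS = [
    ("10.0.0.5", 50123, b"\x00\x00\x00\x45", 0x45),        # small frame, fully delivered
    ("10.0.0.7", 50200, b"\x00\x01\x00\x00", 0x10000),     # large frame, fully delivered
] + [
    ("198.51.100.9", 40000 + i, b"\x00\x01\xff\xff", 0)    # large declared, nothing sent
    for i in range(25)
]

if __name__ == "__main__":
    print(detect_smbloris(SAMPLE_SESSIONS))  # {'198.51.100.9': 25}
```

The two conditions together matter: a large declared length alone is normal for file transfers, and a per-source count alone would also fire on a busy legitimate client, so the detector only counts frames whose promised body was never delivered, which is the memory-holding behaviour the correlation rule is named after.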

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, GlobeImposter

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Murlox
  • System Compromise, Trojan infection, Monero Miner
  • System Compromise, Trojan infection, FriendlyBot
  • System Compromise, Trojan infection, MSIL/TbhBot
  • System Compromise, Trojan infection, Decocohost

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Orcus RAT SSL activity

Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine. We've added IDS signatures and updated the following correlation rules to detect new RAT activity:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Unknown RAT

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Suspicious Behavior, Suspicious user-agent detected
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Ovidiy
  • System Compromise, Trojan infection, Unknown trojan