Cybersecurity Insight

Neovera Threat Intelligence Short Report – December 23rd, 2015

23 Dec

New Detection Technique – Joomla RCE

A deserialization vulnerability in Joomla can lead to remote code execution (RCE). Exploitation of the vulnerability had been observed prior to the release of the official patch from the Joomla team. Since the patch release there has been widespread scanning activity looking to exploit the vulnerability.

We added IDS signatures and a correlation rule to detect exploitation activity.

  • Exploitation & Installation, Client Side Exploit – Known Vulnerability, Joomla RCE (JDatabaseDriverMysqli)

New Detection Technique – Darkleech

Darkleech is malware that infects web servers and injects malicious IFrames. The malicious IFrame can contain content from exploit kits like Angler EK and infect victims with ransomware. Darkleech is constantly changing and has started to utilize more complex obfuscation techniques.

We added an IDS signature and correlation rule to detect Darkleech activity.

  • System Compromise, Malware infection, Darkleech

New Detection Technique – Point Of Sale Malware

Point of Sale (POS) Systems are a juicy target for Cybercriminals. Large retailers process thousands of transactions daily using these systems, meaning they often contain large volumes of credit card information. There are several pieces of malware available in the black market that can be used to steal data from the memory of the Point Of Sale devices.

We added a new IDS signature and new correlation rule to detect the following POS malware:

  • System Compromise, Trojan infection, ProPoS

We also added and updated correlation rules to detect the following POS malware:

  • System Compromise, Trojan infection, BlackPOS
  • System Compromise, Trojan infection, Chewbacca
  • System Compromise, Trojan infection, vSkimmer
  • System Compromise, Malware Infection, Alina POS Malware
  • System Compromise, Malware infection, POSCardStealer
  • System Compromise, C&C Communication, JackPOS
  • System Compromise, Malware infection, Alina POS Malware

New Detection Technique – Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Beendoor
  • System Compromise, Trojan infection, CryptRedol
  • System Compromise, Trojan infection, Generic Keylogger
  • System Compromise, Trojan infection, Jaik
  • System Compromise, Trojan infection, MSIL/Spammer
  • System Compromise, Trojan infection, Stimilik

Updated Detection Technique – Remote Access Tools

The typical attack pattern involves first an attack (exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control to the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity.

  • System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique – Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families.

  • System Compromise, Ransomware infection, Teslacrypt
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Ransomware infection, Alphacrypt

Updated Detection Technique – Malware SSL Certificates

We have added new Intrusion Detection System signatures to include the list of certificates identified by to be associated with malware of botnet activities. The new correlation rules use this information to detect C&C communications related to several malware families including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Gootkit SSL activity
  • System Compromise, C&C Communication, Upatre SSL activity
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gozi SSL Activity

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called “Drive-by Downloads.” Undetectable by normal users these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.

  • Exploitation & Installation, Malicious website – Exploit Kit, Angler EK

Updated Detection Technique – FAKBEN

FAKBEN is a ransomware-as-a-service CryptoLocker. The service allows users to send the ransomware to a specific victim to ask for ransom money. The CryptoLocker service exploits the Tor Network to host a Hidden Service. When a victim pays the ransom Team FAKBEN will take a 10% cut, and forward the rest to the cybercriminals wallet. This service enables cybercriminals without technical knowledge to embark on their own ransomware campaign.

We’ve added an IDS signature and updated a correlation rule to detect FAKBEN activity.

  • System Compromise, Ransomware infection, FAKBEN

Updated Detection Technique – Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group’s objectives is gathering geopolitical intelligence.

We have added IDS signatures and update correlation rules to detect Sofacy activity.

  • System Compromise, Targeted Malware, Chopstick – Sofacy

Updated Detection Technique – Sakula

Sakula is targeted malware derived from the Derusbi family of malware. This family of malware is designed to steal information and take control of an infected machine. Sakula is most notable for its use in the 2015 hack of Anthem and is suspected to have Chinese origins.

  • System Compromise, Targeted Malware, Sakula

Updated Detection Technique – Derusbi

Derusbi is a trojan that has typical trojan features (e.g. remote access, file management, credential stealing) and comes in both server and client variants. Other trojans that are derived from Derusbi include Sakula and Kakfum. Derusbi uses a custom network handshake to establish communication between server and client and applies basic encryption to the communication channel.

  • System Compromise, Targeted Malware, Derusbi

Updated Detection Technique – Malicious TOR .onion domain

.onion is a top level domain suffix that is used for hidden services inside the Tor network. Several families of malware are starting to use hidden services as a mechanism to communicate with a CC server and usually use a predefined onion domain. We have updated a correlation rule that groups different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • System Compromise, Malware infection, Nivdort
  • System Compromise, Malware infection, Zbot
  • System Compromise, Trojan infection, Tesla Keylogger
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Generic Python malware
  • System Compromise, Trojan infection, LockScreen
  • System Compromise, Worm infection, DELF
  • System Compromise, Trojan infection, Trojan with Autoit
  • Exploitation & Installation, Client Side Exploit – Known Vulnerability, Malicious Document
  • System Compromise, Trojan infection, Habbo
  • System Compromise, Trojan infection, Qbot
  • System Compromise, Trojan infection, Votwup
  • System Compromise, Trojan infection, Unknown trojan