Cybersecurity Insight

Neovera Threat Intelligence Short Report – November 18th, 2015

19 Nov

Emerging Threat – KilerRAT

KilerRAT is a remote access trojan (RAT) that can be classified as a variant of the well-known njRAT: the two share many features, including their display style, several capabilities and a general template for their communication methods. However, where njRAT left off, KilerRAT has taken over. KilerRAT is a very feature-rich RAT with an active development team, and it is rapidly gaining popularity in the Middle Eastern community and around the world.

This RAT's capabilities range from manipulating the registry to opening a reverse shell, and from stealing credentials stored in browsers to accessing the victim's webcam. Through the Command & Control (CnC) server software, the attacker can build and configure the malware to spread via physical devices such as USB drives, and can also use the victim as a pivot point to move laterally and gain further access throughout the network.

We’ve added an IDS signature and a correlation rule to detect KilerRAT activity.

  • System Compromise, Trojan infection, KilerRAT

Emerging Threat – Serialized Java Object Calling Common Collection Function

A deserialization vulnerability in the Apache Commons Collections Java library (commons-collections) can allow attackers to execute arbitrary code when an application deserializes untrusted Java objects with the library on its classpath. The vulnerability can be used to exploit a wide range of products, including WebSphere, JBoss, Jenkins, WebLogic and OpenNMS.

We added an IDS signature and correlation rule to detect exploitation attempts.

  • Exploitation & Installation, Client Side Exploit – Known Vulnerability, Serialized Java Object Calling Common Collection Function
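As an added illustration of what this kind of detection looks for (example code written for this page, not Neovera's signature or correlation rule), the following Python scans a captured request body for a Java serialization stream, whether raw or base64-encoded, and reports any Commons Collections class names that the known deserialization chains rely on. The sample payloads, the `_fake_stream` helper and the `/api/submit` path are constructed for the example.

```python
"""Detect Java serialization streams carrying Commons Collections gadget
class names in captured request bodies.  Added example, not part of the
Neovera report; the IDS signature mentioned there is not reproduced here."""
import base64
import re

# Java object serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those four bytes always starts with these characters
JAVA_SERIAL_B64_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]+")

# Commons Collections classes that appear in the class descriptors of the
# published deserialization chains (commons-collections 3.x and 4.x packages).
GADGET_CLASSES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.functors.ConstantTransformer",
    b"org.apache.commons.collections.map.LazyMap",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
)


def find_java_streams(payload: bytes) -> list:
    """Return every candidate Java serialization stream in a payload: raw
    streams located by their magic bytes, plus base64 blobs that decode to
    one (serialized objects are often carried base64-encoded in cookies,
    form fields or JSON strings)."""
    streams = []
    for m in re.finditer(re.escape(JAVA_SERIAL_MAGIC), payload):
        streams.append(payload[m.start():])
    for m in JAVA_SERIAL_B64_RE.finditer(payload):
        blob = m.group(0)
        blob += b"=" * (-len(blob) % 4)   # restore any stripped padding
        try:
            decoded = base64.b64decode(blob)
        except ValueError:
            continue
        if decoded.startswith(JAVA_SERIAL_MAGIC):
            streams.append(decoded)
    return streams


def classify(payload: bytes) -> dict:
    """Summarise a payload: whether it carries a Java stream at all, and which
    gadget class names (if any) appear in it.  A bare Java stream is only
    informational; a gadget class name is what a rule would alert on."""
    gadget_classes = []
    java_stream = False
    for stream in find_java_streams(payload):
        java_stream = True
        for cls in GADGET_CLASSES:
            name = cls.decode()
            if cls in stream and name not in gadget_classes:
                gadget_classes.append(name)
    return {"java_stream": java_stream, "gadget_classes": gadget_classes,
            "alert": bool(gadget_classes)}


def _fake_stream(class_name: bytes) -> bytes:
    """Constructed test data: stream header, TC_OBJECT/TC_CLASSDESC markers and
    a length-prefixed class name, enough to resemble a class descriptor.  It is
    not a valid object graph and deserializes to nothing."""
    return JAVA_SERIAL_MAGIC + b"\x73\x72" + len(class_name).to_bytes(2, "big") + class_name


# Constructed samples
SAMPLE_BENIGN = b"POST /api/submit HTTP/1.1\r\n\r\nname=alice&comment=hello"
SAMPLE_CLEAN_STREAM = _fake_stream(b"java.util.HashMap")
SAMPLE_GADGET_STREAM = _fake_stream(b"org.apache.commons.collections.functors.InvokerTransformer")
SAMPLE_B64_GADGET = b"session=" + base64.b64encode(SAMPLE_GADGET_STREAM) + b"; theme=dark"

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("clean stream", SAMPLE_CLEAN_STREAM),
                          ("gadget stream", SAMPLE_GADGET_STREAM), ("base64 gadget", SAMPLE_B64_GADGET)]:
        print(f"{label:14s} {classify(sample)}")
```

A string match of this kind only sees streams that are plain or base64-encoded; payloads that arrive compressed or otherwise transformed have to be decoded before inspection, which is why the durable fix sits in the application (not deserializing untrusted input, or restricting which classes may be deserialized) rather than in network detection alone.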

New Detection Technique – Ransomware

The following correlation rules have been added to detect new ransomware families:

  • System Compromise, Ransomware infection, Poshcoder
  • System Compromise, Ransomware infection, CryptoBrazzer

We have also updated the following correlation rules of previously detected families:

  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Ransomware infection, Chimera
  • System Compromise, Ransomware infection, Ransom

New Detection Technique – Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Linux.IptabLex
  • System Compromise, Trojan infection, Bookworm
  • System Compromise, Trojan infection, Sosinf
  • System Compromise, Trojan infection, Pifagor
  • System Compromise, Trojan infection, Limitless Logger
  • System Compromise, Trojan infection, Ferret DDOS
  • System Compromise, Trojan infection, HideWindows
  • System Compromise, Trojan infection, PerfectBN

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called "drive-by downloads." Attackers embed these kits in websites, where they are invisible to normal users. When a user browses to a website hosting an exploit kit, the kit attempts all the attacks it knows in order to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.

  • Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website – Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website – Exploit Kit, Nuclear EK

Updated Detection Technique – Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique – Malicious TOR .onion domain

.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families are starting to use hidden services as a mechanism to communicate with a CnC server, and they usually use a predefined .onion domain. We have updated a correlation rule that groups the IDS signatures that detect when a system is trying to resolve a malicious .onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain
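As an added example of the kind of check behind this rule (written for this page, not Neovera's rule), the following Python walks resolver log lines, matches .onion queries against a blocklist, and also reports any other .onion lookup, since a Tor client resolves .onion names inside the Tor protocol and a host sending them to an ordinary DNS resolver is worth a look on its own. The log format and the two blocklist domains are constructed placeholders, not indicators from the report.

```python
"""Flag DNS queries for .onion names and match them against a list of
malicious onion domains.  Added example, not from the Neovera report; the
log format and the blocklist entries are constructed placeholders."""
import re
from dataclasses import dataclass

# Placeholder blocklist.  A real rule carries the .onion names observed in
# malware traffic; these two are made up for the example.
MALICIOUS_ONION = frozenset({
    "placeholderc2aaaaaaaaaaaa.onion",
    "placeholderpaybbbbbbbbbbb.onion",
})

# Constructed resolver log format: "<timestamp> <client ip> query: <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query:\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    qname: str
    reason: str


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'X.ONION.' and 'x.onion' compare equal."""
    return qname.rstrip(".").lower()


def is_onion(name: str) -> bool:
    """True only for the .onion suffix itself, not for names that merely contain 'onion'."""
    return name == "onion" or name.endswith(".onion")


def blocklist_hit(name: str):
    """Return the blocklisted domain that name equals or is a subdomain of, else None."""
    for bad in MALICIOUS_ONION:
        if name == bad or name.endswith("." + bad):
            return bad
    return None


def scan_dns_log(lines) -> list:
    """Walk resolver log lines and return one Alert per .onion query.  A
    known-bad domain gets its own reason; any other .onion query is still
    reported, because Tor clients never send .onion names to a regular
    DNS resolver."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # malformed or unrelated line
        name = normalize_qname(m["qname"])
        if not is_onion(name):
            continue
        bad = blocklist_hit(name)
        if bad is not None:
            reason = f"known malicious onion domain {bad}"
        else:
            reason = ".onion name sent to a DNS resolver"
        alerts.append(Alert(m["ts"], m["src"], name, reason))
    return alerts


# Constructed sample log: one benign lookup, two blocklist hits (one via a
# subdomain with odd casing and a trailing dot), one unknown .onion name, a
# name that merely contains "onion", and a malformed line.
SAMPLE_LOG = """\
2015-11-18T09:01:02Z 10.0.0.12 query: www.example.com A
2015-11-18T09:01:05Z 10.0.0.12 query: placeholderc2aaaaaaaaaaaa.onion A
2015-11-18T09:02:11Z 10.0.0.33 query: gw.placeholderpaybbbbbbbbbbb.ONION. A
2015-11-18T09:03:40Z 10.0.0.40 query: someotherhiddenservicecc.onion AAAA
2015-11-18T09:04:00Z 10.0.0.40 query: onionrings.example.com A
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.qname}: {a.reason}")
```

The subdomain match matters because a family that rotates hostnames under one hidden service would otherwise slip past an exact-match list; the normalisation step is what keeps a trailing dot or upper-case suffix from doing the same.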