Emerging Threat – KilerRAT
KilerRAT is a remote access trojan (RAT) that can be classified as a variant of the well-known njRAT, as the two share many features: their display style, several capabilities and a general template for their communication methods. However, where njRAT left off, KilerRAT has taken over. KilerRAT is a very feature-rich RAT with an active development force that is rapidly gaining popularity in the Middle Eastern community and worldwide.
This RAT has capabilities ranging from manipulating the registry to opening a reverse shell, and from stealing credentials stored in browsers to accessing the victim's webcam. Through the Command & Control (CnC) server software, the attacker can create and configure the malware to spread via physical devices, such as USB drives, and can also use the victim as a pivot point to gain further access laterally throughout the network.
We’ve added an IDS signature and a correlation rule to detect KilerRAT activity.
- System Compromise, Trojan infection, KilerRAT
Emerging Threat – Serialized Java Object Calling Common Collection Function
A vulnerability in the Apache commons-collections Java library, triggered when an application deserializes untrusted Java objects, can allow attackers to execute arbitrary code. The vulnerability can be used to exploit a wide range of vulnerable products, including WebSphere, JBoss, Jenkins, WebLogic and OpenNMS.
We added an IDS signature and correlation rule to detect exploitation attempts.
- Exploitation & Installation, Client Side Exploit – Known Vulnerability, Serialized Java Object Calling Common Collection Function
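As an added illustration of what an IDS signature for this threat looks for (example code written for this post, not the signature itself or any vendor code), the following Python inspects a request body for the Java serialization stream header and for the commons-collections class names that the public gadget chain is built from. Class descriptors are written in clear text inside a serialized stream, so their names are visible to a network sensor. The sample payloads are constructed for the example; the base64 handling is an assumption about how some products carry serialized objects over HTTP.

```python
import base64
import binascii

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# commons-collections classes used by the known gadget chain. Their fully qualified
# names appear verbatim in the stream because class descriptors are written as UTF.
GADGET_CLASS_NAMES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.functors.ConstantTransformer",
    b"org.apache.commons.collections.functors.InstantiateTransformer",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
)


def _unwrap(payload: bytes) -> bytes:
    """Return the raw stream bytes, accepting either a raw or a base64-encoded stream.

    Base64 wrapping is an assumption for this example (some products transport
    serialized objects that way); if decoding fails or the result is not a Java
    stream, the payload is returned unchanged.
    """
    if payload.startswith(JAVA_STREAM_MAGIC):
        return payload
    try:
        decoded = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return payload
    return decoded if decoded.startswith(JAVA_STREAM_MAGIC) else payload


def inspect_payload(payload: bytes) -> dict:
    """Classify a request body: is it a Java serialized stream, and does it name gadget classes?"""
    data = _unwrap(payload)
    is_stream = data.startswith(JAVA_STREAM_MAGIC)
    hits = [name.decode() for name in GADGET_CLASS_NAMES if name in data]
    return {
        "java_serialized": is_stream,
        "gadget_classes": hits,
        # Alert only on the combination: a serialized stream that references gadget classes.
        "alert": is_stream and bool(hits),
    }


# Constructed sample bodies (not real captures): a harmless stream that only
# references a JDK class, and one that references the gadget class.
SAMPLE_BENIGN = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16\x60\xd1"
SAMPLE_MALICIOUS = (
    JAVA_STREAM_MAGIC
    + b"sr\x00\x3aorg.apache.commons.collections.functors.InvokerTransformer"
)
SAMPLE_MALICIOUS_B64 = base64.b64encode(SAMPLE_MALICIOUS)


if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS),
                        ("malicious-b64", SAMPLE_MALICIOUS_B64)):
        print(label, inspect_payload(body))
```

The check is deliberately two-part: the stream magic alone is common in legitimate Java RMI/JMX traffic, and the class names alone could appear in unrelated content, so the rule fires only when both are present in the same body.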
New Detection Technique – Ransomware
The following correlation rules have been added to detect new ransomware families:
- System Compromise, Ransomware infection, Poshcoder
- System Compromise, Ransomware infection, CryptoBrazzer
We have also updated the following correlation rules of previously detected families:
- System Compromise, Malware infection, CoinMiner
- System Compromise, Ransomware infection, Chimera
- System Compromise, Ransomware infection, Ransom
New Detection Technique – Malware
The following correlation rules have been added due to recent malicious activity:
- System Compromise, Trojan infection, Linux.IptabLex
- System Compromise, Trojan infection, Bookworm
- System Compromise, Trojan infection, Sosinf
- System Compromise, Trojan infection, Pifagor
- System Compromise, Trojan infection, Limitless Logger
- System Compromise, Trojan infection, Ferret DDOS
- System Compromise, Trojan infection, HideWindows
- System Compromise, Trojan infection, PerfectBN
Updated Detection Technique – Exploit Kits
Exploit kits are used in what are called “drive-by downloads.” Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.
- Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection
- Exploitation & Installation, Malicious website – Exploit Kit, Magnitude EK
- Exploitation & Installation, Malicious website – Exploit Kit, Nuclear EK
Updated Detection Technique – Remote Access Tools
The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.
- System Compromise, Malware RAT, Poison Ivy
- System Compromise, Malware RAT, njRAT
Updated Detection Technique – Malicious TOR .onion domain
.onion is a top-level domain suffix used for hidden services inside the Tor network. Several malware families are starting to use hidden services as a mechanism to communicate with a C&C server, usually through a predefined .onion domain. We have updated a correlation rule that groups the different IDS signatures that detect when a system is trying to resolve a malicious .onion domain:
- System Compromise, Malware infection, Malicious TOR .onion domain
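To show the kind of event these signatures key on, here is an added example (written for this post, not the correlation rule or any vendor code) that scans DNS query logs for .onion resolution attempts. Tor-aware software never sends .onion names to an ordinary resolver, so a query for one reaching the corporate DNS server is an indicator on its own, whichever domain it names. The log format (timestamp, client IP, query name, query type) and the addresses in the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# A well-formed onion address is a 16-character (v2) or 56-character (v3) base32 label
# directly under .onion, optionally with subdomains in front of it.
WELL_FORMED_ONION_RE = re.compile(r"^(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def parse_line(line: str):
    """Parse one log line in the assumed format '<ts> <client_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed lines rather than fail the whole scan
    ts, client, qname, qtype = parts
    return {
        "ts": ts,
        "client": client,
        # Normalise: DNS names are case-insensitive and may carry a trailing root dot.
        "qname": qname.rstrip(".").lower(),
        "qtype": qtype,
    }


def find_onion_lookups(lines):
    """Return every query whose name ends in .onion, flagging whether it is well-formed."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"]
        # Match the .onion TLD itself, not names that merely contain the word "onion".
        if qname == "onion" or qname.endswith(".onion"):
            rec["well_formed"] = bool(WELL_FORMED_ONION_RE.match(qname))
            alerts.append(rec)
    return alerts


def summarize_by_client(alerts):
    """Group flagged query names by the client that issued them, for triage."""
    summary = defaultdict(list)
    for alert in alerts:
        summary[alert["client"]].append(alert["qname"])
    return dict(summary)


# Constructed sample log (timestamps, hosts and onion labels are made up for the example).
_V3_LABEL = "a" * 50 + "234567"  # 56 base32 characters, shaped like a v3 address
SAMPLE_DNS_LOG = [
    "2020-01-01T00:00:01Z 10.0.0.5 update.example.com A",
    "2020-01-01T00:00:05Z 10.0.0.5 abcdefghijklmnop.onion A",
    "2020-01-01T00:00:09Z 10.0.0.7 www." + _V3_LABEL + ".onion. AAAA",
    "2020-01-01T00:02:00Z 10.0.0.9 onion.example.com A",
    "2020-01-01T00:02:30Z 10.0.0.5 short.onion A",
    "this line is not a valid record",
]


if __name__ == "__main__":
    hits = find_onion_lookups(SAMPLE_DNS_LOG)
    for hit in hits:
        print(hit["ts"], hit["client"], hit["qname"], "well_formed=%s" % hit["well_formed"])
    print(summarize_by_client(hits))
```

The `well_formed` flag separates queries that look like real onion addresses from typos or probing, but both are worth a look: a host that repeatedly leaks .onion queries to the internal resolver is either misconfigured Tor software or malware trying to reach its C&C.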