Neovera Threat Intelligence Short Report – November 27th, 2015

Emerging Threat – CherryPicker PoS

CherryPicker PoS is a point-of-sale malware that researchers at Trustwave say is unique because it uses configuration files, encryption, obfuscation and command line arguments to avoid detection. Researchers identified the malware being used to target the food industry and said it can target virtually any POS software to steal credit card information as well as privileged credentials to remotely access a customer’s network.

We’ve added an IDS signature and a correlation rule to detect CherryPicker POS activity.

  • System Compromise, Trojan infection, CherryPicker POS

New Detection Technique – FAKBEN

FAKBEN is a ransomware-as-a-service offering built around CryptoLocker. The service lets its users send the ransomware to a specific victim and demand ransom money. The CryptoLocker service uses the Tor network to host a Hidden Service. When a victim pays the ransom, Team FAKBEN takes a 10% cut and forwards the rest to the cybercriminal's wallet. This service enables cybercriminals without technical knowledge to run their own ransomware campaign.

We’ve added an IDS signature and a correlation rule to detect FAKBEN activity.

  • System Compromise, Ransomware infection, FAKBEN

New Detection Technique – Liudoor

Liudoor is a simple backdoor, similar to the common Portless Backdoor, that RSA Research found running as a service on at least five Terracotta VPN victim servers and has dubbed Liudoor. It creates a thread and pipes data back and forth to the Windows command shell process, cmd.exe.

We’ve added an IDS signature and a correlation rule to detect Liudoor activity.

  • System Compromise, Trojan infection, Liudoor

New Detection Technique – Screenleap

The following correlation rules have been added due to recent activity:

  • Environmental Awareness, Desktop Software – Remote Desktop, Screenleap

New Detection Technique – Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Fsysna
  • System Compromise, Trojan infection, InstallCube
  • System Compromise, Trojan infection, Spy.VB.OBX
  • System Compromise, Trojan infection, Ziploader
  • System Compromise, Worm infection, Vonriamt
  • System Compromise, Trojan infection, Kraken Stresser

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called “Drive-by Downloads.” Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.

  • Exploitation & Installation, Malicious website – Exploit Kit, Angler EK
  • Exploitation & Installation, Malicious website – Exploit Kit, Blackhole
  • Exploitation & Installation, Malicious website – Exploit Kit, Nuclear EK
  • Delivery & Attack, Malicious website – Exploit Kit, Neutrino EK
  • Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection

Updated Detection Technique – Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

  • System Compromise, Malware RAT, Poison Ivy
  • System Compromise, Malware RAT, njRAT

Updated Detection Technique – Malicious TOR .onion domain

.onion is a top-level domain suffix that is used for hidden services inside the Tor network. Several families of malware are starting to use hidden services as a mechanism to communicate with a C&C server and usually use a predefined onion domain. We have updated a correlation rule that groups different IDS signatures that detect when a system is trying to resolve a malicious onion domain:

  • System Compromise, Malware infection, Malicious TOR .onion domain

Updated Detection Technique – Tor Onion Proxy

Tor is an open network that allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network; these are called hidden services. Some websites allow access to Tor hidden services from the regular Internet without being inside the Tor network. We have created a new correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

  • Environmental Awareness, Anonymous channel, Tor Onion Proxy
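The two Tor-related rules above (malicious .onion resolution and Tor onion proxy access) both reduce to inspecting the names a host asks its resolver for. The following script is an added example, not part of the report and not Neovera's rule logic: it scans a constructed DNS query log and raises an alert for any .onion lookup that reaches an ordinary resolver, and for any "service.onion.gateway" name that points at a Tor-to-web gateway. The gateway domains and every log line are placeholders constructed for the example. It goes slightly beyond the report's rule, which keys on a list of known-malicious onion domains: a host with no sanctioned Tor client has no legitimate reason to send any .onion name to DNS, so the example treats every such lookup as worth alerting on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample DNS query log (not from the report). One query per line:
# "<timestamp> <client-ip> query <qname>".
SAMPLE_DNS_LOG = """\
2015-11-27T10:01:02Z 10.0.0.15 query www.example.com
2015-11-27T10:01:05Z 10.0.0.23 query abcdefghijklmnop.onion
2015-11-27T10:02:11Z 10.0.0.23 query abcdefghijklmnop.onion.example-gateway.test
2015-11-27T10:03:40Z 10.0.0.42 query mail.example.com
2015-11-27T10:04:00Z 10.0.0.15 query ONION.EXAMPLE.COM
"""

# Hypothetical Tor-to-web gateway domains (placeholder values, not real sites).
# Such gateways expose a hidden service as "<service>.onion.<gateway-domain>".
TOR_PROXY_GATEWAYS = {"example-gateway.test", "another-gateway.test"}

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


@dataclass
class Alert:
    timestamp: str
    client: str
    qname: str
    category: str


def _labels(qname: str) -> List[str]:
    """Lower-case DNS labels with any trailing root dot removed."""
    return qname.lower().rstrip(".").split(".")


def classify_qname(qname: str) -> Optional[str]:
    """Return the alert category a query name falls into, or None."""
    labels = _labels(qname)
    # Case 1: a direct .onion lookup. .onion only resolves inside Tor, so a
    # query reaching a normal resolver means a host is trying to reach a
    # hidden service outside Tor (the report's updated rule covers this).
    if labels[-1] == "onion":
        return "malicious_onion_resolution"
    # Case 2: a hidden service reached through a clearnet Tor-to-web gateway,
    # i.e. "<service>.onion.<gateway-domain>" (the report's proxy rule).
    for gateway in TOR_PROXY_GATEWAYS:
        glabels = gateway.lower().split(".")
        if (
            len(labels) > len(glabels) + 1
            and labels[-len(glabels):] == glabels
            and labels[-len(glabels) - 1] == "onion"
        ):
            return "tor_onion_proxy"
    # A label called "onion" anywhere else (e.g. onion.example.com) is benign.
    return None


def scan_dns_log(text: str) -> List[Alert]:
    """Parse a DNS query log and return one Alert per matching query."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts, client, qname = m.groups()
        category = classify_qname(qname)
        if category:
            alerts.append(Alert(ts, client, qname, category))
    return alerts


if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{a.timestamp} {a.client} {a.category}: {a.qname}")
```

Run against the embedded log it produces two alerts for client 10.0.0.23 (one direct .onion lookup, one gateway lookup) and ignores ONION.EXAMPLE.COM, which merely contains "onion" as a label. In practice the gateway set would be populated from the IDS signature list the correlation rule groups, and the alerts would feed the same "Anonymous channel" / "Malware infection" categories the report uses.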

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit – Known Vulnerability, Serialized Java Object Calling Common Collection Function
  • System Compromise, Trojan infection, Sharik
  • System Compromise, C&C Communication, Dyre SSL Certificate
  • System Compromise, C&C Communication, Gootkit
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Sofacy Activity
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, PhilBot
  • System Compromise, Malware infection, Zbot
  • System Compromise, Ransomware infection, Poshcoder
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Targeted Malware, Derusbi
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Barys
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, DDoS trojan Kryptik
  • System Compromise, Trojan infection, FlyStudio
  • System Compromise, Trojan infection, FrauDrop
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Nymaim
  • System Compromise, Trojan infection, Redyms
  • System Compromise, Trojan infection, Scar
  • System Compromise, Trojan infection, TinyLoader
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Trojan infection, r0_bot