New Detection Technique – NoobCrypt

NoobCrypt is a new ransomware family that earns its name from the taunting messages victims receive when they enter an incorrect decryption password. However, the developer behind NoobCrypt made a mistake: every victim's files are encrypted with the same encryption key, and that key is embedded in the ransomware itself. This makes decryption of the encrypted files straightforward.

We’ve added IDS signatures and created the following correlation rule to detect this activity:
-System Compromise, Trojan infection, NoobCrypt

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/57d7ca45aa954c1a0e6898d6/

New Detection Technique – CryptoRoger

CryptoRoger is a new ransomware family that encrypts files with AES, appends the .crptrgr extension to the encrypted filenames, and demands a ransom payment of 0.5 bitcoins. The ransomware also creates a .VBS file in the Windows Startup folder so that it runs each time the victim logs in to Windows and encrypts any files created since it last ran.

We’ve added IDS signatures and created the following correlation rule to detect this activity:
-System Compromise, Ransomware infection, CryptoRoger

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/576b1fc673eaea0134332201/
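The two behaviours described above (files renamed to .crptrgr and a .vbs dropped in the Windows Startup folder) can be correlated per process. The following is an added example, not AlienVault's own correlation rule; the file-write events, process names and the MIN_ENCRYPTED_FILES threshold are constructed for the demonstration.

```python
"""Behavioural correlation for the CryptoRoger pattern described above.

Added example, not AlienVault's own rule. Flags a process that both writes
files with the .crptrgr extension and drops a .vbs into the Windows Startup
folder; the events below are constructed for the demonstration."""
from collections import defaultdict
from pathlib import PureWindowsPath

RANSOM_EXT = ".crptrgr"
# Tail of the per-user Windows Startup folder, matched case-insensitively.
STARTUP_TAIL = ("microsoft", "windows", "start menu", "programs", "startup")
# One renamed file is noise; a handful from one process is the ransomware at work.
MIN_ENCRYPTED_FILES = 3


def in_startup_folder(path: str) -> bool:
    """True if the file sits directly inside a Windows Startup folder."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    n = len(STARTUP_TAIL)
    return len(parts) > n and parts[-n - 1:-1] == STARTUP_TAIL


def detect_cryptoroger(events):
    """Return {pid: (image, encrypted_count, startup_script)} for matching processes."""
    encrypted, startup_script, image = defaultdict(set), {}, {}
    for ev in events:
        pid, path = ev["pid"], ev["path"]
        image[pid] = ev["image"]
        low = path.lower()
        if low.endswith(RANSOM_EXT):
            encrypted[pid].add(path)
        elif low.endswith(".vbs") and in_startup_folder(path):
            startup_script[pid] = path
    return {
        pid: (image[pid], len(files), startup_script[pid])
        for pid, files in encrypted.items()
        if len(files) >= MIN_ENCRYPTED_FILES and pid in startup_script
    }


STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed file-write events: one ransomware process, one admin logon script
# written by explorer.exe, and one user who renamed a single file to .crptrgr.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "invoice.exe", "path": r"C:\Users\bob\Documents\q3.xlsx.crptrgr"},
    {"pid": 4120, "image": "invoice.exe", "path": r"C:\Users\bob\Documents\notes.docx.crptrgr"},
    {"pid": 4120, "image": "invoice.exe", "path": r"C:\Users\bob\Pictures\cat.jpg.crptrgr"},
    {"pid": 4120, "image": "invoice.exe", "path": STARTUP + r"\update.vbs"},
    {"pid": 900, "image": "explorer.exe", "path": STARTUP + r"\mapdrives.vbs"},
    {"pid": 2201, "image": "explorer.exe", "path": r"C:\Users\bob\Desktop\test.crptrgr"},
]
```

Only the process that shows both behaviours is reported; a lone Startup script or a single oddly named file is not enough on its own.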

In addition to that, we’ve updated the detection techniques for the following ransomware families:
-System Compromise, Ransomware infection, Cerber
-System Compromise, Ransomware infection, HadesLocker
-System Compromise, Ransomware infection, Locky
-System Compromise, Ransomware infection, Torrentlocker

New Detection Techniques

The following correlation rules have been added due to recent malicious activity:
-System Compromise, Trojan infection, CainCleaner
-Exploitation & Installation, Client Side Exploit – Known Vulnerability, D-Link DSL-2740R Remote DNS Change Attempt
-Exploitation & Installation, Client Side Exploit – Known Vulnerability, COMTREND ADSL Router CT-5367 Remote DNS Change Attempt
-Exploitation & Installation, Client Side Exploit – Known Vulnerability, Unknown Router Remote DNS Change Attempt

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called “drive-by downloads.” Attackers embed these kits in websites where normal users cannot detect them. When a user browses to a website hosting an exploit kit, the kit runs through its known exploits in an attempt to compromise the user's machine and install malware. This is a common attack vector and a major source of infections for end users, and cybercriminals constantly change the patterns in their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:
-Delivery & Attack, Malicious website – Exploit Kit, Astrum EK
-Delivery & Attack, Malicious website – Exploit Kit, DNSChanger EK
-Delivery & Attack, Malicious website – Exploit Kit, EITest EK
-Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection
-Delivery & Attack, Malicious website – Exploit Kit, Sundown EK
-Exploitation & Installation, Malicious website – Exploit Kit, RIG EK
-Exploitation & Installation, Malicious website – Exploit Kit, Sednit EK

Updated Detection Technique – Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blog post: “We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group’s objectives is gathering geopolitical intelligence.”

We’ve added IDS signatures and updated the following correlation rules to detect APT28 activity:
-System Compromise, Trojan infection, APT28 activity
-System Compromise, C&C Communication, Sofacy Activity
-System Compromise, Mobile trojan infection, IOS_XAGENT
-System Compromise, C&C Communication, APT28 SSL activity

Related content in Open Threat Exchange: https://otx.alienvault.com/browse/pulses/?q=apt28

Updated Detection Technique – Malware SSL Certificates

We’ve added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families:
-System Compromise, C&C Communication, Known malicious SSL certificate
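Detecting C&C traffic from a certificate list comes down to comparing the fingerprint of each observed server certificate against the feed, and the practical pitfall is that feeds and sensors format SHA1 fingerprints differently (colons, case, a `sha1:` prefix). The following is an added example, not AlienVault's IDS signatures; the blocklist entries, malware family names and JSON log lines are constructed and not real indicators.

```python
"""Match observed TLS server-certificate fingerprints against a blocklist.

Added example, not AlienVault's IDS signatures; blocklist and log lines are
constructed. Sensors and feeds disagree on colons and case, so normalise first."""
import json
import re

# Constructed SHA1 fingerprint -> family. Not real indicators; a real feed such as
# Abuse.ch would supply these values.
BLOCKLIST_RAW = {
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67": "ExampleBot",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "ExampleRAT",
}
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(fp: str) -> str:
    """Lower-case, strip an optional 'sha1:' prefix, colons and spaces; reject non-SHA1."""
    fp = fp.strip().lower()
    if fp.startswith("sha1:"):
        fp = fp[5:]
    fp = fp.replace(":", "").replace(" ", "")
    if not HEX40.match(fp):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return fp


BLOCKLIST = {normalize_fingerprint(k): v for k, v in BLOCKLIST_RAW.items()}

# Constructed JSON-per-line handshake records (no specific sensor's schema).
TLS_LOG = """\
{"ts":"2016-10-03T09:12:44Z","src":"10.0.0.21","dst":"203.0.113.8","dport":443,"cert_sha1":"01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}
{"ts":"2016-10-03T09:12:51Z","src":"10.0.0.33","dst":"198.51.100.5","dport":443,"cert_sha1":"ffffffffffffffffffffffffffffffffffffffff"}
{"ts":"2016-10-03T09:13:02Z","src":"10.0.0.21","dst":"192.0.2.77","dport":8443,"cert_sha1":"sha1:89abcdef0123456789abcdef0123456789abcdef"}
{"ts":"2016-10-03T09:13:05Z","src":"10.0.0.40","dst":"192.0.2.9","dport":443}
"""


def match_tls_log(log_text: str, blocklist=BLOCKLIST):
    """Return (src, dst, dport, family) for every handshake using a blocklisted cert."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        try:
            fp = normalize_fingerprint(rec["cert_sha1"])
        except (KeyError, ValueError):
            continue  # resumed session with no cert, or a malformed field: nothing to match
        if fp in blocklist:
            hits.append((rec["src"], rec["dst"], rec["dport"], blocklist[fp]))
    return hits
```

The first and third log lines match despite being written in different fingerprint styles from the blocklist entries; the record without a certificate (a resumed session) is skipped rather than treated as an error.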

Updated Detection Technique – Remote Access Tools

The typical attack pattern starts with the exploitation of a vulnerability, followed by the installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We’ve added IDS signatures and updated correlation rules to detect the following RAT activity:
-System Compromise, Malware RAT, NanoCore
-System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique – Emissary

A targeted attack in November 2015 was directed at a French diplomat working for the French Ministry of Foreign Affairs. The attack attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept (POC) code to install a trojan called Emissary, which is related to the Operation Lotus Blossom campaign.

We’ve added IDS signatures and updated the following correlation rule to detect Emissary:
-System Compromise, Targeted Malware, Emissary

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:
-Delivery & Attack, Malicious website, Phishing activity
-Exploitation & Installation, Client Side Exploit – Known Vulnerability, Malicious Document
-Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
-System Compromise, Malware infection, CoinMiner
-System Compromise, Malware infection, Generic
-System Compromise, Malware infection, Ursnif
-System Compromise, Trojan infection, Banker
-System Compromise, Trojan infection, BestaFera
-System Compromise, Trojan infection, Bitcoin Miner
-System Compromise, Trojan infection, Dreambot
-System Compromise, Trojan infection, Generic Keylogger
-System Compromise, Trojan infection, Keitaro TDS
-System Compromise, Trojan infection, Razy
-System Compromise, Trojan infection, Rebhip
-System Compromise, Trojan infection, Unknown trojan