New Detection Technique – Adups Firmware

According to security researchers from Kryptowire, an unknown backdoor built into a specific Android firmware has enabled secret monitoring of popular mobile devices. User and device information was collected automatically and transmitted periodically to a server in China without the users’ consent or knowledge. The collected information was encrypted in multiple layers and then transmitted over secure web protocols to the company that wrote the software, Shanghai Adups Technology.

We have added IDS signatures and added the following correlation rule to detect this activity:

– Environmental Awareness, Covert channel, Adups Firmware

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/582d7499ad98a723362854f5/

New Detection Technique – KeyBoy

A malware operation targeting members of the Tibetan Parliament took place between August and October of this year. The operation used known and patched exploits to deliver a custom backdoor known as “KeyBoy”. Analysis of multiple versions of KeyBoy revealed a development cycle focused on avoiding basic antivirus detection. KeyBoy is another example of a threat actor using “just enough” technical sophistication to exploit a target.

We have added IDS signatures and added the following correlation rule to detect this activity:

– System Compromise, Targeted Malware, KeyBoy

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/582e056ee26e8e7419ad5a4b/

New Detection Technique – ScanPOS

A new Point of Sale (POS) malware family, ScanPOS, has been discovered. It is propagated through the Kronos phishing campaign, which delivers a document with an embedded malicious macro that downloads the Kronos banking malware. ScanPOS performs the same basic tasks as other POS malware and is primarily a credit card dumper, yet interestingly it has a low detection rate.

We have added IDS signatures and added the following correlation rule to detect this activity:

– System Compromise, Trojan infection, ScanPOS

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/582b4421e26e8e03d3ad5a4b/

New Detection Technique – Ransomware

During the past week, we have seen an uptick in the ransomware activity in the wild. We have added IDS signatures and the following correlation rules to detect multiple new ransomware families:

– System Compromise, Ransomware infection, Alcatraz
– System Compromise, Ransomware infection, AutoLocky
– System Compromise, Ransomware infection, CerberTear
– System Compromise, Ransomware infection, CHIP
– System Compromise, Ransomware infection, Cryptus
– System Compromise, Ransomware infection, CuteRansomware
– System Compromise, Ransomware infection, HappyLocker
– System Compromise, Ransomware infection, KryptoLocker
– System Compromise, Ransomware infection, Magic
– System Compromise, Ransomware infection, MotoxLocker
– System Compromise, Ransomware infection, Princess
– System Compromise, Ransomware infection, Rahkni
– System Compromise, Ransomware infection, ScanPOS
– System Compromise, Ransomware infection, Shark
– System Compromise, Ransomware infection, XRatLocker
– System Compromise, Ransomware infection, YafunnLocker

Last week we also added IDS signatures and updated correlation rules to detect the following ransomware families:

– System Compromise, Ransomware infection, Cerber
– System Compromise, Ransomware infection, Cryptolocker
– System Compromise, Ransomware infection, Hidden-Tear
– System Compromise, Ransomware infection, Jigsaw
– System Compromise, Ransomware infection, Locky
– System Compromise, Ransomware infection, PadCrypt

New Detection Technique – Malware

The following correlation rules have been added due to recent malicious activity:

– Delivery & Attack, Denial of Service – Known vulnerability, Microsoft Windows LSASS Remote Memory Corruption
– Exploitation & Installation, Client Side Exploit – Known Vulnerability, Attempted SSH Key Overwrite
– Exploitation & Installation, Client Side Exploit – Known Vulnerability, Possible Apache Struts OGNL Expression Injection
– System Compromise, C&C Communication, Chthonic SSL activity
– System Compromise, Trojan infection, Neutron
– System Compromise, Trojan infection, Reincarna

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called “Drive-by Downloads.” Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We have added IDS signatures and updated the following correlation rules to improve exploit kit detection:

– Delivery & Attack, Malicious website – Exploit Kit, Magnitude EK
– Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection
– Delivery & Attack, Malicious website – Exploit Kit, Sundown EK

Updated Detection Technique – Malware SSL Certificates

We’ve added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

– System Compromise, C&C Communication, Gootkit SSL activity
– System Compromise, C&C Communication, Gozi SSL Activity
– System Compromise, C&C Communication, Known malicious SSL certificate
– System Compromise, C&C Communication, Panda Banker SSL activity
– System Compromise, C&C Communication, Vawtrak SSL Certificate
– System Compromise, C&C Communication, Zeus SSL Certificate
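The detection described above keys on the SHA1 fingerprint of the server certificate seen in a TLS handshake. The following is an added example (not AlienVault or Abuse.ch code) that loads a blocklist in an SSLBL-like CSV layout, normalises the differing fingerprint spellings sensors emit, and maps each hit to a rule name in the style used in this post; the blocklist entries and log lines are constructed placeholders, not real indicators.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "ts src dst family rule")
# Constructed blocklist in an SSLBL-like CSV layout (date, SHA1, reason);
# the fingerprints are fake placeholders, not real indicators.
BLOCKLIST_CSV = """\
# Listingdate,SHA1,Listingreason
2016-11-20,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Gozi C&C
2016-11-21,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Vawtrak C&C
2016-11-21,cccccccccccccccccccccccccccccccccccccccc,Unnamed C&C
"""
# Constructed sensor log (ts, src, dst, server-cert SHA1). Sensors differ in
# hex case and colon separators, so the matcher must normalise both sides.
LOG_LINES = [
    "1479700000 10.0.0.5 203.0.113.10 " + ":".join(["AA"] * 20),
    "1479700005 10.0.0.7 198.51.100.20 " + "dd" * 20,
    "1479700009 10.0.0.9 203.0.113.33 " + "CC" * 20,
]
# Families with a rule of their own; other listed certs hit the generic rule.
FAMILY_RULES = {"Gozi": "Gozi SSL Activity", "Vawtrak": "Vawtrak SSL Certificate"}
GENERIC_RULE = "Known malicious SSL certificate"
_HEX40 = re.compile(r"^[0-9a-f]{40}$")

def normalize_sha1(raw):
    """Lower-case, strip colons, reject anything that is not 40 hex chars."""
    s = raw.strip().lower().replace(":", "")
    if not _HEX40.match(s):
        raise ValueError(f"not a SHA1 fingerprint: {raw!r}")
    return s

def load_blocklist(text):
    """Return {sha1: family}, skipping the comment header and blank lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _date, sha1, reason = line.split(",", 2)
        entries[normalize_sha1(sha1)] = reason.split()[0]  # "Gozi C&C" -> "Gozi"
    return entries

def match_logs(lines, blocklist):
    """One Alert per connection whose server certificate is on the blocklist."""
    alerts = []
    for line in lines:
        ts, src, dst, fp = line.split()
        family = blocklist.get(normalize_sha1(fp))
        if family is not None:
            rule = "System Compromise, C&C Communication, " + FAMILY_RULES.get(family, GENERIC_RULE)
            alerts.append(Alert(ts, src, dst, family, rule))
    return alerts
```

Fingerprint matching only catches certificates already on the list, so a family that rotates certificates frequently will still need the complementary signature-based rules listed above.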

Updated Detection Technique – Remote Access Tools

The typical attack pattern starts with exploitation of a vulnerability, followed by installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We’ve added IDS signatures and updated correlation rules to detect the following RAT activity:

– System Compromise, Malware RAT, NanoCore
– System Compromise, Malware RAT, Poison Ivy

Updated Detection Technique – Sofacy/Sednit/APT28

In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As we described in a blog post: “We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group’s objectives is gathering geopolitical intelligence.”

We’ve added IDS signatures and updated the following correlation rule to detect APT28 activity:

– System Compromise, Mobile trojan infection, IOS_XAGENT

Related content in Open Threat Exchange: https://otx.alienvault.com/browse/pulses/?q=apt28

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

– Delivery & Attack, Malicious website, Phishing activity
– Exploitation & Installation, Client Side Exploit – Known Vulnerability, Attempted SSH Key Overwrite
– Exploitation & Installation, Client Side Exploit – Known Vulnerability, Malicious Document
– Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
– System Compromise, Malware infection, CoinMiner
– System Compromise, Malware infection, Generic
– System Compromise, Malware infection, MrBlack
– System Compromise, Trojan infection, Bitcoin Miner
– System Compromise, Trojan infection, Keitaro TDS
– System Compromise, Trojan infection, Neutron