Neovera Threat Intelligence Short Report – December 14th, 2015

Emerging Threat – CopyKittens APT activity

Matryoshka is malware built by CopyKittens, an espionage group that has been attacking Israeli targets. Matryoshka is spread through spear-phishing emails with an attached document. The document carries either a malicious macro that the victim is asked to enable or an embedded executable that the victim is asked to open. The malware uses DNS for command and control communication and data exfiltration.

We’ve added IDS signatures and a correlation rule to detect Matryoshka malware and CopyKittens activity:

  • System Compromise, Trojan infection, Matryoshka
  • System Compromise, C&C Communication, CopyKittens Activity
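As an added illustration of the DNS-based C&C and exfiltration behaviour described above (this is not code from the report, nor any vendor's signature logic), the following Python scores resolver query logs for tunnelling indicators: long first labels, high label entropy, and a high share of data-carrying query types. The log lines, client addresses and the c2-placeholder.test domain are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the report): "<time> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2015-12-14T09:00:01 10.0.0.5 www.example.com A
2015-12-14T09:00:02 10.0.0.5 mail.example.com A
2015-12-14T09:00:03 10.0.0.7 4a6f686e2d446f652d323031352d.c2-placeholder.test TXT
2015-12-14T09:00:04 10.0.0.7 53616c6172792d4c6973742d7431.c2-placeholder.test TXT
2015-12-14T09:00:05 10.0.0.7 9b1c2e7f0a4d3c8e5f6a7b2c1d0e.c2-placeholder.test TXT
2015-12-14T09:00:06 10.0.0.7 7e2d9a0c4b5f1e3d6a8c0b9f2e4d.c2-placeholder.test TXT
2015-12-14T09:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; 0.0 for an empty label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def base_domain(qname: str) -> str:
    """Naive registered domain (last two labels); real use needs a public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def flag_dns_tunnels(log_text, min_queries=3, min_label_len=20, min_entropy=3.0, min_data_ratio=0.5):
    """Score each (client, base domain) pair; two of three indicators flags it as possible DNS C&C/exfil."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines rather than abort the sweep
        _, client, qname, qtype = parts
        groups[(client, base_domain(qname))].append((qname.split(".")[0], qtype))
    flagged = {}
    for key, entries in groups.items():
        if len(entries) < min_queries:
            continue  # too few queries to judge this pair
        labels = [lbl for lbl, _ in entries]
        reasons = []
        if sum(map(len, labels)) / len(labels) >= min_label_len:
            reasons.append("long labels")  # encoded payload chunks tend to fill the label
        if sum(map(shannon_entropy, labels)) / len(labels) >= min_entropy:
            reasons.append("high entropy")  # hex/base32 data vs. dictionary hostnames
        if sum(t in ("TXT", "NULL") for _, t in entries) / len(entries) >= min_data_ratio:
            reasons.append("data-carrying qtypes")  # record types that can carry C&C responses
        if len(reasons) >= 2:
            flagged[key] = reasons
    return flagged
```

Thresholds are starting points only; tune them against a baseline of your own resolver traffic, since CDNs and some legitimate services also produce long, high-entropy labels.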

Emerging Threat – Kapahyku

Kapahyku is a hacking tool that disables anti-virus programs and firewalls to avoid detection or removal. It writes entries to the Windows registry and uses those keys to start automatically. It spreads through free third-party programs, spam email attachments, suspicious websites, P2P file sharing and infected USB drives. It can steal personal information such as bank account details, credit card numbers, login IDs, usernames and passwords, and send the captured information to a C&C server.

We’ve added an IDS signature and a correlation rule to detect Kapahyku activity:

  • System Compromise, Trojan infection, Kapahyku

New Detection Technique – Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then installation of malware. Often this last step includes a Remote Access Tool (RAT) used to gain control of the compromised machine. We added IDS signatures and correlation rules to detect the following RAT activity.

  • System Compromise, Malware RAT, Hallaj PRO Rat
  • System Compromise, Malware RAT, MorphineRAT

New Detection Technique – Linux/ELF Malware

New malicious activity related to Linux/ELF malware has been spotted in the wild. We have added IDS rules and the following correlation rules to detect this activity:

  • System Compromise, Trojan infection, Linux/KDefend
  • System Compromise, Trojan infection, Linux.Mayhem
  • System Compromise, Trojan infection, ELF/lizkebab
  • System Compromise, Trojan infection, ELF/STDbot

New Detection Technique – Malware

The following correlation rules have been added due to recent malicious activity:

  • System Compromise, Trojan infection, Bayrob
  • System Compromise, Trojan infection, TheBot
  • System Compromise, Trojan infection, PSWTool
  • System Compromise, Trojan infection, Bergard
  • System Compromise, Trojan infection, Qbot
  • System Compromise, Trojan infection, ClipBanker
  • System Compromise, Trojan infection, Steam Filestealer Extreme
  • System Compromise, Trojan infection, Prism
  • Exploitation & Installation, Suspicious Behaviour, Facebook password stealing inject

Updated Detection Technique – NetUSB Exploit

A stack overflow in the NetUSB driver, widely used by embedded device manufacturers, can allow an attacker to remotely execute arbitrary code. Though exploitation typically occurs on a local network, it might be possible to exploit the vulnerability on some devices that expose port 20005 to the internet. Proof-of-concept exploit code has been released to the public; however, patches for devices are limited.

We added IDS rules and updated a correlation rule to detect exploitation activity.

  • Exploitation & Installation, Service Exploit, Netusb Exploit ROP Chain

Updated Detection Technique – Ransomware

Last week we added IDS signatures and updated correlation rules to detect several ransomware families.

  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Trojan infection, Bitcoin Miner

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called “drive-by downloads.” Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.

  • Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website – Exploit Kit, Angler EK
  • Exploitation & Installation, Malicious website – Exploit Kit, Magnitude EK
  • Exploitation & Installation, Malicious website – Exploit Kit, Nuclear EK

Updated Detection Technique – Malware SSL Certificates

We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:

  • System Compromise, C&C Communication, Dridex SSL Certificate
  • System Compromise, C&C Communication, Known malicious SSL certificate

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit – Known Vulnerability, .NET XML DTD Information Disclosure (CVE-2015-6096)
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, Denisca
  • System Compromise, Malware infection, DownloadSponsor
  • System Compromise, Malware infection, Malicious TOR .onion domain
  • System Compromise, Malware infection, Remote Manipulator
  • System Compromise, Malware infection, Swrort.A
  • System Compromise, Malware infection, Ursnif
  • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
  • System Compromise, Targeted Malware, Chopstick – Sofacy
  • System Compromise, Targeted Malware, Scieron
  • System Compromise, Trojan infection, Andromeda
  • System Compromise, Trojan infection, AutoIt
  • System Compromise, Trojan infection, Busadom
  • System Compromise, Trojan infection, Buzus
  • System Compromise, Trojan infection, Dapato
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, KOVTER.B
  • System Compromise, Trojan infection, Linux DDoS Bot
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Nymaim
  • System Compromise, Trojan infection, PSEmpire
  • System Compromise, Trojan infection, Ponmocup
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, StartPage
  • System Compromise, Worm infection, DELF