Emerging Threat – CopyKittens APT activity
Matryoshka is malware built by CopyKittens, an espionage group that has been attacking Israeli targets. Matryoshka is spread through spear phishing with a document attachment. The document carries either a malicious macro that the victim is asked to enable or an embedded executable the victim is asked to open. The malware uses DNS for command and control communication and data exfiltration.
We’ve added IDS signatures and a correlation rule to detect Matryoshka malware and CopyKittens activity:
- System Compromise, Trojan infection, Matryoshka
- System Compromise, C&C Communication, CopyKittens Activity
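A defender-side illustration of the DNS behaviour described above, added here and not part of the original post or its rule set: it scans a constructed DNS query log for the long, high-entropy subdomain labels that DNS-based C2 and exfiltration leave behind, grouped per client and registered domain. The log lines, the last-two-labels domain heuristic and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log, one query per line: "<epoch> <client_ip> <qname>".
# 10.0.0.7 mimics a host moving data through long random-looking subdomain labels.
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.example.com
1700000002 10.0.0.5 mail.example.com
1700000003 10.0.0.7 a3f9c1e2b7d04c5a6e8f1b2c3d4e5f60.updates.example-c2.net
1700000004 10.0.0.7 9b1e4d7a2c3f5e6d8a0b1c2d3e4f5a6b.updates.example-c2.net
1700000005 10.0.0.7 0c2d5e8b3f4a6d7e9b1c2d3e4f5a6b7c.updates.example-c2.net
1700000006 10.0.0.7 7e9f2a5c8b1d3e4f6a7b8c9d0e1f2a3b.updates.example-c2.net
1700000007 10.0.0.5 cdn.example.com
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Naive registered domain: last two labels (assumption: no public-suffix list offline)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_dns_tunnel_candidates(log_text, min_label_len=24, min_entropy=3.0, min_unique=3):
    """Return {(client, domain): (unique_labels, mean_entropy)} for client/domain pairs
    that sent at least min_unique distinct queries whose leftmost label is both long
    and high-entropy, the footprint left by DNS-based C2 and data exfiltration."""
    seen = defaultdict(dict)  # (client, domain) -> {label: entropy}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        _, client, qname = m.groups()
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= min_entropy:
            seen[(client, registered_domain(qname))][label] = ent
    return {key: (len(labels), sum(labels.values()) / len(labels))
            for key, labels in seen.items() if len(labels) >= min_unique}
```

Tune the thresholds against your own resolver logs first; CDNs and some security products also emit long, random-looking labels and will otherwise show up as candidates.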
Emerging Threat – Kapahyku
Kapahyku is a hacking tool that disables anti-virus programs and firewalls to avoid detection or removal. It writes malicious entries into the Windows registry and uses those keys to start automatically. It spreads through free third-party programs, spam email attachments, suspicious websites, P2P file sharing and infected USB drives. It can steal personal information such as bank account details, credit card numbers, login IDs, usernames and passwords, and send the captured information to a C&C server.
We’ve added an IDS signature and a correlation rule to detect Kapahyku activity:
- System Compromise, Trojan infection, Kapahyku
New Detection Technique – Remote Access Tools
The typical attack pattern is an initial attack (an exploited vulnerability) followed by installation of malware. Often this last step includes a Remote Administration Tool (RAT) used to gain control of the compromised machine. We added IDS signatures and correlation rules to detect the following RAT activity.
- System Compromise, Malware RAT, Hallaj PRO Rat
- System Compromise, Malware RAT, MorphineRAT
New Detection Technique – Linux/ELF Malware
New malicious activity related to Linux/ELF malware has been spotted in the wild. We have added IDS rules and the following correlation rules to detect their malicious activity:
- System Compromise, Trojan infection, Linux/KDefend
- System Compromise, Trojan infection, Linux.Mayhem
- System Compromise, Trojan infection, ELF/lizkebab
- System Compromise, Trojan infection, ELF/STDbot
New Detection Technique – Malware
The following correlation rules have been added due to recent malicious activity:
- System Compromise, Trojan infection, Bayrob
- System Compromise, Trojan infection, TheBot
- System Compromise, Trojan infection, PSWTool
- System Compromise, Trojan infection, Bergard
- System Compromise, Trojan infection, Qbot
- System Compromise, Trojan infection, ClipBanker
- System Compromise, Trojan infection, Steam Filestealer Extreme
- System Compromise, Trojan infection, Prism
- Exploitation & Installation, Suspicious Behaviour, Facebook password stealing inject
Updated Detection Technique – NetUSB Exploit
A stack overflow in the NetUSB driver, widely used by embedded device manufacturers, can allow an attacker to remotely execute arbitrary code. Though exploitation typically occurs on a local network, it might be possible to exploit the vulnerability on some devices that expose port 20005 to the internet. Proof-of-concept exploit code has been released publicly; however, patches for affected devices remain limited.
We added IDS rules and updated a correlation rule to detect exploitation activity.
- Exploitation & Installation, Service Exploit, Netusb Exploit ROP Chain
Updated Detection Technique – Ransomware
Last week we added IDS signatures and updated correlation rules to detect several ransomware families.
- System Compromise, Malware infection, CoinMiner
- System Compromise, Trojan infection, Bitcoin Miner
Updated Detection Technique – Exploit Kits
Exploit kits are used in what are called “drive-by downloads.” Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns they use within their code to evade detection. This week we added IDS signatures and updated correlation rules to enhance exploit kit detection.
- Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection
- Exploitation & Installation, Malicious website – Exploit Kit, Angler EK
- Exploitation & Installation, Malicious website – Exploit Kit, Magnitude EK
- Exploitation & Installation, Malicious website – Exploit Kit, Nuclear EK
Updated Detection Technique – Malware SSL Certificates
We have added new Intrusion Detection System signatures covering the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The new correlation rules use this information to detect C&C communications related to several malware families, including:
- System Compromise, C&C Communication, Dridex SSL Certificate
- System Compromise, C&C Communication, Known malicious SSL certificate
Updated Correlation Rules
The following correlation rules have been updated due to recent malicious activity:
- Delivery & Attack, Malicious website, Phishing activity
- Exploitation & Installation, Client Side Exploit – Known Vulnerability, .NET XML DTD Information Disclosure (CVE-2015-6096)
- System Compromise, C&C Communication, Query to a DGA Domain
- System Compromise, Malware infection, Denisca
- System Compromise, Malware infection, DownloadSponsor
- System Compromise, Malware infection, Malicious TOR .onion domain
- System Compromise, Malware infection, Remote Manipulator
- System Compromise, Malware infection, Swrort.A
- System Compromise, Malware infection, Ursnif
- System Compromise, Suspicious Behaviour, Suspicious user-agent detected
- System Compromise, Targeted Malware, Chopstick – Sofacy
- System Compromise, Targeted Malware, Scieron
- System Compromise, Trojan infection, Andromeda
- System Compromise, Trojan infection, AutoIt
- System Compromise, Trojan infection, Busadom
- System Compromise, Trojan infection, Buzus
- System Compromise, Trojan infection, Dapato
- System Compromise, Trojan infection, Generic trojan dropper
- System Compromise, Trojan infection, KOVTER.B
- System Compromise, Trojan infection, Linux DDoS Bot
- System Compromise, Trojan infection, Nemucod
- System Compromise, Trojan infection, Nymaim
- System Compromise, Trojan infection, PSEmpire
- System Compromise, Trojan infection, Ponmocup
- System Compromise, Trojan infection, SpyBanker
- System Compromise, Trojan infection, StartPage
- System Compromise, Worm infection, DELF