
J2 CSC August 14th Weekly Briefing

This week @J2CS:

This week brings a number of detection and correlation rule updates to the Threat Intelligence for our Cybersecurity Platform. Be Vigilant, Be Informed and Be Safe!

New Detection Technique - ISMAgent

ISMAgent is a variant of the ISMDoor Trojan that is related to the threat actors behind the OilRig Campaign, with a possible link to the threat group GreenBug.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, ISMAgent

#ISMAgent #ISMDoor #GreenBug


New Detection Technique - Foudre

Foudre is very similar to the original Infy Trojan, which was used for a number of years in numerous targeted attacks.

It includes a keylogger, and captures clipboard contents on a ten-second cycle.

It collates system information including process list, installed antivirus, cookies, and other browser data.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Foudre

#Foudre #Infy


New Detection Technique - FruitFly2

FruitFly2 is the second known variant of FruitFly.

This malware has been in circulation for roughly 5 to 10 years and had successfully avoided detection while infecting several hundred users.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan, OSX/FruitFly2

#FruitFly #OSX/FruitFly2


New Detection Technique - SMBLoris NBSS Length Mem Exhaustion Attempt

SMBLoris is a remote denial of service attack against Microsoft Windows caused by a vulnerability in the SMB network protocol.

This vulnerability affects all three SMB versions (SMBv1 through SMBv3) as well as Samba on Linux systems.

The vulnerability allows an unauthenticated attacker to open a connection to a remote computer via the SMB protocol and instruct that computer to allocate RAM to handle the connection, which can result in memory exhaustion.
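As an added illustration (not part of the original briefing or its rule set), the following Python parses the RFC 1002 NetBIOS Session Service header used on TCP/139 and flags per-source clusters of sessions that declare a large body but deliver little of it, which is the condition a memory-exhaustion detector looks for. The thresholds, the helper names and the sample session records are constructed assumptions, not values from the briefing.

```python
import struct
from collections import defaultdict

NBSS_MAX_LEN = 0x1FFFF            # largest value the 17-bit RFC 1002 length field can express
LARGE_LEN_THRESHOLD = 64 * 1024   # assumed tuning knob: declared lengths at or above this are suspicious
CONN_THRESHOLD = 20               # assumed: this many half-open large sessions from one source alerts


def parse_nbss_header(data: bytes) -> tuple[int, int]:
    """Parse the 4-byte NBSS header: type, flags (bit 0 = length bit 16), 16-bit length (big-endian)."""
    if len(data) < 4:
        raise ValueError("NBSS header needs at least 4 bytes")
    msg_type, flags, low = struct.unpack("!BBH", data[:4])
    return msg_type, ((flags & 0x01) << 16) | low


def session_is_suspicious(header: bytes, payload_received: int) -> bool:
    """True when the header declares a large body but almost none of it has arrived."""
    _, declared = parse_nbss_header(header)
    return declared >= LARGE_LEN_THRESHOLD and payload_received < declared // 8


def find_exhaustion_sources(sessions) -> dict:
    """Count half-open large-length sessions per source IP; return sources over CONN_THRESHOLD.

    `sessions` is an iterable of (src_ip, header_bytes, payload_received_bytes).
    """
    counts = defaultdict(int)
    for src, header, received in sessions:
        if session_is_suspicious(header, received):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= CONN_THRESHOLD}


def sample_sessions() -> list:
    """Constructed sample: one noisy source, one below threshold, and two benign sessions."""
    max_len_hdr = b"\x00\x01\xff\xff"   # declares 0x1FFFF bytes, nothing delivered
    sessions = [("198.51.100.7", max_len_hdr, 0) for _ in range(25)]
    sessions += [("203.0.113.9", max_len_hdr, 0) for _ in range(3)]
    sessions.append(("192.0.2.4", b"\x00\x00\x00\xc4", 196))      # small, fully delivered
    sessions.append(("192.0.2.5", b"\x00\x01\x86\xa0", 100000))   # large but fully delivered
    return sessions


if __name__ == "__main__":
    print(find_exhaustion_sources(sample_sessions()))  # {'198.51.100.7': 25}
```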

We've added IDS signatures and the following correlation rule to detect this activity:

  • Delivery & Attack, Denial of Service - Known vulnerability, SMBLoris NBSS Length Mem Exhaustion Attempt

#SMBLoris NBSS Length Mem Exhaustion Attempt


New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and the following correlation rule to detect a new ransomware family:

  • System Compromise, Ransomware infection, GlobeImposter

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear

#GlobeImposter #Cerber #Hidden-Tear


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Murlox
  • System Compromise, Trojan infection, Monero Miner
  • System Compromise, Trojan infection, FriendlyBot
  • System Compromise, Trojan infection, MSIL/TbhBot
  • System Compromise, Trojan infection, Decocohost

#MSIL/Murlox #Monero Miner #FriendlyBot #MSIL/TbhBot #Decocohost


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers.

When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.

This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK

#Exploit Kit, RIG EK


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity.

The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Orcus RAT SSL activity

#Known malicious SSL certificate #Orcus RAT SSL activity


Updated Detection Technique - Remote Access Tools

The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

We've added IDS signatures and updated the following correlation rules to detect new RAT activity:

  • System Compromise, Malware RAT, NanoCore
  • System Compromise, Malware RAT, Unknown RAT

#NanoCore #Unknown RAT


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Suspicious Behavior, Suspicious user-agent detected
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Nemucod
  • System Compromise, Trojan infection, Ovidiy
  • System Compromise, Trojan infection, Unknown trojan

#Phishing activity #Query to a DGA Domain #CoinMiner #Suspicious user-agent detected #Generic trojan dropper #Ovidiy #Unknown trojan