0861 00 JTWO (5896)

J2 CSC August 21st Weekly Briefing

This week’s threat intelligence update for our cybersecurity platform – Be Vigilant, Be Informed and Be Safe!

New Detection Technique - OSX/Mughthesec

OSX/Mughthesec is adware that targets Mac users.

It is a modified strain of the known OperatorMac adware. OSX/Mughthesec was signed with a legitimate Apple developer certificate (which Apple has since revoked), which let it pass Gatekeeper and install without the warning Apple shows for unsigned software.

To the victim, the adware is presented as an Adobe Flash installer (a common disguise for malware).

If the victim accepts the illegitimate Flash update, the installer drops and runs a number of additional applications on the victim's device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Mughthesec/SafeFinder/OperatorMac

#OSX/Mughthesec #OperatorMac #SafeFinder


New Detection Technique - Veil

Veil is a framework for generating Metasploit-compatible payloads that evade common anti-virus products.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Veil

#Veil #Metasploit


New Detection Technique - Fynloski

Fynloski, a repackaged build of a remote access tool (RAT; Fynloski is Microsoft's detection name for DarkComet), injects its code into other processes to make it harder to detect and remove.

Fynloski gives the attacker backdoor access to and control of the infected machine, enabling a number of malicious activities: capturing video from the webcam, downloading and running files, controlling the mouse, recording keystrokes, and much more.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Fynloski

#Fynloski #RAT


Microsoft/Adobe Patch Tuesday

This week's updates include Microsoft's and Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe EMF File Heap Overflow Vulnerability Inbound (CVE-2017-3121)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe EMF File Memory Corruption Vulnerability Inbound (CVE-2017-11241)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Type Confusion (CVE-2017-3106)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Information Disclosure (CVE-2017-3115)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Memory Corruption (CVE-2017-3122)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Security Bypass (CVE-2017-3118)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Use After Free (CVE-2017-3113)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft JET Database Engine RCE Inbound (CVE-2017-0250)

#Adobe #Patch Tuesday


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Agent.ATS
  • System Compromise, Trojan infection, MSIL/CoalaBot
  • System Compromise, Trojan infection, Ukodus

#MSIL #Agent.ATS #CoalaBot #Ukodus


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Invisible to the user, these kits are embedded in (or redirected to from) compromised or attacker-controlled websites.

When a user browses to a page hosting an exploit kit, the kit profiles the browser and its plugins and launches the exploits it carries for that software, in order to compromise the user and install malware on the user's machine.

This is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns in their code (obfuscation, landing-page layout, URL structure) to evade signature-based detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

#Exploit #Magnitude EK


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that abuse.ch's SSL Blacklist (SSLBL) has identified as associated with malware or botnet activity.

The updated correlation rules use these certificate fingerprints to detect command and control (C&C) communications for several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gozi SSL Activity

#Malicious #SSL Certificate #Gozi #SSL Activity
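The SSLBL feed lists the SHA1 fingerprint of each malicious certificate, so the detection is a lookup of the fingerprint the IDS extracted from the TLS handshake. The following is an added example of that lookup, not AlienVault's signatures or code. It assumes the blocklist uses the SSLBL CSV layout ("#" comment lines, then "listing date,SHA1,listing reason") and that the traffic comes from Suricata EVE JSON "tls" events whose "fingerprint" field holds the colon-separated SHA1 of the server certificate; every fingerprint and log line below is constructed for illustration and is not a real indicator.

```python
"""Match TLS server-certificate fingerprints seen by the IDS against an
abuse.ch SSLBL-style blocklist.

Added example, not code from the briefing or from AlienVault. The
blocklist and the EVE log lines below are constructed; the SHA1 values
are made up and are NOT real indicators.
"""
import base64
import hashlib
import json
from typing import Dict, Iterable, List

# Constructed blocklist in the SSLBL CSV layout.
SSLBL_SAMPLE = """\
# abuse.ch SSL Blacklist (constructed sample, not the live feed)
# Listingdate,SHA1,Listingreason
2017-08-18 09:12:41,6f1ed002ab5595859014ebf0951522d9a8c9d5e1,Gozi C&C
2017-08-19 14:03:07,2c4d6a8b9e0f1a2b3c4d5e6f708192a3b4c5d6e7,Dridex C&C
"""

# Constructed Suricata EVE "tls" events: a benign certificate, one whose
# fingerprint matches the Gozi entry (uppercase, colon-separated, as
# Suricata may emit it), and a malformed line to exercise error handling.
EVE_SAMPLE = [
    '{"timestamp":"2017-08-21T10:02:11.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.15","dest_ip":"203.0.113.10","dest_port":443,'
    '"tls":{"subject":"CN=example.org","issuerdn":"CN=Example CA",'
    '"fingerprint":"aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd"}}',
    '{"timestamp":"2017-08-21T10:05:43.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.15","dest_ip":"198.51.100.7","dest_port":443,'
    '"tls":{"subject":"CN=localhost","issuerdn":"CN=localhost",'
    '"fingerprint":"6F:1E:D0:02:AB:55:95:85:90:14:EB:F0:95:15:22:D9:A8:C9:D5:E1"}}',
    'not json at all',
]


def normalize_fp(fp: str) -> str:
    """Canonical form: lowercase hex with no separators."""
    return fp.replace(":", "").strip().lower()


def parse_sslbl(text: str) -> Dict[str, str]:
    """Parse SSLBL CSV into {sha1: listing reason}, skipping comments."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue
        _date, sha1, reason = parts
        sha1 = normalize_fp(sha1)
        if len(sha1) == 40:  # SHA1 is 20 bytes = 40 hex chars
            table[sha1] = reason.strip()
    return table


def fingerprint_pem(pem: str) -> str:
    """SHA1 fingerprint of a PEM certificate: the hash of its DER bytes.
    Useful when you hold the certificate file rather than an IDS event."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest()


def match_eve(lines: Iterable[str], blocklist: Dict[str, str]) -> List[dict]:
    """Return one alert per TLS event whose certificate fingerprint is listed."""
    alerts: List[dict] = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # malformed line; a real pipeline would count these
        if ev.get("event_type") != "tls":
            continue
        fp = normalize_fp(ev.get("tls", {}).get("fingerprint", ""))
        if fp in blocklist:
            alerts.append({
                "ts": ev.get("timestamp"),
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
                "sha1": fp,
                "reason": blocklist[fp],
            })
    return alerts


if __name__ == "__main__":
    bl = parse_sslbl(SSLBL_SAMPLE)
    for a in match_eve(EVE_SAMPLE, bl):
        print(f"{a['ts']} {a['src_ip']} -> {a['dest_ip']} "
              f"cert {a['sha1']} : {a['reason']}")
```

The normalization step matters in practice: feeds publish lowercase hex without separators while IDS logs often emit uppercase colon-separated fingerprints, and a byte-for-byte comparison would silently miss every hit.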


Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and updated the following correlation rules to detect these ransomware families:

  • System Compromise, Ransomware infection, GlobeImposter
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Nemesis

#GlobeImposter #Locky #Nemesis


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HTA File containing Wscript.Shell Call
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Upatre
  • System Compromise, Malware RAT, njRAT
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Meciv
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Winnti
  • System Compromise, Trojan infection, Zyklon

#Phishing activity #HTA File containing Wscript.Shell Call #Public IP lookup after download #Query to a DGA Domain #CoinMiner #Upatre #njRAT #Banker #Bitcoin Miner #Meciv #Unknown PowerShell #Winnti #Zyklon
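The "Public IP lookup after download" rule above is a two-stage correlation: a host downloads executable content and then, within a short window, asks an external service for its public IP, a sequence typical of freshly installed malware checking in. The briefing does not describe how the platform implements the rule; the following is an added example of one way to express such a rule, not AlienVault's code. The input format (one JSON object per HTTP transaction with ts, src_ip, host, uri and resp_mime), the list of IP-lookup services and the five-minute window are assumptions, and the log lines are constructed to show a true positive, a lookup that precedes the download, and a lookup that falls outside the window.

```python
"""Two-stage correlation: executable download followed by a public-IP lookup
from the same host within a time window.

Added example, not AlienVault's rule or code. Log format, lookup-service
list and window size are assumptions; the log lines are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List

# Services often used by malware to learn the victim's public IP (assumed
# list; extend it from your own telemetry).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org"}

# What counts as a download of executable content (assumed).
EXE_MIME = {"application/x-dosexec", "application/x-msdownload", "application/octet-stream"}
EXE_EXT = (".exe", ".dll", ".scr")

WINDOW_SECONDS = 300  # a download older than this no longer pairs with a lookup

# Constructed HTTP transaction log, one JSON object per line, sorted by time.
HTTP_LOG = [
    '{"ts":"2017-08-21T11:00:00Z","src_ip":"10.0.0.21","host":"cdn.example.net","uri":"/update.exe","resp_mime":"application/x-dosexec"}',
    '{"ts":"2017-08-21T11:01:30Z","src_ip":"10.0.0.21","host":"api.ipify.org","uri":"/","resp_mime":"text/plain"}',
    '{"ts":"2017-08-21T11:02:00Z","src_ip":"10.0.0.22","host":"ipinfo.io","uri":"/json","resp_mime":"application/json"}',
    '{"ts":"2017-08-21T11:10:00Z","src_ip":"10.0.0.22","host":"files.example.org","uri":"/setup.exe","resp_mime":"application/octet-stream"}',
    '{"ts":"2017-08-21T11:30:00Z","src_ip":"10.0.0.22","host":"icanhazip.com","uri":"/","resp_mime":"text/plain"}',
]


def parse_ts(s: str) -> float:
    """ISO-8601 UTC timestamp ("...Z") to epoch seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def is_download(ev: dict) -> bool:
    return ev.get("resp_mime", "") in EXE_MIME or ev.get("uri", "").lower().endswith(EXE_EXT)


def is_ip_lookup(ev: dict) -> bool:
    return ev.get("host", "").lower() in IP_LOOKUP_HOSTS


def correlate(lines: Iterable[str], window: int = WINDOW_SECONDS) -> List[dict]:
    """Emit an alert when a host performs an IP lookup within `window`
    seconds after downloading executable content. Events must be time-ordered."""
    recent: Dict[str, Deque[dict]] = defaultdict(deque)  # src_ip -> recent downloads
    alerts: List[dict] = []
    for raw in lines:
        try:
            ev = json.loads(raw)
            ts = parse_ts(ev["ts"])
            src = ev["src_ip"]
        except (ValueError, KeyError):
            continue  # malformed or incomplete record
        downloads = recent[src]
        # Expire downloads that fell out of the window before deciding.
        while downloads and ts - downloads[0]["ts"] > window:
            downloads.popleft()
        if is_download(ev):
            downloads.append({"ts": ts, "host": ev.get("host"), "uri": ev.get("uri")})
        elif is_ip_lookup(ev) and downloads:
            first = downloads[0]
            alerts.append({
                "src_ip": src,
                "download_host": first["host"],
                "download_uri": first["uri"],
                "lookup_host": ev.get("host"),
                "delta_seconds": int(ts - first["ts"]),
            })
            downloads.clear()  # one alert per download burst, not per lookup
    return alerts


if __name__ == "__main__":
    for a in correlate(HTTP_LOG):
        print(f"{a['src_ip']}: downloaded {a['download_host']}{a['download_uri']}, "
              f"then queried {a['lookup_host']} after {a['delta_seconds']}s")
```

Only the first host fires: the second host's lookup comes before its download, and its later lookup arrives twenty minutes after the download, well outside the window. Ordering the rule this way (download first, lookup second, bounded window) is what keeps an ordinary user visiting an IP-lookup site from producing an alert.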