
J2 CSC August 8th Weekly Briefing

This week @J2CS:

This week we cover a number of detection and correlation rule updates to the Threat Intelligence for our Cybersecurity Platform. Let us be vigilant and keep you safe!

New Detection Technique - TDTESS

  • TDTESS is a backdoor that is used by CopyKittens.
  • TDTESS provides a reverse shell with an option to download and execute files.
  • It periodically polls its command and control server for new instructions over HTTP, authenticating with Basic authentication; the commands are delivered in the body of a web page.
  • TDTESS installs itself as a stealth service that does not appear in the Services manager or in other tools that enumerate services through the Windows API or Windows Management Instrumentation (WMI).
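One way to surface the polling behaviour described above from proxy logs, as an added example (it is not part of the briefing and not the platform's own correlation rule): group requests that carry an Authorization: Basic header by client, host and credential, then flag pairs whose inter-request gaps are tightly regular. The log layout, the thresholds and every address and credential below are constructed for the example.

```python
import base64
import statistics
from collections import defaultdict

# Constructed proxy-log excerpt, one request per line:
#   <epoch> <client> <host> <path> <authorization scheme> <authorization token>
# The field layout is an assumption for this example, not a real proxy format.
SAMPLE_LOG = """\
1502150400 10.0.0.5 203.0.113.10 /cmd.php Basic dXNlcjpwYXNz
1502150700 10.0.0.5 203.0.113.10 /cmd.php Basic dXNlcjpwYXNz
1502151001 10.0.0.5 203.0.113.10 /cmd.php Basic dXNlcjpwYXNz
1502151299 10.0.0.5 203.0.113.10 /cmd.php Basic dXNlcjpwYXNz
1502151600 10.0.0.5 203.0.113.10 /cmd.php Basic dXNlcjpwYXNz
1502150410 10.0.0.7 intranet.example.test /index.html - -
1502150520 10.0.0.7 intranet.example.test /news.html Basic Ym9iOmh1bnRlcjI=
1502153000 10.0.0.7 intranet.example.test /index.html Basic Ym9iOmh1bnRlcjI=
1502155200 10.0.0.7 intranet.example.test /report.html Basic Ym9iOmh1bnRlcjI=
1502155300 10.0.0.7 intranet.example.test /report.html Basic Ym9iOmh1bnRlcjI=
"""

MIN_REQUESTS = 4                   # fewer polls than this is too little to judge periodicity
MAX_JITTER = 0.10                  # pstdev/mean of the inter-request gaps; beacons are tight
MIN_PERIOD, MAX_PERIOD = 30, 3600  # seconds; ignore sub-30s bursts and once-a-day jobs


def parse_log(text):
    """Yield (ts, client, host, path, scheme, token) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, scheme, token = line.split()
        yield int(ts), client, host, path, scheme, token


def decode_basic(token):
    """Return the user name from a Basic credential, or None if it does not decode."""
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return creds.split(":", 1)[0]


def find_basic_auth_beacons(text):
    """Return one alert per client/host/credential triple that polls at a regular period."""
    per_pair = defaultdict(list)
    for ts, client, host, path, scheme, token in parse_log(text):
        if scheme.lower() == "basic":
            per_pair[(client, host, token)].append(ts)

    alerts = []
    for (client, host, token), stamps in per_pair.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if MIN_PERIOD <= mean <= MAX_PERIOD and jitter <= MAX_JITTER:
            alerts.append({
                "client": client,
                "host": host,
                "period_s": round(mean),
                "jitter": round(jitter, 3),
                "user": decode_basic(token),
                "requests": len(stamps),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_basic_auth_beacons(SAMPLE_LOG):
        print(alert)
```

In the sample, 10.0.0.5 polls 203.0.113.10 every five minutes with the same credential and is reported; 10.0.0.7 also uses Basic authentication against the intranet server, but its gaps are irregular and it is left alone. Keying on the credential as well as the host keeps a shared proxy or load balancer from merging unrelated users into one series.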

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, TDTESS

#TDTESS #CopyKittens


New Detection Technique - Tick

The “Tick” group has been involved in cyber espionage attacks against organizations in the Republic of Korea and Japan for several years.
The group primarily targets companies that have intellectual property or sensitive information like those in the Defence and High-Tech industries.
The group is known to use custom malware called Daserf, but it also employs multiple commodity and custom tools, exploits vulnerabilities, and uses social engineering techniques.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, Tick

#Tick #Daserf


New Detection Technique - Pelco Sarix/Spectra Cameras RCE

Pelco Sarix/Spectra IP cameras, which are used in security surveillance in a wide variety of commercial and industrial settings, are vulnerable to authenticated Remote Code Execution (RCE).

The 'enable_leds' POST parameter, handled by the update() function of the GeneralSetupController.php script, is not properly sanitised before it is passed to the writeLedConfig() function that switches the LED state on or off, which allows an authenticated user to execute arbitrary code on the camera.
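An added example of the check a sensor would apply to this request; it is not the vendor's code and not the platform's own signature. It parses a POST to GeneralSetupController.php, pulls out enable_leds, and flags any value outside a small set of expected toggles or containing shell metacharacters. The allowed values, the request bodies, the hostname and the credential are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_SCRIPT = "GeneralSetupController.php"
PARAM = "enable_leds"
# Values a legitimate LED toggle should carry. This is an assumption for the
# example; the briefing only says the parameter switches the LEDs on or off.
ALLOWED_VALUES = {"0", "1", "on", "off", "true", "false"}
# Shell metacharacters that have no business in a boolean toggle.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def make_post(path, body):
    """Build a raw form POST as a sensor would see it on the wire (constructed input)."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: camera.example.test\r\n"
        "Authorization: Basic YWRtaW46YWRtaW4=\r\n"   # constructed admin:admin credential
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw):
    """Return a finding for a suspicious enable_leds update, or None for benign traffic.

    The logic mirrors what a correlation rule needs: a form POST to the
    vulnerable script whose enable_leds value is not one of the expected
    toggles, or carries shell metacharacters.
    """
    method, target, headers, body = parse_http_request(raw)
    if method != "POST" or not urlsplit(target).path.endswith(TARGET_SCRIPT):
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(PARAM)
    if not values:
        return None
    value = values[0]  # parse_qs returns a list; a repeated parameter lands here too
    if value.lower() in ALLOWED_VALUES and not SHELL_META.search(value):
        return None
    return {
        "script": TARGET_SCRIPT,
        "param": PARAM,
        "value": value,
        "metachars": sorted(set(SHELL_META.findall(value))),
        "authenticated": headers.get("authorization", "").startswith("Basic "),
    }


# Constructed requests: a normal LED toggle and one smuggling a shell command.
BENIGN = make_post("/admin/GeneralSetupController.php", "action=update&enable_leds=1")
SUSPICIOUS = make_post("/admin/GeneralSetupController.php",
                       "action=update&enable_leds=1%3Bid%3E%2Ftmp%2Fo")

if __name__ == "__main__":
    print(inspect_request(BENIGN))
    print(inspect_request(SUSPICIOUS))
```

The allowlist is the important half: a metacharacter blocklist alone misses encodings or separators you did not think of, while rejecting everything that is not a recognised toggle value catches them regardless of how the payload is dressed up.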

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Pelco Sarix/Spectra Cameras RCE

#Pelco Sarix/Spectra IP #RCE (Remote Code Execution)


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Malware RAT, Revcode
  • System Compromise, Trojan infection, Bancodor
  • System Compromise, Trojan infection, Donoff
  • System Compromise, Trojan infection, JS/Cryxos
  • System Compromise, Trojan infection, MSIL/Marker
  • System Compromise, Trojan infection, W32/Banpo

#RAT Revcode #Trojan Bancodor #Trojan Donoff #Trojan JS/Cryxos #Trojan MSIL/Marker #Trojan W32/Banpo


Updated Detection Technique - Exploit Kits

Exploit kits are the engine behind "drive-by downloads": attackers embed them in websites, invisibly to ordinary users.
When a user browses to a website hosting an exploit kit, the kit tries each exploit it carries against the visitor's browser and plugins in order to compromise the machine and install malware.
This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns in their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK

#Exploit Kit #EITest EK


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that Abuse.ch has identified as associated with malware or botnet activity.
The updated correlation rule uses these signatures to detect command and control (C&C) communications for several malware families:

  • System Compromise, C&C Communication, Known malicious SSL certificate
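An added example of how the certificate matching works; it is not the platform's own rule. SSLBL publishes the SHA-1 fingerprint of each listed certificate, which is the SHA-1 over the certificate's DER encoding, so a sensor hashes the server certificate it sees in the TLS handshake and looks the result up. The CSV excerpt, the certificate bytes and the TLS session records below are constructed for the example (the real feed format is a comment header followed by Listingdate,SHA1,Listingreason rows).

```python
import hashlib


def fingerprint(der_cert):
    """SHA-1 over the DER-encoded certificate, the form SSLBL lists (lowercase hex)."""
    return hashlib.sha1(der_cert).hexdigest()


# Constructed stand-ins for two DER certificates; not real certificates.
BAD_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-c2-cert".ljust(32, b"\x00")
GOOD_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-corp-cert".ljust(32, b"\x00")

# Constructed excerpt laid out like the SSLBL CSV feed.
SSLBL_CSV = f"""\
################################################################
# abuse.ch SSLBL - constructed excerpt for this example        #
################################################################
# Listingdate,SHA1,Listingreason
2017-08-07 10:51:04,{fingerprint(BAD_CERT_DER)},Example C&C
2017-08-04 09:12:30,0123456789abcdef0123456789abcdef01234567,Example C&C
"""


def load_sslbl(text):
    """Parse the feed into {sha1: (listing_date, reason)}, skipping comments and blanks."""
    listed = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        listing_date, sha1, reason = line.split(",", 2)
        listed[sha1.strip().lower()] = (listing_date, reason)
    return listed


# Constructed TLS-session records: (ts, client, server, server_name, server_cert_der).
TLS_SESSIONS = [
    ("2017-08-08T09:00:01", "10.0.0.12", "198.51.100.7:443", "", BAD_CERT_DER),
    ("2017-08-08T09:00:05", "10.0.0.12", "10.1.1.1:443", "mail.example.test", GOOD_CERT_DER),
    ("2017-08-08T09:15:01", "10.0.0.12", "198.51.100.7:443", "", BAD_CERT_DER),
    ("2017-08-08T09:16:40", "10.0.0.30", "198.51.100.7:443", "", BAD_CERT_DER),
]


def match_sessions(sessions, blocklist):
    """Correlate each session's server certificate against the blocklist.

    Returns one alert per (client, server) pair with a session count, so a
    beaconing host shows up once rather than once per connection.
    """
    alerts = {}
    for ts, client, server, sni, der in sessions:
        sha1 = fingerprint(der)
        if sha1 not in blocklist:
            continue
        listing_date, reason = blocklist[sha1]
        entry = alerts.setdefault((client, server), {
            "client": client, "server": server, "sni": sni or "(none)",
            "sha1": sha1, "reason": reason, "listed_at": listing_date,
            "first_seen": ts, "sessions": 0,
        })
        entry["sessions"] += 1
        entry["last_seen"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in match_sessions(TLS_SESSIONS, load_sslbl(SSLBL_CSV)):
        print(alert)
```

Hashing the DER bytes rather than trusting any fingerprint a client-side tool reports keeps the match independent of how the certificate was captured; the SNI is recorded because C2 servers on bare IP addresses often present none, which is itself worth noting in the alert.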

#C&C Communication #Known malicious SSL certificate


Updated Detection Technique - CopyKittens activity

Matryoshka is malware built by CopyKittens, an espionage group that has been attacking Israeli targets.
Matryoshka is spread through spear-phishing emails carrying a document attachment.
The document has either a malicious macro that the victim is asked to enable or an embedded executable the victim is asked to open.
The malware uses DNS for command and control communication and data exfiltration.
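An added example of detecting DNS-based C2 and exfiltration of the kind described above; it is not the platform's own logic. Per client and zone it counts distinct subdomains and measures the length and character entropy of the subdomain part, since data-carrying queries are long, look random and never repeat, while ordinary hostnames are short and few. The log layout, the two-label zone split and the thresholds are assumptions for the example, and the query log is constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line: <epoch> <client> <qtype> <qname>
# The field layout is an assumption for this example, not a specific resolver's format.
SAMPLE_DNS_LOG = """\
1502150400 10.0.0.5 TXT 0123456789abcdef.fedcba9876543210.cdn-sync.example
1502150430 10.0.0.5 TXT 13579bdf02468ace.02468ace13579bdf.cdn-sync.example
1502150460 10.0.0.5 TXT 89abcdef01234567.76543210fedcba98.cdn-sync.example
1502150490 10.0.0.5 TXT 048c159d26ae37bf.fb73ea62d951c840.cdn-sync.example
1502150520 10.0.0.5 TXT a0b1c2d3e4f56789.9876f5e4d3c2b1a0.cdn-sync.example
1502150400 10.0.0.7 A www.example.test
1502150401 10.0.0.7 A mail.example.test
1502150405 10.0.0.7 A intranet.example.test
1502150420 10.0.0.7 A www.example.test
1502150450 10.0.0.7 MX example.test
"""

MIN_UNIQUE_SUBDOMAINS = 4  # a tunnel must keep changing labels to carry data
MIN_MEAN_ENTROPY = 3.5     # bits per character; hex payloads sit at 4, base32 near 5
MIN_MEAN_LENGTH = 20       # subdomain characters per query; real hostnames are short


def shannon_entropy(s):
    """Bits per character of the string (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname):
    """Return (subdomain, zone) with the zone taken as the last two labels.

    Using the last two labels is an assumption that keeps the example
    self-contained; production code should consult the public suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text):
    """Yield (ts, client, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield int(ts), client, qtype.upper(), qname


def profile_dns(text):
    """Aggregate per (client, zone) the features that separate tunnelling from lookups."""
    groups = defaultdict(list)
    for ts, client, qtype, qname in parse_dns_log(text):
        sub, zone = split_zone(qname)
        if sub:  # apex queries carry no data in the name; ignore them
            groups[(client, zone)].append((qtype, sub))
    profiles = []
    for (client, zone), queries in groups.items():
        payloads = [sub.replace(".", "") for _, sub in queries]
        profiles.append({
            "client": client,
            "zone": zone,
            "queries": len(queries),
            "unique_subdomains": len({sub for _, sub in queries}),
            "mean_entropy": sum(map(shannon_entropy, payloads)) / len(payloads),
            "mean_length": sum(map(len, payloads)) / len(payloads),
            "txt_share": sum(1 for q, _ in queries if q in ("TXT", "NULL")) / len(queries),
        })
    return profiles


def find_dns_tunnels(text):
    """Return the profiles whose features look like DNS C2 or exfiltration."""
    return [
        p for p in profile_dns(text)
        if p["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
        and p["mean_entropy"] >= MIN_MEAN_ENTROPY
        and p["mean_length"] >= MIN_MEAN_LENGTH
    ]


if __name__ == "__main__":
    for hit in find_dns_tunnels(SAMPLE_DNS_LOG):
        print(hit)
```

The TXT share is reported rather than used as a condition because a tunnel can just as well encode its downstream channel in A or CNAME answers; the three conditions that are enforced all depend only on the query names, which every resolver log records.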

We've added IDS signatures and updated the following correlation rules to detect the recent CopyKittens activity:

  • System Compromise, Trojan infection, Matryoshka

#CopyKittens #Matryoshka #DNS C&C Communication


Updated Detection Technique - Cobalt Strike

Cobalt Strike describes itself as a "threat emulation software for red teams and penetration testers."
Cobalt Strike includes a post-exploitation agent used to simulate APT actors.
The agent can communicate over covert channels and mimic the command and control (C&C) structure of various malware families.

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, CobaltStrike

#Cobalt Strike


Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and updated the following correlation rules to detect these ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Hidden-Tear
  • System Compromise, Ransomware infection, NoobCrypt
  • System Compromise, Ransomware infection, Shifr

#Cerber #Hidden-Tear #NoobCrypt #Shifr


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Environmental Awareness, Vulnerable software, Java
  • System Compromise, Malware infection, Emotet
  • System Compromise, Trojan infection, Chthonic
  • System Compromise, Trojan infection, Generic trojan dropper
  • System Compromise, Trojan infection, Genome
  • System Compromise, Trojan infection, Imminent Monitor
  • System Compromise, Trojan infection, Keitaro TDS
  • System Compromise, Trojan infection, Unk
  • System Compromise, Trojan infection, Zyklon

#Emotet #Chthonic #Banload #Generic trojan dropper #Genome #Imminent Monitor #Keitaro TDS #Unk #Zyklon
