J2 CSC August 14th Weekly Briefing
This week @J2CS:
This week, a number of detection and correlation rule updates to our Threat Intelligence for our Cybersecurity Platform – Be Vigilant, Be Informed and Be Safe!
New Detection Technique - ISMAgent
ISMAgent is a variant of the ISMDoor Trojan that is related to the threat actors behind the OilRig Campaign, with a possible link to the threat group GreenBug.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Targeted Malware, ISMAgent
#ISMAgent #ISMDoor #GreenBug
New Detection Technique - Foudre
Foudre is very similar to the original Infy Trojan, which has been used for a number of years in numerous targeted attacks.
It includes a keylogger, and captures clipboard contents on a ten-second cycle.
It collates system information including process list, installed antivirus, cookies, and other browser data.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Trojan infection, Foudre
#Foudre #Infy
New Detection Technique - FruitFly2
FruitFly2 is the second known variant of FruitFly.
This malware has been in circulation for roughly 5 to 10 years and had successfully avoided detection while infecting several hundred users.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Trojan, OSX/FruitFly2
#FruitFly #OSX/FruitFly2
New Detection Technique - SMBLoris NBSS Length Mem Exhaustion Attempt
SMBLoris is a remote denial of service attack against Microsoft Windows caused by a vulnerability in the SMB network protocol.
This vulnerability affects not only all three SMB versions (SMBv1 through SMBv3) but also Samba on Linux systems.
The vulnerability allows an unauthenticated attacker to open a connection to a remote computer via the SMB protocol and instruct that computer to allocate RAM to handle the connection, which can result in memory exhaustion.
We've added IDS signatures and the following correlation rule to detect this activity:
- Delivery & Attack, Denial of Service - Known vulnerability, SMBLoris NBSS Length Mem Exhaustion Attempt
#SMBLoris NBSS Length Mem Exhaustion Attempt
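The attack described above works by announcing a large payload length in the 4-byte NetBIOS Session Service (NBSS) header that precedes every SMB message on TCP/445, then never sending the body, so the server keeps the pre-allocated buffer for each idle connection. The following Python is an added detection example, not code from J2CS or from the platform's own IDS signatures: it parses NBSS headers from per-connection records, flags connections whose declared length is large but whose body never arrives, and reports sources that open many such connections. The connection records, the length threshold (64 KiB) and the per-source connection threshold are constructed assumptions for illustration; in practice the records would be evaluated once a connection has gone idle or closed.

```python
from collections import defaultdict

NBSS_HEADER_LEN = 4          # NBSS header: 1 byte type + 3 byte length (TCP/445 direct-hosted SMB)
NBSS_SESSION_MESSAGE = 0x00  # message type used for normal SMB traffic
LARGE_LENGTH = 0x10000       # assumed threshold: a declared body of 64 KiB or more is "large"
MIN_SUSPECT_CONNS = 5        # assumed threshold: this many stalled large connections per source


def parse_nbss_header(data: bytes):
    """Return (message_type, declared_length) from the first 4 bytes of a
    client->server NBSS stream, or None if fewer than 4 bytes were seen.
    On TCP/445 the three bytes after the type form a 24-bit big-endian length."""
    if len(data) < NBSS_HEADER_LEN:
        return None
    msg_type = data[0]
    declared_length = int.from_bytes(data[1:NBSS_HEADER_LEN], "big")
    return msg_type, declared_length


def classify_connection(first_segment: bytes, total_client_bytes: int) -> str:
    """Classify one (idle or closed) connection.

    "suspect" means the client announced a large body and then sent less than it
    announced, which is the memory-exhaustion pattern: the server has allocated a
    buffer for a body that never arrives."""
    header = parse_nbss_header(first_segment)
    if header is None:
        return "incomplete"
    msg_type, declared = header
    if msg_type != NBSS_SESSION_MESSAGE:
        return "other"
    delivered = total_client_bytes - NBSS_HEADER_LEN
    if declared >= LARGE_LENGTH and delivered < declared:
        return "suspect"
    return "normal"


def find_smbloris_sources(connections, min_conns=MIN_SUSPECT_CONNS):
    """Count suspect connections per source address and return the sources at
    or above the threshold. `connections` holds (src_ip, first_segment, total_bytes)."""
    suspect_counts = defaultdict(int)
    for src_ip, first_segment, total_bytes in connections:
        if classify_connection(first_segment, total_bytes) == "suspect":
            suspect_counts[src_ip] += 1
    return {src: n for src, n in suspect_counts.items() if n >= min_conns}


# Constructed sample records (RFC 5737 documentation addresses), not real captures.
NORMAL_NEGOTIATE = b"\x00\x00\x00\x64" + b"\xfeSMB" + b"\x00" * 96   # declares 100 bytes, sends 100
STALLED_LARGE = b"\x00\x01\xff\xff"                                  # declares 131071 bytes, sends none
SESSION_REQUEST = b"\x81\x00\x00\x44"                                # NBSS type 0x81, not a session message

SAMPLE_CONNECTIONS = (
    [("192.0.2.10", NORMAL_NEGOTIATE, 104)]
    + [("198.51.100.9", STALLED_LARGE, 4)] * 6      # six stalled large connections: reported
    + [("203.0.113.7", STALLED_LARGE, 4)] * 2       # two stalled connections: below threshold
    + [("192.0.2.11", SESSION_REQUEST, 72)]
)

if __name__ == "__main__":
    for src, count in find_smbloris_sources(SAMPLE_CONNECTIONS).items():
        print(f"possible SMBLoris memory-exhaustion attempt from {src}: {count} stalled connections")
```

The per-source count matters more than any single header: one stalled large write can be a slow legitimate client, whereas many simultaneous connections that each announce a large body and then go quiet match the resource-exhaustion pattern the signature is looking for.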
New Detection Technique - Ransomware
In the past week, we've seen an uptick in ransomware activity in the wild.
We've added IDS signatures and the following correlation rules to detect new ransomware families:
- System Compromise, Ransomware infection, GlobeImposter
We also added IDS signatures and updated correlation rules to better detect the following ransomware families:
- System Compromise, Ransomware infection, Cerber
- System Compromise, Ransomware infection, Hidden-Tear
#GlobeImposter #Cerber #Hidden-Tear
New Detection Techniques
We've added the following correlation rules as a result of additional recent malicious activity:
- System Compromise, Trojan infection, MSIL/Murlox
- System Compromise, Trojan infection, Monero Miner
- System Compromise, Trojan infection, FriendlyBot
- System Compromise, Trojan infection, MSIL/TbhBot
- System Compromise, Trojan infection, Decocohost
#MSIL/Murlox #Monero Miner #FriendlyBot #MSIL/TbhBot #Decocohost
Updated Detection Technique - Exploit Kits
Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers.
When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.
This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns they use within their code to evade detection.
We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:
- Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
#Exploit Kit, RIG EK
Updated Detection Technique - Malware SSL Certificates
We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.
The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
- System Compromise, C&C Communication, Known malicious SSL certificate
- System Compromise, C&C Communication, Orcus RAT SSL activity
#Known malicious SSL certificate #Orcus RAT SSL activity
Updated Detection Technique - Remote Access Tools
The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.
We've added IDS signatures and updated the following correlation rules to detect new RAT activity:
- System Compromise, Malware RAT, NanoCore
- System Compromise, Malware RAT, Unknown RAT
#NanoCore #Unknown RAT
Updated Correlation Rules
We've updated the following correlation rules as a result of recent malicious activity:
- Delivery & Attack, Malicious website, Phishing activity
- System Compromise, C&C Communication, Query to a DGA Domain
- System Compromise, Malware infection, CoinMiner
- System Compromise, Suspicious Behavior, Suspicious user-agent detected
- System Compromise, Trojan infection, Generic trojan dropper
- System Compromise, Trojan infection, Nemucod
- System Compromise, Trojan infection, Ovidiy
- System Compromise, Trojan infection, Unknown trojan
#Phishing activity #Query to a DGA Domain #CoinMiner #Suspicious user-agent detected #Generic trojan dropper #Ovidiy #Unknown trojan