
AlienVault Labs Threat Intelligence Update for USM Anywhere: August 27 - September 2, 2017



New Detection Technique - CobianRAT

CobianRAT is a new remote access Trojan (RAT) family. Its control panel and features are similar to those of njRAT and H-Worm, which suggests that they may share a common code base. Notably, the RAT builder contains a function that acts as a backdoor: it retrieves the C&C information and allows the original author to control systems infected by the malware payloads generated from this backdoored kit.

We've updated the 'Malware Infection – Trojan' correlation rule to detect CobianRAT activity.

New Detection Technique - .NET Serialization RCE over DCERPC

Due to a vulnerability in .NET serialization, a compromised WMI server accessed over DCOM through the System.Management classes or the PowerShell Get-WmiObject cmdlet can run arbitrary code on the calling machine, resulting in remote code execution (RCE).

We've updated the 'Exploit – Code Execution' correlation rule to detect .NET Serialization RCE activity.

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've updated the 'Malware Infection – Ransomware' correlation rule to detect new ransomware activity from the Bitpaymer and Nm4 families, as well as to better detect ransomware from the Cerber family.

New Detection Techniques

We've updated the 'Malware Infection – Trojan' correlation rule to detect additional recent malicious activity, including MSIL/HookUp and StressHub.

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've updated the ‘Exploit Kit – EK Payload Delivered’ correlation rule to better detect this activity.

Updated Detection Technique - Malware SSL Certificates

We've updated the ‘Malware Infection - Malicious SSL Certificate’ correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. 

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We've updated the 'Malware Infection – Remote Access Trojan' correlation rule to better detect the exploit activity from remote access tools, including KONNI and NanoCore.

Updated Detection Technique - ISMAgent

ISMAgent is a variant of the ISMDoor Trojan that is related to the threat actors behind the OilRig Campaign, with a possible link to the threat group GreenBug. 

We've updated the 'Malware Infection – Trojan' correlation rule to detect ISMAgent activity.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5979ed91a87db72373caeedb/

Updated Correlation Rules

Additional correlation rules were updated as a result of recent malicious activity.
