CobianRAT is a new remote access Trojan (RAT) family. Cobian RAT has a control panel and features similar to those of njRAT and H-Worm, which suggests that they share a common code base. It is noteworthy that the RAT builder contains an interesting function which acts as a backdoor: it retrieves the C&C information and allows the original author to control systems infected by the malware payloads generated from this backdoored kit.
We've updated the 'Malware Infection – Trojan' correlation rule to detect CobianRAT activity.
Due to a vulnerability in .NET serialization, a compromised WMI server accessed over DCOM using System.Management classes or the PowerShell Get-WmiObject cmdlet can cause the calling machine to run arbitrary code supplied by that server, leading to RCE on the client.
We've updated the 'Exploit – Code Execution' correlation rule to detect .NET serialization RCE activity.
In the past week, we've seen an uptick in ransomware activity in the wild. We've updated the 'Malware Infection – Ransomware' correlation rule to detect new Ransomware activity from the Bitpaymer and Nm4 families, as well as to better detect ransomware from the Cerber family.
We've updated the 'Malware Infection – Trojan' correlation rule to detect additional recent malicious activity, including MSIL/HookUp and StressHub.
Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.
We've updated the 'Exploit Kit – EK Payload Delivered' correlation rule to better detect this activity.
We've updated the 'Malware Infection – Malicious SSL Certificate' correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.
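To show what such a certificate-based rule does, here is an added example (not AlienVault's rule logic) that loads a blacklist in the abuse.ch SSL Blacklist CSV layout and matches it against TLS connection events. The blacklist entries, fingerprints and events are all constructed for this example; the CSV column order and the event field names are assumptions.

```python
import csv
import io

# Constructed sample in the abuse.ch SSL Blacklist CSV layout (listing date, SHA1, reason).
# Every fingerprint below is made up for this example and is not a real indicator.
SSLBL_SAMPLE = """# Listingdate,SHA1,Listingreason
2017-09-01 10:12:33,0123456789abcdef0123456789abcdef01234567,Botnet C&C (constructed)
2017-09-02 08:00:01,fedcba9876543210fedcba9876543210fedcba98,Malware C&C (constructed)
"""

# Constructed TLS connection events with the server certificate SHA1 as a sensor might log it
# (assumed field names: src, dst, cert_sha1). Note the mixed fingerprint formatting.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10:443",
     "cert_sha1": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"},
    {"src": "10.0.0.7", "dst": "198.51.100.4:443",
     "cert_sha1": "1111111111111111111111111111111111111111"},
    {"src": "10.0.0.9", "dst": "203.0.113.77:8443",
     "cert_sha1": "FEDCBA9876543210FEDCBA9876543210FEDCBA98"},
]


def normalize_fingerprint(fp):
    """Return a SHA1 fingerprint as bare lowercase hex, whether it was colon-separated or not."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def load_sslbl(text):
    """Parse SSLBL-style CSV into {sha1: reason}; '#' comment lines and blank lines are skipped."""
    blacklist = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        _listed, sha1, reason = row[0], normalize_fingerprint(row[1]), row[2].strip()
        if len(sha1) != 40:  # skip malformed entries rather than silently matching nothing
            continue
        blacklist[sha1] = reason
    return blacklist


def match_tls_events(events, blacklist):
    """Return one hit per event whose server certificate fingerprint is on the blacklist."""
    hits = []
    for ev in events:
        fp = normalize_fingerprint(ev["cert_sha1"])
        if fp in blacklist:
            hits.append({"src": ev["src"], "dst": ev["dst"], "sha1": fp, "reason": blacklist[fp]})
    return hits


if __name__ == "__main__":
    for hit in match_tls_events(SAMPLE_EVENTS, load_sslbl(SSLBL_SAMPLE)):
        print(f"ALERT {hit['src']} -> {hit['dst']} cert {hit['sha1']} ({hit['reason']})")
```

Because the fingerprint is normalized before the lookup, an upper-case or colon-separated value from one sensor still matches a lower-case bare entry in the list.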
The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.
We've updated the 'Malware Infection – Remote Access Trojan' correlation rule to better detect activity from remote access tools, including KONNI and NanoCore.
ISMAgent is a variant of the ISMDoor Trojan that is related to the threat actors behind the OilRig Campaign, with a possible link to the threat group GreenBug.
We've updated the 'Malware Infection – Trojan' correlation rule to detect ISMAgent activity.
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5979ed91a87db72373caeedb/
Additional correlation rules were updated as a result of recent malicious activity.