
AlienVault Labs Threat Intelligence Update for USM Appliance: August 27 - September 2, 2017

jkisielius


New Detection Technique - CobianRAT

CobianRAT is a new remote access Trojan (RAT) family. Its control panel and feature set are similar to those of njRAT and H-Worm, which suggests that they share a common code base. Notably, the RAT builder contains a function that acts as a backdoor: it retrieves its own C&C information and lets the original author control systems infected by the payloads generated from the backdoored kit.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Malware RAT, CobianRAT

New Detection Technique - .NET Serialization RCE over DCERPC

Because of a vulnerability in .NET serialization, a client that queries a compromised WMI server over DCOM, whether through the System.Management classes or the PowerShell Get-WmiObject cmdlet, can end up executing arbitrary code supplied by that server. In other words, the malicious server gains remote code execution on the calling machine.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, .NET Serialization RCE over DCERPC

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, Bitpaymer
  • System Compromise, Ransomware infection, Generic Ransomware
  • System Compromise, Ransomware infection, Nm4

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ASMAX AR 804 gu Web Management Console RCE
  • System Compromise, Backdoor, Ratenjay
  • System Compromise, Trojan infection, Taskdespy
  • System Compromise, Trojan infection, PhantomClicker
  • System Compromise, Trojan infection, Omnibus
  • System Compromise, Trojan infection, Gazer
  • System Compromise, Trojan infection, IDKEY/Ghoul Banker
  • System Compromise, Trojan infection, TorJok
  • System Compromise, Trojan infection, MSIL.WernikStealer
  • System Compromise, Trojan infection, PooLen Coinminer

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Delivery & Attack, Malicious website - Exploit Kit, Sundown EK

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures covering the list of certificates that abuse.ch has identified as associated with malware or botnet activity. The updated correlation rule uses this information to detect command and control (C&C) communications from the malware families that use those certificates:

  • System Compromise, C&C Communication, Known malicious SSL certificate
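To show what this kind of detection does under the hood, here is an added example (not AlienVault code and not the USM Appliance rule itself) that matches certificate fingerprints observed on the wire against the abuse.ch SSL Blacklist (SSLBL). The SSLBL CSV layout (Listingdate,SHA1,Listingreason, with `#` comment lines) is the real feed format; the blacklist rows, the SHA1 values and the Zeek-style connection records below are constructed for illustration, and the "same host hits the same listed certificate twice" correlation step is an assumed beaconing heuristic, not the product's rule logic.

```python
"""Match observed TLS certificate SHA1 fingerprints against an SSLBL-style
blacklist and correlate repeated hits per internal host.

Added example, not AlienVault code. All data below is constructed.
Real feed: https://sslbl.abuse.ch/blacklist/sslblacklist.csv
"""
import csv
import re
from collections import defaultdict

# Constructed sample in the SSLBL CSV layout. The fingerprints are made up.
SSLBL_CSV = """\
# ############################################################
# abuse.ch SSLBL SSL Certificate Blacklist (SHA1 Fingerprints)
# ############################################################
# Listingdate,SHA1,Listingreason
2017-08-30 10:12:04,0123456789abcdef0123456789abcdef01234567,Example C&C
2017-08-31 07:45:19,89abcdef0123456789abcdef0123456789abcdef,Example malware C&C
not,a,valid,row
"""

# Constructed Zeek-style ssl/x509 records:
# (ts, id.orig_h, id.resp_h, id.resp_p, server certificate SHA1)
CONNECTIONS = [
    ("1504180000.1", "10.0.0.5", "203.0.113.9", 443,
     "0123456789ABCDEF0123456789ABCDEF01234567"),   # listed, uppercase hex
    ("1504180005.2", "10.0.0.7", "198.51.100.3", 443,
     "ffffffffffffffffffffffffffffffffffffffff"),   # not listed
    ("1504180009.9", "10.0.0.5", "203.0.113.9", 443,
     "0123456789abcdef0123456789abcdef01234567"),   # listed again, same host
]

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def load_sslbl(text):
    """Parse SSLBL CSV text into {sha1_lowercase: listing_reason}.

    Comment lines and rows that do not have exactly three fields or a
    well-formed SHA1 are skipped, so a partially corrupted feed download
    does not poison the lookup table.
    """
    blacklist = {}
    data_lines = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.reader(data_lines):
        if len(row) != 3:
            continue
        _listed, sha1, reason = row
        sha1 = sha1.strip().lower()
        if SHA1_RE.match(sha1):
            blacklist[sha1] = reason.strip()
    return blacklist


def match_connections(blacklist, conns):
    """Return one alert dict per connection whose server cert is listed.

    Fingerprints are normalised to lowercase because sensors and feeds
    disagree on hex case; a case-sensitive compare would silently miss hits.
    """
    alerts = []
    for ts, src, dst, dport, fp in conns:
        fp = fp.lower()
        if fp in blacklist:
            alerts.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                           "sha1": fp, "reason": blacklist[fp]})
    return alerts


def correlate(alerts, threshold=2):
    """Assumed correlation heuristic: group alerts by (internal host, cert) and
    keep groups with at least `threshold` hits, i.e. a host that repeatedly
    talks to the same listed certificate, which is what C&C check-ins look like.
    """
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["src"], alert["sha1"])].append(alert)
    return {key: hits for key, hits in groups.items() if len(hits) >= threshold}


if __name__ == "__main__":
    bl = load_sslbl(SSLBL_CSV)
    hits = match_connections(bl, CONNECTIONS)
    for (host, sha1), group in correlate(hits).items():
        print(f"{host} contacted listed cert {sha1} {len(group)}x: {group[0]['reason']}")
```

One practical caveat: SSLBL lists the SHA1 of the DER-encoded certificate, so the fingerprint you compare must be computed over the full certificate, not over its public key, and you should treat a single hit on a shared hosting certificate as lower confidence than repeated hits from one host.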

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, KONNI
  • System Compromise, Malware RAT, NanoCore

Updated Detection Technique - ISMAgent

ISMAgent is a variant of the ISMDoor Trojan that is related to the threat actors behind the OilRig Campaign, with a possible link to the threat group GreenBug. 

We've added IDS signatures and updated the following correlation rule to detect this activity:

  • System Compromise, Targeted Malware, ISMAgent

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5979ed91a87db72373caeedb/

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Bruteforce Authentication, Windows Login
  • Delivery & Attack, Malicious website, Phishing activity
  • Delivery & Attack, Malicious website, Social Engineering Toolkit
  • Delivery & Attack, WebServer Attack - SQL Injection, Attack Pattern Detection
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MSXMLHTTP Request
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Targeted Malware, APT.9002
  • System Compromise, Targeted Malware, Threebyte - DynCalc
  • System Compromise, Trojan infection, Banload
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Datper
  • System Compromise, Trojan infection, MSIL/Injector.MHV
  • System Compromise, Trojan infection, Win32/ASPC
  • System Compromise, Trojan infection, ZLoader
  • System Compromise, Worm infection, Internal Host scanning
