
AlienVault Labs Threat Intelligence Update for USM Anywhere: December 31, 2017 - January 6, 2018

jkisielius

AlienVault Employee

New Detection Technique – Known Vulnerability, Weblogic XMLDecoder RCE (CVE-2017-10271)

This is a known vulnerability in Oracle Fusion Middleware, specifically in the Oracle WebLogic Server component. It is exploitable by an unauthenticated attacker with network access over HTTP, and a successful attacker can compromise the Oracle WebLogic Server. Oracle addressed it in the October 2017 Critical Patch Update, so unpatched servers exposing the WebLogic HTTP listener remain at risk.

The vulnerability allows remote code execution through the WLS-WSAT endpoint (under /wls-wsat/, for example CoordinatorPortType): the server hands attacker-controlled XML from the SOAP request to java.beans.XMLDecoder without restricting which classes may be instantiated. The payload is therefore an XMLDecoder-encoded object graph that creates arbitrary Java objects and invokes their methods, which is enough to run commands on the server.

We've updated the 'Exploit – Code Execution' correlation rule to detect CVE-2017-10271 activity.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5a4e1c4993199b299f90a212
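The following is an added example, not AlienVault's correlation rule or any code from the original post. It shows the shape a content check for this CVE takes: parse an HTTP request, confirm it is a POST to the WLS-WSAT path, and look for XMLDecoder markup (a `<java>` root with `<object>`/`<void>` nodes naming classes and methods) plus classes that have no business in a WS-AT message. The three sample requests are constructed for the example and are not captured traffic; the host name, the benign WS-AT body and the class list are assumptions chosen for illustration.

```python
# Added example (not AlienVault's own rule): a minimal content check for
# CVE-2017-10271-style requests, run over constructed sample HTTP requests.
import re

# The vulnerable listener lives under /wls-wsat/ (e.g. CoordinatorPortType).
WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)

# java.beans.XMLDecoder markup: a <java> root holding <object>/<void> elements
# that name the classes to instantiate and the methods to call.
XMLDECODER_ROOT = re.compile(r"<\s*java\b", re.IGNORECASE)
XMLDECODER_NODE = re.compile(
    r"<\s*(?:object|void)\b[^>]*\b(?:class|method)\s*=", re.IGNORECASE
)

# Assumed list: classes whose presence in an XMLDecoder graph indicates
# command execution or file/network access rather than a WS-AT message.
SUSPICIOUS_CLASSES = (
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.io.FileOutputStream",
    "java.io.PrintWriter",
    "java.net.URL",
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("latin-1", errors="replace")}


def inspect_request(raw: bytes) -> dict:
    """Return {"alert": bool, "reasons": [...]} for one raw request."""
    req = parse_http_request(raw)
    body = req["body"]
    on_wsat = (req["method"].upper() == "POST"
               and WSAT_PATH.search(req["path"]) is not None)
    has_graph = (XMLDECODER_ROOT.search(body) is not None
                 and XMLDECODER_NODE.search(body) is not None)
    if not (on_wsat and has_graph):
        return {"alert": False, "reasons": []}
    reasons = ["xmldecoder object graph posted to WSAT endpoint"]
    reasons += [f"references {cls}" for cls in SUSPICIOUS_CLASSES if cls in body]
    return {"alert": True, "reasons": reasons}


# Constructed sample requests (assumed host name, not real traffic).
BENIGN = (
    b"POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    b"Host: weblogic.example.internal:7001\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Header/><soapenv:Body>'
    b'<wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/>'
    b"</soapenv:Body></soapenv:Envelope>"
)
MALICIOUS = (
    b"POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    b"Host: weblogic.example.internal:7001\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    b'<java version="1.8" class="java.beans.XMLDecoder">'
    b'<object class="java.lang.ProcessBuilder">'
    b'<array class="java.lang.String" length="1"><void index="0"><string>hostname</string></void></array>'
    b'<void method="start"/></object></java></work:WorkContext></soapenv:Header>'
    b"<soapenv:Body/></soapenv:Envelope>"
)
WSDL_PROBE = (
    b"GET /wls-wsat/CoordinatorPortType?WSDL HTTP/1.1\r\n"
    b"Host: weblogic.example.internal:7001\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS),
                          ("wsdl-probe", WSDL_PROBE)):
        print(label, inspect_request(sample))
```

Only the second sample alerts: it is a POST to the WSAT path whose SOAP header carries an XMLDecoder graph that instantiates java.lang.ProcessBuilder. The WSDL GET and the plain WS-AT body do not, which keeps the check from firing on ordinary transaction traffic to the same endpoint. In practice the same two conditions (WSAT path plus XMLDecoder markup) are what to look for in proxy or WAF logs, and any match on a server that has not received the October 2017 patch should be treated as a compromise until proven otherwise.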

New Detection Technique – MedusaHTTP

MedusaHTTP is the name of a botnet that appeared in early 2017, written in .NET and designed to perform DDoS attacks. It is an evolution of an IRC-based botnet called MedusaIRC. The botnet uses HTTP for command and control and is typically delivered via the Rig Exploit Kit.

The initial connection of MedusaHTTP is a POST request with a static user agent sent to the C&C server. It contains information about the infected machine, after which the bot waits for instructions. It is a capable DDoS bot and includes TCP and UDP flooding methods.

We've updated the 'Malware Infection – Trojan' correlation rule to detect MedusaHTTP activity.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5a3dd57e0faf50552e9f9223

New Detection Techniques – Trojan Infection

We've also updated the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from the following families: Cybergate/Rebhip/Spyrat/Win32.Poison, iSpy Keylogger, MSIL/Bancos, NepaCollector, Oilrig, Python Monero, Qasar Variant, Sharik/Smoke, Win32/ChaseBrute, Win32/CoinMining, and Xtrat/XtremRAT.

Updated Detection Technique – Kazy

The Kazy name refers to a number of related malware downloaders. It is usually delivered in GIF images and executable packages. It first appeared in 2010, and today most of its versions are detected by mainstream antivirus products. It is a dropper trojan that installs further malware such as spyware, remote access tools and keyloggers; often the final payload is used to send spam email targeting online bank accounts.

The best way to prevent this trojan from infecting a machine is to follow safe browsing practices, such as downloading installable files only from legitimate sources and not opening attachments from unknown senders.

We've updated the 'Malware Infection – Trojan' correlation rule to detect Win32.Kazy activity.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5a56019b49cace55f8249929

Updated Detection Technique – Trojan Infection

We've also updated the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Crimson, Xtrat/XtremRAT, Babylon and CoinMiner trojan families.

Updated Correlation Rules

Additional correlation rules were updated as a result of recent malicious activity.
