Goldeneye is a new ransomware family which spreads via email, utilizing a novel technique by attaching both a 'clean' and a malicious file in an attempt to lull the victim into a false sense of security. Goldeneye is also unique in that, after encrypting a user's files, it then runs a modified variant of the Petya ransomware to encrypt the Master File Table (MFT) of the victim's hard drive.
We've added IDS signatures and created the following correlation rule to detect this activity:
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/58506bbbb3228a06556d0496/
Last week, we also added IDS signatures and updated correlation rules to detect the following ransomware families:
A backdoor was recently discovered in Sony IPELA Engine IP Cameras. The backdoor could allow attackers to execute commands as an administrative user.
The following correlation rule has been added due to this exploit activity:
Exploitation & Installation, Client Side Exploit - Known Vulnerability, Sony IPELA Engine IP Camera telnet enable
The following correlation rules have been added due to recent malicious activity:
Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.
We've added IDS signatures and updated the following correlation rules to improve exploit kit detection:
We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect C&C communications related to several malware families including:
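To show how a certificate blocklist like the Abuse.ch feed turns into a C&C detection, here is an added Python example (not code from the original post or from AlienVault): it loads a constructed blocklist in the abuse.ch SSLBL CSV layout, normalizes the SHA1 fingerprints, and flags constructed TLS connection events whose server certificate is listed. The event JSON layout and all fingerprints, IPs and family labels are constructed for the example.

```python
import csv
import io
import json

# Constructed sample in the abuse.ch SSLBL CSV layout ('#' comments, then
# Listingdate,SHA1,Listingreason). Fingerprints and families are made up.
BLOCKLIST_CSV = """\
# abuse.ch SSL Blacklist (constructed sample, not the real feed)
# Listingdate,SHA1,Listingreason
2016-12-13 10:00:00,0123456789abcdef0123456789abcdef01234567,Gozi C&C
2016-12-14 08:30:00,89abcdef0123456789abcdef0123456789abcdef,Dridex C&C
"""

# Constructed TLS events, one JSON object per line, carrying the server
# certificate's SHA1 as a sensor might log it (colon-separated or bare hex).
TLS_EVENTS = """\
{"src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"tls":{"fingerprint":"01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}}
{"src_ip":"10.0.0.7","dest_ip":"198.51.100.2","dest_port":443,"tls":{"fingerprint":"de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef"}}
{"src_ip":"10.0.0.9","dest_ip":"192.0.2.44","dest_port":8443,"tls":{"fingerprint":"89ABCDEF0123456789ABCDEF0123456789ABCDEF"}}
"""

def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex with separators removed so feed and sensor formats compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()

def load_blocklist(text: str) -> dict:
    """Map normalized SHA1 -> listing reason, skipping comments and malformed rows."""
    lines = (ln for ln in io.StringIO(text) if ln.strip() and not ln.startswith("#"))
    entries = {}
    for row in csv.reader(lines):
        if len(row) < 3:
            continue  # malformed row: ignore rather than crash the matcher
        sha1 = normalize_fingerprint(row[1])
        if len(sha1) == 40:  # only well-formed SHA1 hex is usable as an indicator
            entries[sha1] = row[2].strip()
    return entries

def match_tls_events(events_text: str, blocklist: dict) -> list:
    """Return one alert dict per TLS event whose server certificate is blocklisted."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        fp = normalize_fingerprint(ev.get("tls", {}).get("fingerprint", ""))
        reason = blocklist.get(fp)
        if reason:
            alerts.append({"src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
                           "dest_port": ev["dest_port"], "sha1": fp, "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in match_tls_events(TLS_EVENTS, load_blocklist(BLOCKLIST_CSV)):
        print(f"C&C cert match: {a['src_ip']} -> {a['dest_ip']}:{a['dest_port']} ({a['reason']})")
```

The normalization step matters in practice: feeds publish bare lower-case hex while many sensors log colon-separated or upper-case fingerprints, and a byte-for-byte comparison would silently miss the match.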
The typical attack pattern starts by exploiting a vulnerability, followed by installation of malware, which often includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.
We've added IDS signatures and updated correlation rules to detect the following RAT activity:
System Compromise, Malware RAT, Quasar RAT
Qadars is a banking trojan being used by an unknown threat actor. Qadars has primarily been seen targeting 6 countries: the Netherlands, France, Canada, India, Australia and Italy. Qadars uses a Man-in-the-Browser (MitB) scheme to perform financial fraud.
We've added IDS signatures and updated the following correlation rule to detect Qadars activity:
In October 2014, FireEye published a report about a threat actor that they named APT28. APT28 continues to be active today. As described in a blog post, "We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicate one of the group's objectives is gathering geopolitical intelligence."
We've added IDS signatures and modified the following correlation rule to detect APT28 activity:
Related content in Open Threat Exchange: https://otx.alienvault.com/browse/pulses/?q=apt28
Dreambot is one of the most active variants of the Ursnif trojan. This variant sets itself apart from the others by introducing Tor and P2P communication functionality. Dreambot is currently being spread through a variety of means including, but not limited to, exploit kits, malicious links, and email attachments.
We've added IDS signatures and updated the following correlation rule to detect this activity:
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/57c050421bae720146308781/
The following correlation rules have been updated due to recent malicious activity: