AlienVault Labs Threat Intelligence Update for USM Appliance: November 11 – November 17, 2018

jkisielius
AlienVault Employee

New Detection Techniques - Mylobot

Mylobot is a versatile downloader, first reported in June 2018 by Deep Instinct researchers. It also includes anti-sandbox behaviour: after infection it stays idle for 14 days before it begins contacting its CnC server. Once active, it issues a large volume of DNS queries for a hardcoded list of 1,404 domain names.

The regions most affected by this malware are the Middle East (Iraq, Iran and Saudi Arabia), East Asia (Vietnam and China), and Argentina.

We've added NIDS signatures and the following correlation rule as a result of Mylobot activity:
  • System Compromise, Botnet infection, Mylobot
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5bec53edbc977065131869ff
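The post-dormancy behaviour described above (a burst of lookups for many distinct, largely unregistered domains) is something a defender can hunt for in DNS logs independently of any signature. The following is an added example written for this post, not AlienVault code and not the actual NIDS signature or correlation rule: it slides a time window over each client's queries and flags clients that touch many distinct registered domains, recording the NXDOMAIN share in that window. The log line format, the five-minute window, the 50-domain threshold and the sample log itself are all assumptions constructed for the example.

```python
"""Flag hosts that look up an unusual number of distinct domains in a short window.

Added example for this post; it is not AlienVault code and not the actual
NIDS signature or correlation rule. The log line format, the window and the
threshold are assumptions, and the log below is constructed, not real traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)       # assumption: sliding window per client
DISTINCT_DOMAINS = 50               # assumption: tune to your environment


def parse_line(line):
    """Assumed format: '<ISO-8601 timestamp> <client_ip> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def registered_domain(qname):
    """Collapse host names to their last two labels so that many hosts under one
    domain count once. Real code should use the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_dns_bursts(lines, window=WINDOW, threshold=DISTINCT_DOMAINS):
    """Return {client_ip: alert} for clients whose queries within any `window`
    cover at least `threshold` distinct registered domains. The alert records the
    window that first crossed the threshold and the NXDOMAIN share inside it,
    which is high when a hardcoded domain list is mostly unregistered."""
    per_client = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, client, qname, rcode = parse_line(raw)
        per_client[client].append((ts, registered_domain(qname), rcode))

    alerts = {}
    for client, events in per_client.items():
        events.sort()
        counts = Counter()   # distinct domains currently inside the window
        nxdomain = 0
        start = 0
        for ts, domain, rcode in events:
            counts[domain] += 1
            nxdomain += rcode == "NXDOMAIN"
            # slide the left edge forward until the window fits
            while ts - events[start][0] > window:
                old_ts, old_domain, old_rcode = events[start]
                counts[old_domain] -= 1
                if counts[old_domain] == 0:
                    del counts[old_domain]
                nxdomain -= old_rcode == "NXDOMAIN"
                start += 1
            if len(counts) >= threshold:
                total = sum(counts.values())
                alerts[client] = {
                    "window_start": events[start][0],
                    "window_end": ts,
                    "distinct_domains": len(counts),
                    "queries": total,
                    "nxdomain_ratio": round(nxdomain / total, 2),
                }
                break
    return alerts


def constructed_log():
    """Constructed sample: one ordinary host and one host behaving like the
    post-dormancy burst described in the post. Not captured traffic."""
    base = datetime(2018, 11, 12, 9, 0, 0)
    lines = []
    ordinary = ["www.example.com", "mail.example.org", "cdn.example.net"]
    for i in range(12):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 {ordinary[i % 3]} NOERROR")
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        rcode = "NOERROR" if i % 4 == 0 else "NXDOMAIN"
        lines.append(f"{ts} 10.0.0.23 srv.d{i:04d}list.info {rcode}")
    return lines


if __name__ == "__main__":
    for client, alert in find_dns_bursts(constructed_log()).items():
        print(client, alert)
```

The threshold is deliberately per registered domain rather than per query name, so a host fetching many assets from one CDN does not trip it; the NXDOMAIN ratio is reported alongside because a long hardcoded domain list that is mostly unregistered produces a high share of failed lookups, which is a useful second signal before raising an incident.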

New Detection Techniques - GhostDNS JS DNSChanger

GhostDNS is a botnet spread through compromised web pages. It is thought to have infected around 100,000 home routers so far. How long it has been active is unknown, but researchers estimate that the earliest campaigns are about a year old.

The main module of GhostDNS is called DNSChanger, and its behaviour resembles the older malware of the same name: it changes the DNS server settings on the infected router so that the attacker can redirect the user's traffic. DNSChanger consists of three modules, one of them written in JavaScript; that module contains 10 attack scripts targeting a total of 6 router models.

Once the router's DNS settings have been altered, user traffic is redirected to phishing sites where victims may enter sensitive data such as credit card numbers.

We've added NIDS signatures and the following correlation rule as a result of additional recent malicious activity:
  • System Compromise, Malicious website, GhostDNS JS DNSChanger
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5bb33e3b1106f56a6ce44632

New Detection Techniques - Urpage Stealer

Urpage is the name given to an as yet unidentified threat actor that may be connected to the Confucius, Patchwork, and Bahamut actors, according to Trend Micro researchers. The samples share some infrastructure links, domain names, and file hashes found on the CnC server.

Urpage targets Android devices, and its behaviour is similar to the Confucius and Patchwork stealers. It tries to install several Android applications, including one posing as Threema, an end-to-end encrypted messaging app. After installation it gathers data such as SMS messages, contact lists, audio recordings, GPS location, system files, and the device MAC address. It may also install a backdoor module, a customized version of AndroRAT. CnC traffic is base64 encoded.

Surprisingly, the same infected web pages serving the Urpage payload for Android devices were found delivering samples of Windows malware.

We've added NIDS signatures and the following correlation rule as a result of Urpage Stealer activity:
  • System Compromise, Trojan infection, Urpage Stealer
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b86c1af84048207fdac6338

New Detection Techniques - Trojan Infection

We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • System Compromise, Trojan infection, JunkMiner Downloader
  • System Compromise, Trojan infection, Operation Baby
  • System Compromise, Trojan infection, Win32.Metamorfo.Banker
  • System Compromise, Trojan infection, Win32/Snowman
  • System Compromise, Trojan infection, Zyro FTP Stealer

New Detection Techniques - Botnet Infection

We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • System Compromise, Botnet infection, PhanapikalBot
  • System Compromise, Botnet infection, TeleGbot

New Detection Techniques - C&C Communication

We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
  • System Compromise, C&C Communication, PredatorTheThief SSL
  • System Compromise, C&C Communication, SocGholish SSL
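The Abuse.ch SSL Blacklist lists the SHA-1 fingerprint of the DER-encoded server certificate seen in malware and botnet C&C traffic, and the rules above work by matching observed certificates against that list. The following is an added example written for this post, not AlienVault's IDS signature and not Abuse.ch code: it parses a list in the SSLBL CSV layout (Listingdate,SHA1,Listingreason), normalises fingerprints written with or without colon separators, matches them against Suricata EVE-style TLS records (the colon-separated `fingerprint` field), and shows how the same fingerprint is derived from a PEM certificate. Every fingerprint, IP address, hostname and the certificate stand-in is constructed for the example; none is a real indicator.

```python
"""Match TLS server-certificate fingerprints from IDS events against an
Abuse.ch SSL Blacklist style list.

Added example for this post, not AlienVault's IDS signature. The CSV layout
(Listingdate,SHA1,Listingreason) follows the Abuse.ch SSLBL export; the event
shape follows Suricata EVE 'tls' records with a colon-separated SHA-1
'fingerprint' field. Every fingerprint, IP and hostname here is constructed.
"""
import base64
import csv
import hashlib
import io
import json

SSLBL_CSV = """\
# Abuse.ch SSL Blacklist (constructed sample, fake fingerprints)
# Listingdate,SHA1,Listingreason
2018-11-13 08:12:05,0123456789abcdef0123456789abcdef01234567,PredatorTheThief C&C
2018-11-15 17:40:51,89abcdef0123456789abcdef0123456789abcdef,SocGholish C&C
"""

# Constructed EVE-style TLS events (one JSON record per line).
TLS_EVENTS = [
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.23", "dest_ip": "203.0.113.7",
                "dest_port": 443,
                "tls": {"sni": "update.example-cdn.test",
                        "fingerprint": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"}}),
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.9",
                "dest_port": 443,
                "tls": {"sni": "www.example.com",
                        "fingerprint": "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"}}),
    # resumed session: no certificate was sent, so no fingerprint is logged
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.8", "dest_ip": "198.51.100.10",
                "dest_port": 443, "tls": {"sni": "resumed.example.org"}}),
]


def normalise_fp(fp):
    """Accept 'AA:BB:...' or 'aabb...' and return 40 lowercase hex characters."""
    fp = fp.replace(":", "").strip().lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return fp


def load_sslbl(text):
    """Parse the CSV into {sha1: (listing_date, reason)}, skipping '#' comments."""
    rows = csv.reader(line for line in io.StringIO(text)
                      if line.strip() and not line.startswith("#"))
    return {normalise_fp(sha1): (date, reason) for date, sha1, reason in rows}


def fingerprint_der(der):
    """SHA-1 over the DER-encoded certificate, which is what SSLBL lists."""
    return hashlib.sha1(der).hexdigest()


def fingerprint_pem(pem):
    """Strip the PEM armour, decode to DER and fingerprint it."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return fingerprint_der(base64.b64decode(body))


def match_tls_events(event_lines, listed):
    """Return one alert per event whose server certificate fingerprint is listed.
    Events without a fingerprint (e.g. resumed sessions) are skipped, not errors."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        fp = ev.get("tls", {}).get("fingerprint")
        if not fp:
            continue
        hit = listed.get(normalise_fp(fp))
        if hit:
            listed_on, reason = hit
            alerts.append({"src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
                           "dest_port": ev["dest_port"], "sni": ev["tls"].get("sni"),
                           "sha1": normalise_fp(fp), "reason": reason,
                           "listed_on": listed_on})
    return alerts


# Constructed stand-in for a DER certificate body (not a real X.509 certificate).
SAMPLE_DER = b"constructed DER stand-in, not an X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alert in match_tls_events(TLS_EVENTS, load_sslbl(SSLBL_CSV)):
        print(alert)
```

Two practical points the code makes explicit: fingerprints arrive in different spellings (the list uses bare lowercase hex, IDS logs often use colon-separated uppercase), so normalise before comparing; and resumed TLS sessions carry no certificate, so a missing fingerprint has to be treated as "no evidence" rather than as a parse failure, otherwise a noisy feed silently stops matching.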

New Detection Techniques

We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Tenda Router Arbitrary Command Injection (CVE-2018-18728)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WordPress GDPR Plugin Privilege Escalation
  • Exploitation & Installation, Service Exploit, jQuery-File-Upload Unauthenticated File Upload with Suspicious Format
  • System Compromise, Malicious website, Hadoop RCE
  • System Compromise, Malware RAT, HuadhServHelper RAT
  • System Compromise, Mobile trojan infection, AndroidOS.Ramha.a

Updated Detection Techniques - Trojan Infection

We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • System Compromise, Trojan infection, FIN7 Griffon
  • System Compromise, Trojan infection, JS/BrushaLoader CnC
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, Obfuscated PowerShell Inbound
  • System Compromise, Trojan infection, TinyNuke

Updated Detection Techniques - C&C Communication

We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
  • System Compromise, C&C Communication, PSEmpire SSL Activity
  • System Compromise, C&C Communication, Ursnif SSL activity

Updated Detection Techniques

We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Backdoor, Mocker
  • System Compromise, Botnet infection, ELF/Muhstik
  • System Compromise, Botnet infection, PhanapikalBot
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Mobile trojan infection, Android Rootnik-AI
  • System Compromise, Ransomware infection, Kraken Ransomware
  • System Compromise, Targeted Malware, APT32
