
AlienVault Labs Threat Intelligence Update for USM Anywhere: November 18 – November 24, 2018

jkisielius

AlienVault Employee

New Detection Techniques - DarkGate

DarkGate is a new malware family, initially targeting Spain and Portugal. The malware has multiple payload capabilities, including cryptocurrency mining, cryptocurrency theft, ransomware infection, keylogging, and remote access. During exploitation, it attempts to obtain as many credentials as possible by leveraging known credential stealer applications: Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView. Afterwards, it sends those credentials to the Command & Control server, along with other common data fields such as username, computer name, processor type, etc.

Additionally, the malware has anti-detection capabilities. First, it will not run if the system doesn't have enough resources, since it assumes such a system is a VM under forensic investigation. Second, if it detects certain antivirus software, it will try to turn that software off, or execute only the capabilities that the antivirus does not detect.

We've added NIDS signatures and updated the following correlation rule as a result of DarkGate activity:
  • System Compromise, Malware, Trojan Infection
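The credential-harvesting step described above gives host-side telemetry something concrete to key on: the report names the NirSoft utilities DarkGate bundles, and a single parent process launching several of them within seconds is rarely legitimate. The following is an added example (not AlienVault's correlation rule and not DarkGate's code) that runs that check over constructed process-creation events in the shape of EDR/Sysmon records; the field names (`image`, `description`, `ppid`, `parent_image`) and the sample executable names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Credential-stealer utilities named in the DarkGate write-up.
CREDENTIAL_TOOLS = [
    "Mail PassView", "WebBrowserPassView", "ChromeCookiesView", "IECookiesView",
    "MZCookiesView", "BrowsingHistoryView", "SkypeLogView",
]

def _norm(text):
    """Lower-case and strip non-alphanumerics so 'Mail PassView' also matches 'MailPassView.exe'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

_NORMALIZED = {_norm(name): name for name in CREDENTIAL_TOOLS}

def match_tool(event):
    """Return the credential tool an event refers to, or None.

    Both the executable name and the PE file description are checked, so a
    renamed binary is still caught while its version resource names the tool.
    """
    haystack = _norm(event.get("image", "")) + "|" + _norm(event.get("description", ""))
    for key, name in _NORMALIZED.items():
        if key in haystack:
            return name
    return None

def find_harvesting(events, window_minutes=5, min_tools=2):
    """Alert on a parent process that launches >= min_tools distinct credential
    tools within window_minutes on one host; one alert per offending parent."""
    window = timedelta(minutes=window_minutes)
    per_parent = defaultdict(list)  # (host, ppid, parent_image) -> [(ts, tool)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        tool = match_tool(ev)
        if tool:
            per_parent[(ev["host"], ev["ppid"], ev["parent_image"])].append(
                (datetime.fromisoformat(ev["ts"]), tool))
    alerts = []
    for (host, ppid, parent), launches in per_parent.items():
        for i, (start, _) in enumerate(launches):
            seen = {tool for ts, tool in launches[i:] if ts - start <= window}
            if len(seen) >= min_tools:
                alerts.append({"host": host, "ppid": ppid, "parent_image": parent,
                               "tools": sorted(seen), "first_seen": start.isoformat()})
                break
    return alerts

# Constructed sample events (hypothetical hosts, paths and file descriptions).
_TMP_PARENT = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
SAMPLE_EVENTS = [
    {"ts": "2018-11-20T09:14:02", "host": "WS-01", "pid": 5120, "ppid": 4120,
     "parent_image": _TMP_PARENT, "image": r"C:\Users\alice\AppData\Local\Temp\a1.exe",
     "description": "Mail PassView"},                      # renamed binary, description still set
    {"ts": "2018-11-20T09:14:05", "host": "WS-01", "pid": 5140, "ppid": 4120,
     "parent_image": _TMP_PARENT,
     "image": r"C:\Users\alice\AppData\Local\Temp\WebBrowserPassView.exe", "description": ""},
    {"ts": "2018-11-20T09:14:07", "host": "WS-01", "pid": 5200, "ppid": 4120,
     "parent_image": _TMP_PARENT, "image": r"C:\Windows\System32\cmd.exe",
     "description": "Windows Command Processor"},          # no match
    {"ts": "2018-11-20T09:14:09", "host": "WS-01", "pid": 5210, "ppid": 4120,
     "parent_image": _TMP_PARENT,
     "image": r"C:\Users\alice\AppData\Local\Temp\ChromeCookiesView.exe", "description": ""},
    {"ts": "2018-11-20T15:30:00", "host": "WS-02", "pid": 2200, "ppid": 1500,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Tools\skypelogview.exe",
     "description": "SkypeLogView"},                       # lone admin run, below threshold
]

if __name__ == "__main__":
    for alert in find_harvesting(SAMPLE_EVENTS):
        print(alert)
```

The threshold of two distinct tools under one parent within five minutes is the tunable part: a single run of one NirSoft tool by an administrator from Explorer should not page anyone, whereas several of them chained from a binary in a user's Temp directory is the pattern the report describes.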

New Detection Techniques - PHPCMS 2008 (CVE-2018-19127)

The Remote Code Execution vulnerability CVE-2018-19127 leverages a code injection vulnerability in /type.php in PHPCMS 2008. Attackers can send crafted requests to the vulnerable CMS. A lack of filtering in the source code allows all kinds of templates to go through and inject code into the system. Although PHPCMS 2008 is not the latest version available, it is still very widely deployed.

We've added NIDS signatures and updated the following correlation rule as a result of this activity:
  • Exploitation & Installation, Exploit, Code Execution
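Where a network signature is not available, the same request pattern can be checked in web server access logs. The following is an added example (not an AlienVault signature and not PHPCMS code) that parses Combined Log Format lines, constructed here for the sample, and flags requests to /type.php whose parameters carry PHP code markers. It assumes the injected template travels in a request parameter, since the advisory does not name the exact parameter, and the `template` parameter name in the sample is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Combined/Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Heuristic markers of PHP code arriving in a request parameter. Assumption:
# the injected template is passed as a parameter, so every parameter is inspected.
CODE_MARKERS = ("<?php", "<?=", "eval(", "system(", "passthru(", "shell_exec(")

def parse_line(line):
    """Split one access-log line into fields plus a decoded path and parameter list."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)  # one level of decoding
    return rec

def suspicious_type_php(rec):
    """Return (param_name, marker) for a /type.php request carrying PHP code, else None."""
    if rec is None or not rec["path"].lower().endswith("/type.php"):
        return None
    for name, value in rec["params"]:
        decoded = unquote_plus(value).lower()  # second pass catches double-encoded payloads
        for marker in CODE_MARKERS:
            if marker in decoded:
                return (name, marker)
    return None

def scan(lines):
    """Return one finding per suspicious line, keeping enough fields to pivot on."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hit = suspicious_type_php(rec)
        if hit:
            findings.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                             "param": hit[0], "marker": hit[1], "status": rec["status"]})
    return findings

# Constructed sample log lines (documentation IP ranges; the payload is a harmless echo).
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Nov/2018:10:02:11 +0000] "GET /type.php?typeid=1 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [21/Nov/2018:10:02:15 +0000] '
    '"GET /type.php?template=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 200 87',
    '198.51.100.4 - - [21/Nov/2018:10:03:40 +0000] "GET /index.php?q=%3C%3Fphp HTTP/1.1" 404 231',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The marker list trades recall for precision: `eval(` or `system(` can appear in legitimate content on other endpoints, which is why the check is scoped to /type.php, the path the advisory identifies, rather than applied site-wide. A 200 response to a flagged request is the line worth escalating first.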

New Detection Techniques - Mobile Trojan Infection

We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Android/Agent.BAA, Android/Locker.PN, and Trojan-SMS.AndroidOS.Agent.uf:
  • System Compromise, Malware, Trojan Infection

New Detection Techniques

We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity:
  • Exploitation & Installation, Exploit, Code Execution
  • System Compromise, Malware Infection, Ransomware
  • System Compromise, Malware, Suspicious SSL Certificate
  • System Compromise, Malware Infection, Trojan

Updated Detection Techniques - Mobile Trojan Infection

We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including Android.Monitor.Puma:
  • System Compromise, Malware, Trojan Infection

Updated Detection Techniques - C&C Communication

We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
  • System Compromise, Malware, Suspicious SSL Certificate
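The Abuse.ch certificate list is a lookup keyed on SHA1 fingerprints of server certificates, so the detection reduces to matching the fingerprint seen in a TLS handshake against that list. The following is an added example (not AlienVault's signature set and not Abuse.ch's code) that parses a constructed file in the shape of the SSLBL CSV export and matches it against constructed TLS connection records such as a Zeek ssl/x509 join would provide; the CSV layout (comment lines, then `date,SHA1,reason` rows) and the connection field names are assumptions.

```python
import csv
import re

# Constructed sample in the assumed shape of the abuse.ch SSLBL CSV export.
SAMPLE_BLACKLIST_CSV = """\
# abuse.ch SSLBL SSL Certificate Blacklist (constructed sample, not real data)
# Listingdate,SHA1,Listingreason
2018-11-19 08:12:07,0000000000000000000000000000000000000001,ConstructedMalware C&C
2018-11-20 13:45:31,0000000000000000000000000000000000000002,ConstructedBotnet C&C
"""

def normalize_fingerprint(fp):
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex; return 40 lowercase hex chars or ''."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    return cleaned if len(cleaned) == 40 else ""

def load_blacklist(text):
    """Parse SSLBL-style CSV into {sha1: {"listed": date, "reason": text}}, skipping comments."""
    entries = {}
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    for row in csv.reader(rows):
        if len(row) < 3:
            continue  # malformed row; skip rather than abort the whole load
        sha1 = normalize_fingerprint(row[1])
        if sha1:
            entries[sha1] = {"listed": row[0], "reason": row[2]}
    return entries

def match_connections(connections, blacklist):
    """Return the connection records whose server certificate fingerprint is listed."""
    hits = []
    for conn in connections:
        fp = normalize_fingerprint(conn.get("cert_sha1", ""))
        if fp in blacklist:
            hits.append({**conn, "cert_sha1": fp, **blacklist[fp]})
    return hits

# Constructed TLS connection records (documentation IP ranges, .invalid hostnames).
SAMPLE_CONNECTIONS = [
    {"ts": "2018-11-21T07:01:12", "src": "10.0.0.15", "dst": "203.0.113.7:443",
     "server_name": "update.example.invalid",
     "cert_sha1": ":".join(["00"] * 19 + ["02"])},        # colon-separated form of listed hash
    {"ts": "2018-11-21T07:02:40", "src": "10.0.0.22", "dst": "198.51.100.3:443",
     "server_name": "www.example.invalid",
     "cert_sha1": "ab" * 20},                              # not listed
    {"ts": "2018-11-21T07:03:05", "src": "10.0.0.31", "dst": "198.51.100.9:8443",
     "server_name": "", "cert_sha1": ""},                  # no certificate captured
]

if __name__ == "__main__":
    blacklist = load_blacklist(SAMPLE_BLACKLIST_CSV)
    for hit in match_connections(SAMPLE_CONNECTIONS, blacklist):
        print(hit)
```

Normalising both sides before comparison matters in practice: sensors emit fingerprints with colons, spaces or mixed case, and a silent mismatch on formatting is an easy way to run a certificate blacklist that never fires. The `listed` date also tells the analyst whether the connection predates the listing, which affects how far back to look.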

Updated Detection Techniques

We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity, including phishing activity, CoinMiner, Kraken Ransomware, APT29, APT29 SSL Activity, OceanLotus, BR.Banker, and Banload Downloader:
  • Delivery & Attack, Malware Infection, Phishing
  • System Compromise, Malware Infection, Trojan
  • System Compromise, Malware Infection, Ransomware
