
AlienVault Labs Threat Intelligence Update for USM Appliance: November 18 – November 24, 2018

jkisielius

AlienVault Employee

New Detection Techniques - DarkGate

DarkGate is a new malware family that initially targeted Spain and Portugal. It carries several payloads: cryptocurrency mining, cryptocurrency theft, ransomware, keylogging, and remote access. Once it is running on a host, it tries to gather as many credentials as possible by running known credential-recovery utilities (all NirSoft tools): Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView. It then sends the harvested credentials to its command and control (C&C) server, together with common host-profile fields such as username, computer name, and processor type.
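The credential-harvesting step is a host-side detection opportunity in its own right: a legitimate user rarely runs several password and cookie recovery tools from the same parent process within a few seconds. The Python below is an added example, not AlienVault's code or a USM correlation rule. It replays constructed process-creation events (the key=value layout, hostnames, users, paths and timestamps are all made up) and alerts when one parent process on one host launches two or more of the NirSoft utilities named above inside a two-minute window. The executable file names are the tools' stock names and are an assumption: a dropper may rename them, so a production rule should also key on file hashes or the PE original file name.

```python
import re
from collections import defaultdict
from datetime import datetime

# NirSoft utilities named in the DarkGate description.  The .exe names are the
# tools' stock file names (assumption: a dropper may rename them, so a real
# rule should also match on file hash or PE original file name).
CREDENTIAL_TOOLS = {
    "mailpv.exe": "Mail PassView",
    "webbrowserpassview.exe": "WebBrowserPassView",
    "chromecookiesview.exe": "ChromeCookiesView",
    "iecookiesview.exe": "IECookiesView",
    "mzcookiesview.exe": "MZCookiesView",
    "browsinghistoryview.exe": "BrowsingHistoryView",
    "skypelogview.exe": "SkypeLogView",
}

# Constructed process-creation events (hosts, users, paths and times are made
# up for this example).  One parent launches three tools within 23 seconds;
# a second host runs two tools half an hour apart, which should not alert.
SAMPLE_EVENTS = [
    r'ts=2018-11-20T09:01:02 host=WS01 user=alice parent=C:\Users\alice\AppData\Roaming\svc.exe image=C:\Users\alice\AppData\Local\Temp\mailpv.exe cmdline="mailpv.exe /stext m.txt"',
    r'ts=2018-11-20T09:01:10 host=WS01 user=alice parent=C:\Users\alice\AppData\Roaming\svc.exe image=C:\Users\alice\AppData\Local\Temp\WebBrowserPassView.exe cmdline="WebBrowserPassView.exe /stext w.txt"',
    r'ts=2018-11-20T09:01:25 host=WS01 user=alice parent=C:\Users\alice\AppData\Roaming\svc.exe image=C:\Users\alice\AppData\Local\Temp\ChromeCookiesView.exe cmdline="ChromeCookiesView.exe /stext c.txt"',
    r'ts=2018-11-20T09:02:00 host=WS01 user=alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
    r'ts=2018-11-20T10:00:00 host=WS02 user=bob parent=C:\Windows\explorer.exe image=C:\Tools\BrowsingHistoryView.exe cmdline="BrowsingHistoryView.exe"',
    r'ts=2018-11-20T10:30:00 host=WS02 user=bob parent=C:\Windows\explorer.exe image=C:\Tools\mailpv.exe cmdline="mailpv.exe"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict; quoted values keep spaces."""
    fields = {key: value.strip('"') for key, value in _KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def tool_name(image_path):
    """Map a process image path to the credential tool it is, or None."""
    return CREDENTIAL_TOOLS.get(image_path.rsplit("\\", 1)[-1].lower())


def detect(lines, window_seconds=120, min_tools=2):
    """Alert when one parent process on one host launches at least min_tools
    distinct credential-viewer utilities within window_seconds."""
    runs = defaultdict(list)  # (host, parent) -> [(timestamp, tool), ...]
    for line in lines:
        event = parse_event(line)
        tool = tool_name(event.get("image", ""))
        if tool:
            runs[(event["host"], event["parent"])].append((event["ts"], tool))

    alerts = []
    for (host, parent), hits in runs.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            tools = sorted({tool for _, tool in hits[start:end + 1]})
            if len(tools) >= min_tools and (best is None or len(tools) > len(best["tools"])):
                best = {"host": host, "parent": parent, "tools": tools,
                        "first_seen": hits[start][0].isoformat()}
        if best:
            alerts.append(best)  # one alert per (host, parent) pair
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent process rather than on the host alone is what keeps the rule quiet on WS02, where an administrator runs two of the same tools interactively but thirty minutes apart; widening the window to an hour makes that pair fire too, so the window is the knob to tune against your own baseline.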

The malware also has anti-analysis checks. First, it refuses to run on a system with too few resources, on the assumption that such a machine is an analysis VM (a sandbox or forensic environment). Second, if it detects certain antivirus products, it attempts to disable them, or it runs only the capabilities that the detected product does not flag.

We've added NIDS signatures and the following correlation rule as a result of DarkGate activity:
  • System Compromise, Trojan infection, DarkGate

New Detection Techniques - PHPCMS 2008 (CVE-2018-19127)

CVE-2018-19127 is a code injection vulnerability in /type.php in PHPCMS 2008 that leads to remote code execution. An attacker sends a crafted request to the vulnerable CMS; because the source does no filtering on the template value it receives, arbitrary content is accepted as a template and ends up injected into code the system executes. PHPCMS 2008 is no longer the latest release, but it is still widely deployed.
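Because the bug is a missing filter on a request parameter, the request itself is where it can be spotted at the web tier, independently of the NIDS. The Python below is an added example, not the signature described here, that scans constructed Apache-style access log lines for requests to /type.php whose parameters carry characters a template name never needs but injected code does, after undoing repeated percent-encoding. The parameter name `template`, the client addresses and the payload values in the sample lines are constructed for illustration and are not a working exploit; since the text above does not name the vulnerable parameter, the scanner checks every parameter of the request.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" access-log layout: client, identd, user, [time],
# "METHOD target PROTOCOL", status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Characters a template name never needs but PHP code does: call and block
# delimiters, statement terminators, variable sigils, error suppression,
# shell/backtick and tag characters.
CODE_CHARS = re.compile(r'[(){};$@`|<>]')

# Constructed sample lines (addresses, times, parameter values made up).
# Line 2 carries code-shaped content, line 4 the same idea double-encoded;
# lines 1 and 3 are benign or not /type.php at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Nov/2018:10:15:01 +0000] "GET /type.php?id=7 HTTP/1.1" 200 1532',
    '203.0.113.9 - - [20/Nov/2018:10:15:07 +0000] "GET /type.php?template=demo%28%29%7B%7D%3B%40foo%28%24x%29 HTTP/1.1" 200 412',
    '198.51.100.2 - - [20/Nov/2018:10:16:00 +0000] "GET /index.php?template=demo%28%29 HTTP/1.1" 200 9000',
    '203.0.113.9 - - [20/Nov/2018:10:16:30 +0000] "GET /type.php?template=demo%2528%2529 HTTP/1.1" 404 0',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (double-encoding is a common evasion)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return a finding for a suspicious /type.php request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = urlsplit(match.group("target"))
    if not target.path.lower().endswith("/type.php"):
        return None
    suspicious = []
    # parse_qsl decodes one layer; fully_decode strips any further layers
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        value = fully_decode(value)
        if CODE_CHARS.search(value):
            suspicious.append((name, value))
    if not suspicious:
        return None
    return {"src": match.group("src"), "ts": match.group("ts"),
            "status": match.group("status"), "params": suspicious}


def scan(lines):
    """Run inspect_request over a log and keep only the findings."""
    return [finding for finding in (inspect_request(line) for line in lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The 404 on the double-encoded line is kept deliberately: a probe that misses is still reconnaissance against this CMS, so the scanner reports on request shape and leaves the status code to the analyst rather than filtering on success.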

We've added NIDS signatures and the following correlation rule as a result of this activity:
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, PHPCMS 2008 (CVE-2018-19127)

New Detection Techniques - Mobile Trojan Infection

We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • System Compromise, Mobile trojan infection, Android/Agent.BAA
  • System Compromise, Mobile trojan infection, Android/Locker.PN
  • System Compromise, Mobile trojan infection, Trojan-SMS.AndroidOS.Agent.uf

New Detection Techniques

We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat (CVE-2018-15979)
  • Exploitation & Installation, Hacking tool, JS Downloader Using Wscript.Shell
  • System Compromise, C&C Communication, HuadhServHelper SSL
  • System Compromise, C&C Communication, JS.InfectedMikrotik
  • System Compromise, Malware infection, JS.InfectedMikrotik
  • System Compromise, Trojan infection, Esone CnC Beacon
  • System Compromise, Trojan infection, ExtremeDownloader
  • System Compromise, Trojan infection, Hades APT Downloader
  • System Compromise, Trojan infection, Win32/InstallMonster

Updated Detection Techniques - Mobile Trojan Infection

We've updated NIDS signatures and the following correlation rule as a result of additional recent malicious activity:
  • System Compromise, Mobile trojan infection, Android.Monitor.Puma

Updated Detection Techniques - C&C Communication

We've updated our IDS signatures to include the list of SSL certificates that abuse.ch has identified as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications for several malware families, including:
  • System Compromise, C&C Communication, BrushaLoader SSL

Updated Detection Techniques

We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Ransomware infection, Kraken Ransomware
  • System Compromise, Targeted Malware, APT29
  • System Compromise, Targeted Malware, APT29 SSL Activity
  • System Compromise, Targeted Malware, OceanLotus
  • System Compromise, Trojan infection, BR.Banker
  • System Compromise, Trojan infection, Banload Downloader
