
AlienVault Labs Threat Intelligence Update for USM Anywhere: November 25 – December 1, 2018

jkisielius (AlienVault Employee)

New Detection Techniques - DNSpionage

DNSpionage is the name of an HTTP/DNS espionage campaign targeting several Middle East countries and companies. This campaign uses fake job posting websites to deliver malicious RTF documents to the applicants.

The infection occurs when the user tries to open one of the malicious files, which contains an application form bundled with an obfuscated macro script. This macro acts as a dropper for an encoded executable file. It also creates a scheduled task to execute the malware every minute.

The malware then gathers system information and files and attempts to exfiltrate them over either HTTP or DNS tunneling. It can also act as an agent, interpreting a set of commands sent by the server to perform actions such as downloading additional scripts and utilities onto the machine. The HTTP mode generates traffic to the domain 0ffice36o[.]com. Because the encoded commands are embedded in the domain-name prefix, the DNS channel can also be used to send and receive C&C traffic.

We've added NIDS signatures and updated the following correlation rule as a result of DNSpionage activity:
  • System Compromise, Malware, Trojan Infection
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5c02eefdd2d9ca140a3c959e
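The DNS mode described above carries encoded data in the prefix of the queried name, which is what a defender can key on. The following is an added detection example, not code from this update or from AlienVault: it runs over a few constructed DNS query log lines (timestamp, client, query type, name; the names under the C2 domain are made up), matches the base domain against the defanged indicator from this update, scores the longest prefix label by length and Shannon entropy, and totals prefix bytes per base domain to catch low-and-slow tunneling. The thresholds, the log format and the two-label base-domain split are assumptions for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp, client, query type, name).
# These lines are made up for this example; they are not from the advisory.
SAMPLE_DNS_LOG = """\
2018-11-28T10:01:02Z 10.0.0.15 A www.example.com
2018-11-28T10:01:05Z 10.0.0.15 A mail.example.com
2018-11-28T10:01:09Z 10.0.0.22 TXT 4a6f686e2d5043.0ffice36o.com
2018-11-28T10:01:10Z 10.0.0.22 TXT 7a8b9c0d1e2f3a4b5c6d7e8f.0ffice36o.com
2018-11-28T10:01:11Z 10.0.0.22 TXT 9f8e7d6c5b4a39281706f5e4.0ffice36o.com
2018-11-28T10:01:15Z 10.0.0.15 A cdn.example.com
"""

# The C2 domain named in the update, kept defanged as indicators are usually
# distributed and un-defanged only when loaded into the matcher.
KNOWN_C2_DOMAINS = {d.replace("[.]", ".") for d in ("0ffice36o[.]com",)}

# Assumed log layout: four whitespace-separated fields.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base64 payloads score well above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (prefix, base_domain). Assumes a two-label registrable domain;
    a real deployment would consult the public suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    base = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return prefix, base


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, qtype, qname = m.groups()
    return {"ts": ts, "src": src, "qtype": qtype, "qname": qname}


def analyze(log_text: str, min_label_len=20, min_entropy=3.0, max_prefix_bytes=50):
    """Flag queries to known C2 domains, queries whose prefix looks like encoded
    data, and base domains that received too many prefix bytes in total."""
    findings = []
    prefix_bytes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prefix, base = split_name(rec["qname"])
        prefix_bytes[base] += len(prefix)
        reasons = []
        if base in KNOWN_C2_DOMAINS:
            reasons.append("known-c2-domain")
        longest = max(prefix.split("."), key=len) if prefix else ""
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            reasons.append("high-entropy-label")
        if reasons:
            findings.append({"src": rec["src"], "qname": rec["qname"],
                             "base_domain": base, "reasons": reasons})
    # Volume check: tunneling moves data one small label at a time, so the
    # sum of prefix bytes per base domain grows even when single queries look tame.
    for base, total in prefix_bytes.items():
        if total > max_prefix_bytes:
            findings.append({"src": None, "qname": None, "base_domain": base,
                             "reasons": ["prefix-volume"], "prefix_bytes": total})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed log the three queries under the C2 domain are flagged by the indicator match, the two 24-character hex labels additionally trip the entropy check, and the domain as a whole trips the volume check, while the ordinary example.com lookups produce nothing. The entropy and length thresholds are starting points; tune them against your own resolver logs, since CDN and anti-virus vendors legitimately use long machine-generated labels.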

New Detection Techniques - Responder.py

SpiderLabs Responder is a project freely available on GitHub that contains the logic to launch a rogue authentication server compatible with several Microsoft network protocols such as NTLM. It can be used to poison LLMNR, NetBIOS Name Service (NBT-NS), and mDNS name resolution.

This NBT-NS/LLMNR Responder has been publicly available for four years. During this time its functionality has grown, so that it can impersonate a wide variety of Microsoft-oriented network services. This includes SMB/MSSQL/HTTPS/LDAP/FTP authentication servers, a DNS server, a WPAD proxy server, an ICMP redirector, a rogue DHCP server, and a network analyzer.

We've added NIDS signatures and updated the following correlation rule as a result of NTLM Responder activity:
  • Exploitation & Installation, Malware Infection, Hacking Tool
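Network signatures are one side of detecting a rogue name-service responder; the other is a canary check a defender can run on any host or sensor. Because LLMNR answers are only ever legitimate for names that actually exist on the segment, a sensor that periodically queries names nobody owns knows that any answer it gets back came from something poisoning the protocol. The block below is an added example, not code from this update or from the Responder project: a minimal parser for LLMNR messages (which share the DNS wire format, UDP/5355) and a check that raises an alert for any answer to a canary name. The two response payloads, the hostnames, the transaction ids and the IP addresses are constructed for the example.

```python
import struct

# Constructed LLMNR (RFC 4795, UDP/5355) response messages as a sensor would
# receive them; names, transaction ids and addresses are made up.
# Message 1: an answer for a canary name that no real host owns.
CANARY_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id 0x1234, QR=1, qd=1, an=1
    b"\x0bfileshare01\x00\x00\x01\x00\x01"                 # question: fileshare01, A, IN
    b"\x0bfileshare01\x00\x00\x01\x00\x01"                 # answer: name, type A, class IN
    b"\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x63"            # TTL 30, rdlength 4, 10.0.0.99
)
# Message 2: a host answering for its own real name (legitimate traffic).
LEGIT_RESPONSE = (
    b"\x56\x78\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x08printer7\x00\x00\x01\x00\x01"
    b"\x08printer7\x00\x00\x01\x00\x01"
    b"\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x05"            # 10.0.0.5
)
# (source IP of the UDP datagram, payload) as the sensor would record them.
SAMPLE_EVENTS = [("10.0.0.99", CANARY_RESPONSE), ("10.0.0.5", LEGIT_RESPONSE)]
# Names the sensor asks for on purpose; nothing on the network is called this.
CANARY_NAMES = {"fileshare01"}


def _read_name(data: bytes, off: int):
    """Decode a DNS-style name starting at `off`; supports compression pointers."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            name, _ = _read_name(data, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_llmnr(data: bytes):
    """Parse header, questions and A-record answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def find_rogue_responders(events, canary_names):
    """Any answer for a canary name is spoofed: report who sent it."""
    alerts = []
    for src_ip, raw in events:
        msg = parse_llmnr(raw)
        if not msg["is_response"]:
            continue
        for name, claimed_ip in msg["answers"]:
            if name.lower() in canary_names:
                alerts.append({"responder": src_ip, "name": name,
                               "claimed_ip": claimed_ip})
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_responders(SAMPLE_EVENTS, CANARY_NAMES):
        print("rogue LLMNR responder:", alert)
```

In a deployment the sensor would send the canary queries itself (a plain UDP socket to 224.0.0.252:5355) and feed the replies into `find_rogue_responders`; the alert's `responder` field is the address to hunt for. The same canary idea applies to NBT-NS on UDP/137, and disabling LLMNR and NBT-NS via Group Policy where they are not needed removes the attack surface altogether.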

New Detection Techniques - C&C Communication

We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
  • System Compromise, Malware, Suspicious SSL Certificate

New Detection Techniques

We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Apoxas Stealer, Neozhvnc, PowerShell/BlasterEgg, SYSCON, Trojan/Kiaja.a, W32.Sarwent, and Win32/Phorpiex:
  • System Compromise, Malware Infection, Spyware
  • System Compromise, Malware Infection, Trojan
  • System Compromise, Malware Infection, Worm

Updated Detection Techniques - Trojan Infection

We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including Banker IcedID, Cobalt Strike, MalDoc, MSIL/Lordix, MuddyWater, Obfuscated PowerShell Inbound, Qbot, and Zebrocy:
  • System Compromise, Malware, Trojan Infection

Updated Detection Techniques

We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity, including phishing activity, CoinMiner, Symmi, Asacub.a Banker, and Phorpiex:
  • Delivery & Attack, Malware Infection, Phishing
  • System Compromise, Malware Infection, Trojan
  • System Compromise, Malware Infection, Ransomware
