
AlienVault Labs Threat Intelligence Update for USM Appliance: November 25 – December 1, 2018

jkisielius

AlienVault Employee

New Detection Techniques - DNSpionage

DNSpionage is the name of an HTTP/DNS espionage campaign targeting several Middle East countries and companies. This campaign uses fake job posting websites to deliver malicious RTF documents to the applicants.

The infection occurs when the user tries to open one of the malicious files, which contains an application form bundled with an obfuscated macro script. This macro acts as a dropper for an encoded executable file. It also creates a scheduled task to execute the malware every minute.

The malware then gathers system information and files and tries to exfiltrate them over either HTTP or DNS tunneling. It can also act as an agent, interpreting a set of commands sent by the server to perform actions such as downloading additional scripts and utilities onto the machine. The HTTP mode generates traffic to the domain 0ffice36o[.]com. Since the encoded commands are embedded in the domain name prefix, the DNS channel can also be used to send and receive C&C traffic.

We've added NIDS signatures and the following correlation rules as a result of DNSpionage activity:
  • System Compromise, Trojan infection, DNSpionage Inbound
  • System Compromise, Trojan infection, DNSpionage Outbound
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5c02eefdd2d9ca140a3c959e
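As an added illustration that is not part of this update or of the USM rule set, the following script shows how the DNS channel described above can be surfaced from DNS query logs: it flags lookups of the C&C domain named in the write-up and, as a generic tunneling heuristic, long high-entropy labels and bursts of distinct subdomains under one parent. The log format, the thresholds and the `tunnel-parent.invalid` placeholder domain are assumptions for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Indicator named in the write-up above: the DNSpionage HTTP C&C domain.
KNOWN_C2_DOMAINS = {"0ffice36o.com"}
# Heuristic thresholds are assumptions for this example, not tuned production values.
MAX_LABEL_LEN = 30          # encoded payload labels tend to be long
MIN_ENTROPY = 3.5           # bits/char; encoded payloads look close to random
MIN_UNIQUE_SUBDOMAINS = 5   # many distinct prefixes under one parent from one host
# Assumed (constructed) log shape: "<timestamp> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) ([A-Z]+)$")

def shannon_entropy(s):
    # Bits per character of s (0 for the empty string).
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_qname(qname):
    # (prefix, parent): parent is the last two labels (naive; use a public-suffix list in practice).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(lines):
    # Returns (client, name, reason) alerts for the given query log lines.
    alerts, prefixes_seen = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, client, qname, _ = m.groups()
        prefix, parent = split_qname(qname)
        if parent in KNOWN_C2_DOMAINS:
            alerts.append((client, qname.rstrip("."), "known DNSpionage C&C domain"))
        elif prefix:
            prefixes_seen[(client, parent)].add(prefix)
            first = prefix.split(".")[0]
            if len(first) >= MAX_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY:
                alerts.append((client, qname.rstrip("."), "long high-entropy label (possible DNS tunnel)"))
    for (client, parent), prefixes in prefixes_seen.items():
        if len(prefixes) >= MIN_UNIQUE_SUBDOMAINS:
            alerts.append((client, parent, "%d distinct subdomains (possible DNS tunnel)" % len(prefixes)))
    return alerts

# Constructed sample log: a normal lookup, a hit on the known domain, one long encoded label,
# and a burst of distinct short prefixes under a placeholder parent domain.
SAMPLE_LOG = ["2018-11-27T10:00:00Z 10.0.0.5 query www.example.com. A",
              "2018-11-27T10:00:01Z 10.0.0.5 query 0ffice36o.com. A",
              "2018-11-27T10:00:02Z 10.0.0.7 query abcdefghijklmnopqrstuvwxyz0123456789.tunnel-parent.invalid. TXT"]
SAMPLE_LOG += ["2018-11-27T10:00:%02dZ 10.0.0.7 query c%d.tunnel-parent.invalid. A" % (3 + i, i) for i in range(5)]
```

Running `analyze(SAMPLE_LOG)` yields three alerts: the known-domain hit, the long encoded label, and six distinct subdomains under the placeholder parent from the same client.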

New Detection Techniques - Responder.py

SpiderLabs Responder is a project freely available on GitHub that contains the logic to launch a rogue authentication server compatible with several Microsoft network protocols such as NTLM. It can be used to poison LLMNR, NetBIOS Name Service and mDNS packets.

This NBT-NS/LLMNR Responder has been open source for four years. During this time its functionality has been extended so that it can act as a wide variety of Microsoft-oriented network nodes. These include SMB, MSSQL, HTTPS, LDAP and FTP authentication servers, a DNS server, a WPAD proxy server, an ICMP redirector, a rogue DHCP server and a network analyzer.

We've added NIDS signatures and the following correlation rule as a result of NTLM Responder activity:
  • Exploitation & Installation, Attack Tool detected, Responder NTLM Authentication HTTP Response

New Detection Techniques - C&C Communication

We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
  • System Compromise, Trojan infection, POWERSTATS SSL Certificate
  • System Compromise, Trojan infection, Zebrocy SSL Certificate
  • System Compromise, C&C Communication, BrushaLoader SSL
  • System Compromise, C&C Communication, MalDoc
  • System Compromise, C&C Communication, StrongPity SSL activity
  • System Compromise, C&C Communication, Ursnif SSL activity

New Detection Techniques

We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • System Compromise, Trojan infection, Apoxas Stealer Outbound
  • System Compromise, Trojan infection, Neozhvnc
  • System Compromise, Trojan infection, PowerShell/BlasterEgg
  • System Compromise, Trojan infection, SYSCON Inbound
  • System Compromise, Trojan infection, SYSCON Outbound
  • System Compromise, Trojan infection, Trojan/Kiaja.a Outbound
  • System Compromise, Trojan infection, W32.Sarwent Outbound
  • System Compromise, Trojan infection, Win32/Phorpiex Payload Inbound

Updated Detection Techniques - Trojan Infection

We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • System Compromise, Trojan infection, Banker IcedID
  • System Compromise, Trojan infection, CobaltStrike
  • System Compromise, Trojan infection, MalDoc
  • System Compromise, Trojan infection, MSIL/Lordix
  • System Compromise, Trojan infection, MuddyWater APT
  • System Compromise, Trojan infection, Obfuscated PowerShell Inbound
  • System Compromise, Trojan infection, Qbot
  • System Compromise, Trojan infection, Zebrocy

Updated Detection Techniques

We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
  • Delivery & Attack, Malicious website, Phishing activity
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Generic
  • System Compromise, Malware infection, Symmi
  • System Compromise, Mobile trojan infection, Asacub.a Banker
  • System Compromise, Worm infection, Phorpiex
