
AlienVault Labs Threat Intelligence Update for USM Anywhere: December 30 – January 5, 2019

jkisielius, AlienVault Employee

New Detection Techniques - Zebrocy

The actor known as APT28 or Fancy Bear has rewritten some of their client-side arsenal in the Go programming language to evade antivirus detection. According to Palo Alto's Unit 42 group, previously seen versions of the Zebrocy malware have been ported to and updated in the new language, but the capabilities remain the same. APT28 has been observed rewriting malware in several languages, including AutoIt, Delphi, VB.NET, C#, Visual C++ and Go.

The modus operandi of the latest attacks starts with a spear phishing email carrying a Microsoft Word attachment, with a subject tailored to the victim. If the C2 server is active at the time the document is opened, the document successfully retrieves the malicious macro and loads it in the same Microsoft Word session. Once the system has been infected, the malware proceeds to collect data, exfiltrate the stolen data, and download and execute additional malware. All of these actions use command and control URLs similar to those seen in previous variants of the malware.

We've added NIDS signatures and updated the following correlation rule as a result of Zebrocy activity:
  • System Compromise, Malware, Trojan Infection
Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5c1a0db5748dfd6fe2eb39dd

New Detection Techniques - Bitter RAT

The Bitter APT group, which became known in 2016 for performing targeted attacks against China and Pakistan, has been leveraging two main exploits recently:
  • CVE-2017-12824, a vulnerability in InPage, a word processing software designed for Urdu speakers. The exploit performs an out-of-bounds read that could lead to code execution.
  • CVE-2018-0798, a Microsoft Office vulnerability.
The attacks are performed through spear phishing with a document containing the exploits for the above vulnerabilities in InPage and Word. After exploitation, a payload with a RAT or backdoor is downloaded and installed on the system, with the usual capabilities such as viewing a list of files, system information, processes, logs, etc.

We've added NIDS signatures and updated the following correlation rule as a result of Bitter RAT activity:
  • System Compromise, Malware Infection, Remote Access Trojan Infection
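Both the Zebrocy and Bitter RAT write-ups above describe the same host-level chain: a document application (Word, InPage) reaches out to a remote server and, shortly afterwards, a payload lands on disk and runs. The following is an added example of how that chain can be correlated from endpoint telemetry; it is not USM Anywhere's rule engine or any of its actual correlation rules. The event shape, field names, ten-minute window and all sample events (hosts, addresses, paths) are constructed assumptions, not indicators from this bulletin.

```python
"""Toy correlation for document-borne infection chains:
document app -> outbound connection -> executable dropped or child process
started by the same document app within a short window.
Added example; event fields and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Document handlers the bulletin names as the initial foothold (assumed image names).
DOCUMENT_APPS = {"winword.exe", "inpage.exe"}
WINDOW = timedelta(minutes=10)   # assumed correlation window
RULE = "System Compromise, Malware, Trojan Infection"


@dataclass
class Event:
    ts: datetime    # event time
    host: str       # endpoint name
    kind: str       # "netconn" | "filewrite" | "procstart"
    process: str    # image name of the acting process
    detail: str     # destination for netconn, path for filewrite, child image for procstart


@dataclass
class Alert:
    host: str
    rule: str
    evidence: List[Event]


def correlate(events: List[Event]) -> List[Alert]:
    """Raise RULE once per beaconing document process on a host when, within
    WINDOW of its outbound connection, the same process writes an executable
    or starts a child process."""
    alerts: List[Alert] = []
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for i, beacon in enumerate(evs):
            if beacon.kind != "netconn" or beacon.process.lower() not in DOCUMENT_APPS:
                continue
            for follow in evs[i + 1:]:
                if follow.ts - beacon.ts > WINDOW:
                    break   # events are time-sorted, nothing later can match
                if follow.process.lower() != beacon.process.lower():
                    continue
                dropped = follow.kind == "filewrite" and follow.detail.lower().endswith((".exe", ".dll"))
                spawned = follow.kind == "procstart"
                if dropped or spawned:
                    alerts.append(Alert(host, RULE, [beacon, follow]))
                    break   # one alert per beacon is enough for triage
    return alerts


# Constructed telemetry (RFC 5737 test addresses); not real indicators.
T0 = datetime(2019, 1, 3, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws-17", "procstart", "explorer.exe", "winword.exe"),
    Event(T0 + timedelta(seconds=40), "ws-17", "netconn", "winword.exe", "203.0.113.10:80"),
    Event(T0 + timedelta(seconds=55), "ws-17", "filewrite", "winword.exe", r"C:\Users\u\AppData\Roaming\svc.exe"),
    Event(T0 + timedelta(seconds=58), "ws-17", "procstart", "winword.exe", r"C:\Users\u\AppData\Roaming\svc.exe"),
    # Benign: Word fetches something but nothing follows on that host.
    Event(T0 + timedelta(minutes=2), "ws-42", "netconn", "winword.exe", "198.51.100.7:443"),
    Event(T0 + timedelta(minutes=3), "ws-42", "netconn", "chrome.exe", "198.51.100.9:443"),
]


def run_sample() -> List[Alert]:
    """Correlate the constructed events; expect a single alert for ws-17."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.host, a.rule, [(e.kind, e.detail) for e in a.evidence])
```

The window and the "same process" constraint are what keep this from firing on every Word document that checks for a template update; tuning both against your own baseline is the real work of a correlation rule.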

New Detection Techniques - Trojan Infection

We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity:
  • System Compromise, Malware, Trojan Infection

New Detection Techniques

We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity:
  • Exploitation & Installation, Exploit, Code Execution
  • Exploitation & Installation, Exploit, Information Disclosure
  • System Compromise, Malware, Suspicious SSL Certificate

Updated Detection Techniques - Mobile Trojan Infection

We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity:
  • System Compromise, Malware, Trojan Infection

Updated Detection Techniques - C&C Communication

We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
  • System Compromise, Malware, Suspicious SSL Certificate
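As an added example of the check behind a "Suspicious SSL Certificate" rule, the code below matches TLS certificate fingerprints seen in a connection log against an abuse.ch SSLBL-style list. This is not USM Anywhere's signature set and not the real feed: the layout used here (comment lines, then listing date, SHA1, reason) follows the public sslblacklist.csv as far as I know and should be treated as an assumption, the connection-log shape is assumed, and every fingerprint, host and address is constructed.

```python
"""Match certificate SHA1 fingerprints from a connection log against an
SSLBL-style blacklist. Added example; feed layout and log fields are
assumptions and all values are constructed."""
import csv
import io
from typing import Dict, List, Tuple

RULE = "System Compromise, Malware, Suspicious SSL Certificate"

# Constructed feed in SSLBL-like shape: '#' comments, then date,SHA1,reason.
SSLBL_SAMPLE = """\
# Listingdate,SHA1,Listingreason
2019-01-02 08:15:44,0123456789abcdef0123456789abcdef01234567,ExampleBot C&C
2019-01-04 13:02:10,89ABCDEF0123456789ABCDEF0123456789ABCDEF,ExampleRAT C&C
not,a,valid,row,at,all
2019-01-04 13:05:00,zz,Broken entry
"""

# Constructed connection log: (time, source host, destination, leaf-cert SHA1).
CONN_LOG = [
    ("2019-01-05T09:12:01Z", "ws-17", "203.0.113.10:443", "0123456789ABCDEF0123456789abcdef01234567"),
    ("2019-01-05T09:12:30Z", "ws-42", "198.51.100.7:443", "ffffffffffffffffffffffffffffffffffffffff"),
    ("2019-01-05T09:13:02Z", "ws-17", "203.0.113.11:443", "89abcdef0123456789abcdef0123456789abcdef"),
]

HEX = set("0123456789abcdef")


def load_sslbl(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse feed text into {sha1 (lowercase): (listing_date, reason)}.
    Comment lines, short rows and non-SHA1 values are skipped, not fatal."""
    listed: Dict[str, Tuple[str, str]] = {}
    lines = (ln for ln in io.StringIO(text) if ln.strip() and not ln.startswith("#"))
    for row in csv.reader(lines):
        if len(row) < 3:
            continue
        date, sha1, reason = row[0].strip(), row[1].strip().lower(), row[2].strip()
        if len(sha1) != 40 or any(c not in HEX for c in sha1):
            continue
        listed[sha1] = (date, reason)
    return listed


def match_connections(conn_log, listed: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one hit per connection whose certificate fingerprint is listed.
    Comparison is case-insensitive because tools emit SHA1s in either case."""
    hits = []
    for ts, host, dst, sha1 in conn_log:
        entry = listed.get(sha1.strip().lower())
        if entry:
            hits.append({"ts": ts, "host": host, "dst": dst, "sha1": sha1.lower(),
                         "listed": entry[0], "reason": entry[1], "rule": RULE})
    return hits


def run_sample() -> List[dict]:
    """Load the constructed feed and scan the constructed log."""
    return match_connections(CONN_LOG, load_sslbl(SSLBL_SAMPLE))


if __name__ == "__main__":
    for h in run_sample():
        print(h["ts"], h["host"], "->", h["dst"], h["reason"], "|", h["rule"])
```

Matching on the leaf certificate's fingerprint, rather than on the destination IP, is what makes this list useful when the same malware infrastructure moves between hosts; the obvious gap is that a fresh certificate defeats it, which is why the rule is updated as the list changes.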

Updated Detection Techniques

We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity:
  • Delivery & Attack, Malware Infection, Phishing
  • System Compromise, Malware, Trojan Infection