Anomali Weekly Threat Intelligence Briefing - January 2, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<h2>Trending Threats</h2>This section provide summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.<a href="https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity" target="_blank">US-CERT: GRIZZLY STEPPE – Russian Malicious Cyber Activity</a> (December 29, 2016) US-CERT released technical indicators related to recent Russian Intelligence Services cyber operations. The report includes a mix of IoCs ranging from Tor Exit nodes, Russian APT C2s, openly-available malware and webshells, and crimeware. These threats appear to be from multiple different cyber operator groups. The report insinuates that the different groups are working at the behest of the Russian government. The US-CERT report also include a well thought out set of general security recommendations that all organizations should implement to improve their security posture. Recommendation: Search your logs for these IoCs, and perform a full forensic analysis of any host found to be communicating with them. Tags: Fancy Bear, Sofacy, Grizzly Steppe<a href="https://www.whitehouse.gov/the-press-office/2016/12/29/fact-sheet-actions-response-russian-malicious-cyber-activity-and" target="_blank">Whitehouse: FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment</a> (December 29, 2016) The United States of America's Whitehouse issued a press release summarizing sanctions against Russia for the harrassment of diplomatic personnel and cyber operations surrounding the US 2016 Election. The sanctions are focused on officer personnel of the GRU. Included in the release are sanctions against two unrelated cybercriminals that reside in the Black Sea region of Russia. Tags: Fancy Bear, Sofacy, Grizzly Steppe<a href="https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" target="_blank">Switcher: Android joins the 'attack-the-router' club</a> (December 28, 2016) The Switcher trojan compromises Android OS hosts in order to ultimately compromise the local wifi network that Android OS host is using. The Switcher trojan is focused on modifying the DNS settings of the local area network, in order to hijack traffic for malicious purposes. The local area network's routers are compromised via weak default passwords in a known dictionary. This allows the malicious actors to redirect all traffic from all hosts using that local area network's DNS settings. Recommendation: Change the default passwords of your local area network routers, and check the DNS settings of hosts fror the related IOCS Tags: Switcher, APK, Android<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/" target="_blank">Sundown Exploit Kit Adds Steganography to Playbook</a> (December 29, 2016) In an interesting turn of events, Trend Micro recently observed Sundown using a cryptographic technique known as steganography - the inclusion of data hidden in image files. The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code. This was largely unexpected as the Sundown Exploit Kit (EK) has been rather lazy - copying techniques from existing EKs, and forgoing sophisticated evasion tactics. Recommendation: implement an organization wide patch update program for Flash player, or remove the Flash player software. Tags: Sundown, Exploit-Kit, Steganography<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/" target="_blank">Surge in ransomware targeting Germany - GoldenEye, Cerber, Locky</a> (December 29, 2016) In December, GoldenEye ransomware was observed by Trend Micro targeting German-speaking usersand human resource (HR) departments. GoldenEye, just a relabeled hybrid of the Petya and Mischa ransomwares, not only kept to the James Bond theme of its earlier iteration, but also its attack vector. Apart from GoldenEye, Trend Micro also saw spam runs and observed a surge in detections of Cerber, Petya, and Locky in Germany. The social lures of these malware may be German, but the risks and impact are the same for everyone Recommendation: Using a network sandbox based IDS can enable early detection of the malicious PDFs and Office Macros used to retreive much malware. Tags: Ransomware, GoldenEye, Cerber, Petya, Locky, Germany<a href="http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/" target="_blank">Campaign Evolution: pseudo-Darkleech in 2016</a> (December 30, 2016) The Darkleech campaigns have evolved since 2012 to become the Psuedo-Darkleech campaigns. These campaigns have used many exploit kits including the AnglerEK, NeutrinoEK, and RigEK. The psuedo-Darkleech campaigns are currently delivering ransomware, including Cerber most recently. Recommendation: disable javascript in browsers when possible, ensure browsers are patched. Tags: psuedo-darkleech, cerber, rigEK, Neutrino EK, Angler EK<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.<a href="https://ui.threatstream.com/tip/6699" target="_blank">NJRat Tool TIP</a> NJrat is a widely available Remote Access Tool. The tool was originally developed in 2013 by a freelance coder with the alias of `njq8`. NJRat is commonly used as general spyware and to facilitate computer intrusions. NJRAT is often delivered via drive-by downloads and phishing emails. NJRat is most commonly used to target organizations in the middle east. Tags: njrat, Remote Access Tool, RAT