You might have heard about the Crypto Defense ransomware family; if not, please refer to this.
This morning I gave the development version of Hook Analyser 3.1 a try and passed it the keyword "Crypto Defense" to understand the correlation between the behaviours of the malware variants.
Following are the results*:
Blue dot - keyword (Crypto Defense)
Red dot - malware sample or hash
Black dot - IP address that the malware sample or hash communicates with
Apparently, many "unique" variants of malware samples (of the Crypto Defense family) have been released, which could indicate that this ransomware is gaining attention or is actively being used by cyber criminals.
The imphashes of the malware variants differ, which indicates that the samples might have been compiled by different threat actors or with different compilers.
Certain variants share similar IOCs, in terms of the IP addresses they communicate with.
The Tor network is being leveraged by the cyber criminals behind this malware family for payment and decryption-related purposes.
Certain malware variants have been seen since 2009; however, the majority of them have been seen in 2013.
Indicators of Compromise (IOCs) for Crypto Defense: to help the security community and incident responders, I have uploaded the malware variants' indicators of compromise (XML format).
Thought of sharing some initial thoughts and work I managed to do (during free time / weekends) on Cyber Intelligence. As you might be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas, as it can be used to provide strategic and tactical direction on cyber threats to an organisation.
The following screenshots are taken from the "development" version of Hook Analyser 3.1:
Menu 1 (option 1): Threat landscape - by country - This module ingests "user-specified" external (or Internet-facing) IP addresses from internal or external URLs and maps them back to countries. This has the potential to reveal cyber risks and to put controls on the strategic roadmap, e.g. enforcing a stringent DLP policy or a policy on travel to high-risk countries.
Menu 1 (option 2): Threat landscape - by geography - This module ingests external (or Internet-facing) IP addresses from internal or external URLs and maps them back to an exact location. This option complements the one above: in case an organisation has multiple offices in a geography, it could zoom in and consider controls for a specific location.
Menu 1 (option 3): Vulnerability feeds - This module ingests "user-specified" external (or Internet-facing) RSS feeds and generates a table. At the moment, the table is more useful on the tactical side (e.g. a new 0-day got released) than on the strategic side (e.g. which software or vendors have had more issues, timelines, etc.).
Menu 1 (option 4): Top 50 suspicious IPs - This module reaches out to websites (e.g. Stopbadware) and pulls information about known blacklisted IPs, along with a rationale, e.g. the number of malware URLs (with ASN and owner details) associated with an IP.
Menu 1 (option 5): Suspicious ASNs - This module reaches out to websites (e.g. Stopbadware) and pulls information about ASNs associated with malware-related activities. The representation is then performed via a bubble chart. For reference, a larger bubble means that the ratio of the number of malware URLs to the number of IPs on that ASN is high.
Menu 1 (option 6): Malware intelligence - This module reaches out to public sources to gather information about certain keywords and generates a "motion timeline" of malware associated with the keywords.
Menu 2 (option 1): Keyword-based malware intelligence - This module reaches out to public sources to gather information about "user-specified" keywords linked to malware samples.
Menu 2 (option 2): Keyword-based search intelligence - This module reaches out to Google to extract websites (and IPs) hosting information about the user-specified keyword, and maps them back to a geo-location. This module could be useful if an organisation wants to keep a close eye on phishing websites targeting its customers.
Menu 3, which is not added to the dashboard yet, is about IP address based intelligence. The module pulls information about a "user-specified" IP list/file from public sources, e.g. DNS records, associated malware URLs, malware files and their associated HTTP/TCP/DNS connections, and generates "bird's-eye" and "detailed" information graphs with correlation. For reference:
Blue dot - an IP address
Purple dot - a DNS record
Orange dot - a URL associated with a malware sample
Red rectangle - the malware sample associated with an IP address
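As an added example (not Hook Analyser's own code), the following Python sketches the kind of correlation that both the Crypto Defense keyword graph above and this IP-based module perform: it links constructed variant records (placeholder hashes, imphashes and C2 IPs, not real IOCs) into a keyword/sample/IP graph, finds IPs shared by more than one variant, clusters variants that share infrastructure, and groups them by imphash.

```python
# Added example (not Hook Analyser's code): correlate constructed variant records.
from collections import defaultdict

# Constructed data: hashes, imphashes and C2 IPs are placeholders, not real IOCs.
SAMPLES = [
    {"hash": "sample-A", "imphash": "imp-1", "ips": ["198.51.100.10", "203.0.113.7"]},
    {"hash": "sample-B", "imphash": "imp-1", "ips": ["198.51.100.10"]},
    {"hash": "sample-C", "imphash": "imp-2", "ips": ["203.0.113.7", "192.0.2.55"]},
    {"hash": "sample-D", "imphash": "imp-3", "ips": ["192.0.2.200"]},
]

def build_graph(keyword, samples):
    """Return (nodes, edges): keyword -> sample -> IP, like the blue/red/black dots."""
    nodes = {keyword: "keyword"}
    edges = set()
    for s in samples:
        nodes[s["hash"]] = "sample"
        edges.add((keyword, s["hash"]))
        for ip in s["ips"]:
            nodes[ip] = "ip"
            edges.add((s["hash"], ip))
    return nodes, edges

def shared_ips(samples):
    """Map each C2 IP to the samples using it; keep only IPs seen in more than one."""
    by_ip = defaultdict(set)
    for s in samples:
        for ip in s["ips"]:
            by_ip[ip].add(s["hash"])
    return {ip: hs for ip, hs in by_ip.items() if len(hs) > 1}

def infrastructure_clusters(samples):
    """Group samples transitively linked through shared C2 IPs (union-find)."""
    parent = {s["hash"]: s["hash"] for s in samples}
    def find(x):  # walk up to the root representative of x's cluster
        return x if parent[x] == x else find(parent[x])
    for hashes in shared_ips(samples).values():
        first, *rest = sorted(hashes)
        for h in rest:
            parent[find(h)] = find(first)  # merge the two clusters
    clusters = defaultdict(set)
    for h in parent:
        clusters[find(h)].add(h)
    return sorted(sorted(c) for c in clusters.values())

def imphash_groups(samples):
    """Samples sharing an imphash likely share a compiler or build toolchain."""
    groups = defaultdict(set)
    for s in samples:
        groups[s["imphash"]].add(s["hash"])
    return {k: sorted(v) for k, v in groups.items()}
```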
For some time now, I've been thinking of adding another feature/module (to the Cyber Threat Intelligence module) to the Hook Analyser project: keyword-based cyber intelligence. Fortunately, I had enough free time this afternoon to write the module.
I haven't decided on the release date yet, though I'm planning to do so sometime this month, so stay tuned!
Here is a glimpse of the "updated" Cyber Threat Intelligence dashboard. Obviously this is at the development stage, hence I can't commit to the same dashboard for the release of the new version.
I strongly recommend keeping an eye out for the upcoming release of Hook Analyser 3.0, which will include Cyber Threat Intelligence capability.
This will include a simple dashboard with information that is easy to interpret and understand.
On a side note, I have been working on another solution/project which analyses malware attacks and Internet presence across industries and presents the results in an intuitive manner.
The solution will be shared at a later stage; just a heads-up!
Thought of sharing this interesting Google project, Digital Attack Map. It is a live data visualisation of active DDoS attacks around the globe, and one of the initiatives from Google Ideas and Arbor Networks.
I will let you explore the website to understand more about it. By the looks of it (I'm not sure whether the data can be exported, which would be useful for enterprises to correlate with internal data sources), it appears quite useful from the following perspectives:
It provides "close to real-time" information about active DDoS attacks across different geographies.
Historic data/events can be leveraged to predict or produce actionable intelligence.