What is #OperationSMN?
Operation SMN is the first of what Novetta hopes will be many efforts by the cyber security industry to capture, analyze, share, iterate, distribute, and then act and report on threats. For this case we chose a single advanced threat group that we have named “Axiom,” whose activity has gone unabated for multiple years and which has demonstrated a level of sophistication in both tooling and techniques that has proven extremely effective in maintaining long-term persistence. This effort focused on the detection and removal of the malware families (tools) used by Axiom, while the methods we created and used were meant to ensure that, going forward, the ability to use these tools would be as constricted as possible. We are relying on industry to act on the information shared to provide that effect not only against Axiom, but also against other actors who use the same tools. During this operation we did not conduct any sinkholing, domain takedowns, or technical operations against pieces of malware (there were no p2p botnets to poison). Also, by no means is this operation over; we are still collecting and analyzing data to provide an impact assessment, as well as finishing the full reporting for distribution.
How does a company or individual take advantage of #OperationSMN?
Endpoint protection:
The biggest and simplest thing that an enterprise or individual can do to take advantage of our effort is to download and install this month’s Malicious Software Removal Tool (MSRT) from Microsoft. This will give you the best chance of identifying and removing most of the known tools used by the Axiom threat group. We also highly encourage you to run the MSRT monthly against all Windows machines, as there are a host of other threats that it detects and cleans.
Network Detection:
As a participant in #OperationSMN, Cisco/Sourcefire has pushed out the following IDS signatures that detect the malware families used by Axiom. We strongly encourage you to download and deploy these signatures to your IDS platforms as soon as possible.
ClamAV names and Snort Signature IDs detecting Axiom/Group 72 RAT malware:
- Gh0stRat — Win.Trojan.Gh0stRAT, 19484, 27964
- PoisonIVY / DarkMoon — Win.Trojan.DarkMoon, 7816, 7815, 7814, 7813, 12715, 12724
- Hydraq — Win.Trojan.HyDraq, 16368, 21304
- HiKit — Win.Trojan.HiKit, 30948
- Zxshell — Win.Trojan.Zxshell, 32180, 32181
- DeputyDog — Win.Trojan.DeputyDog, 28493, 29459
- Derusbi — Win.Trojan.Derusbi, 20080
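Once the Sourcefire rules are pulled into a Snort deployment, the practical check is whether every SID above is actually present and not commented out. The following script is an added example (not part of the original post or of Cisco/Sourcefire's rule set): it parses a Snort-style rules file, treats a leading '#' as a disabled rule, and reports per family which of the listed SIDs are missing or disabled. The rule lines in SAMPLE_RULES are constructed for illustration only.

```python
import re

# Snort SIDs listed above, keyed by Axiom malware family.
AXIOM_SIDS = {
    "Gh0stRat": {19484, 27964},
    "PoisonIVY / DarkMoon": {7816, 7815, 7814, 7813, 12715, 12724},
    "Hydraq": {16368, 21304},
    "HiKit": {30948},
    "Zxshell": {32180, 32181},
    "DeputyDog": {28493, 29459},
    "Derusbi": {20080},
}

# Matches the sid option inside a rule body, e.g. "sid:19484;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def load_rule_sids(rules_text):
    """Return (enabled, disabled) SID sets found in Snort rules text.
    A rule whose line begins with '#' is counted as disabled."""
    enabled, disabled = set(), set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue  # blank line, comment without a rule, or non-rule text
        sid = int(m.group(1))
        (disabled if stripped.startswith("#") else enabled).add(sid)
    return enabled, disabled

def axiom_coverage(rules_text):
    """Map each family to the listed SIDs that are missing or disabled."""
    enabled, disabled = load_rule_sids(rules_text)
    return {
        family: {
            "missing": sorted(sids - enabled - disabled),
            "disabled": sorted(sids & disabled),
        }
        for family, sids in AXIOM_SIDS.items()
    }

# Constructed sample rules file; the rule contents are placeholders, not real signatures.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed Gh0st"; sid:19484; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed Gh0st variant"; sid:27964; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed HiKit"; sid:30948; rev:2;)
alert tcp any any -> any any (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for family, gaps in axiom_coverage(SAMPLE_RULES).items():
        if gaps["missing"] or gaps["disabled"]:
            print(f"{family}: missing={gaps['missing']} disabled={gaps['disabled']}")
```

Point it at your real rules file (for example the output of your rule-update tool) by replacing SAMPLE_RULES with the file's contents.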