TECH ALERT | Palo Alto Networks: Threat Mitigation and Coverage for Havex, Dragonfly, Energetic Bear and Oldrea

Palo Alto Networks’ Specific Threat Mitigation

Over the past few days there have been a variety of reports about the Havex RAT (Remote Access Trojan), Energetic Bear RAT, Backdoor.Oldrea, and Trojan.Karagany. Enclosed is an update with the specific mitigations Palo Alto Networks has added, in addition to Threat Mitigation best practices for leveraging the full Palo Alto Networks solution. The Palo Alto team has been tracking Havex for quite a while and is regularly finding samples via WildFire, providing coverage via AV and additional indicators via URL filtering. AV malware naming is challenging, as Havex is also known as Backdoor.Oldrea, Energetic Bear RAT, and Trojan.Karagany.

Palo Alto Networks has added the following Specific Threat Mitigation:

Antivirus Mitigation:

Spyware/CnC Mitigation:

  • A specific Havex CnC Spyware signature will be released in the upcoming content releases

URL Filtering – PAN-DB Specific Mitigation

  • Various malicious IPs and domains from the reports have been added to PAN-DB.
  • Many of the referenced sites are individuals' compromised blogs, which may be added to PAN-DB only temporarily.

Wildfire Mitigation:

  • They have seen various samples in Wildfire and validated detection as malicious.

As with any other malware family or threat, Palo Alto Networks customers should leverage the entire solution for Threat Mitigation.

Best Practices for Threat Prevention Coverage and Mitigation:  

Reduce the Attack Surface:

  • Leverage APP-ID to reduce the attack surface:

-Look for TCP and UDP-unknown traffic which can be indicative of the various trojans and RATs that are communicating outbound

  • SSL Decryption for Webmail:

-Use SSL decryption on webmail at a minimum to prevent targeted attacks and watering hole attacks to personal email addresses.

-A single malicious RTF file, PDF or Office document is all it takes to own an organization and bypass all your protection when you don’t have visibility into SSL communications.

  • File-Blocking Technology for Mitigation:

-Block all PE (portable executable) files and .EXEs from being installed by employees, or at least warn via a continue page

-Consider blocking all additional high-risk targeted attack content types such as RTF files, .SCR files, .HLP files and .LNK files

Prevent Known Attacks:

  • Use IPS signatures to prevent the vulnerability from being exploited from client-side attacks, exploit kits and watering hole attacks

Consider inline blocking with a strict IPS policy. Prevent the client-side vulnerability from being exploited with a drive-by download and dropping the malware on the system.

  • Antivirus – as mentioned above
  • Use Spyware/CnC prevention to find infected systems that may pull down additional variants.  Ensure DNS detection is enabled and in blocking mode! 

Suspicious DNS – Investigate and remediate ANY suspicious DNS queries.  These are most likely infected systems! 

  • Example:  Suspicious DNS Query (generic:lilokobimqit.kz)(4042599)
  • Use URL Filtering Subscription with PAN-DB to prevent threats from being downloaded from malicious domains! 

-Block on Malware domains, as well as proxy avoidance, and peer2peer.

-Use a “Continue page” on unknown category websites
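The suspicious-DNS triage recommended above can be scripted against exported threat events. The following Python is an added example, not Palo Alto Networks code: it parses the threat-name shape shown in the alert and ranks source hosts for investigation. The CSV columns, action values, timestamps, addresses, example.* domains and the two threat IDs other than 4042599 are constructed assumptions, not the native PAN-OS log layout.

```python
import csv
import io
import re
from collections import defaultdict

# Threat-name shape shown in the alert:
#   Suspicious DNS Query (generic:<domain>)(<threat id>)
SIG = re.compile(
    r"Suspicious DNS Query \((?P<family>[^:()]+):(?P<domain>[^()\s]+)\)\((?P<tid>\d+)\)"
)

# Constructed sample export (hypothetical columns, not a real PAN-OS log format).
SAMPLE_LOG = """\
time,src,action,threat_name
2014-07-02T09:14:03,10.1.20.15,alert,Suspicious DNS Query (generic:lilokobimqit.kz)(4042599)
2014-07-02T09:14:09,10.1.20.15,alert,Suspicious DNS Query (generic:lilokobimqit.kz)(4042599)
2014-07-02T09:20:41,10.1.31.7,sinkhole,Suspicious DNS Query (generic:bad.example.net)(4000001)
2014-07-02T09:21:00,10.1.31.8,alert,Some Other Spyware Event(13000)
2014-07-02T09:25:12,10.1.20.15,alert,Suspicious DNS Query (generic:c2.example.org)(4000002)
"""

def triage(log_text):
    """Group suspicious-DNS events by source host.

    Returns {src: {"domains": set, "hits": int, "unblocked": int}}.
    "unblocked" counts events whose action was only "alert", i.e. the
    DNS signature fired but was not in blocking mode (assumed action value).
    """
    hosts = defaultdict(lambda: {"domains": set(), "hits": 0, "unblocked": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        match = SIG.search(row["threat_name"])
        if not match:
            continue  # not a suspicious-DNS signature
        entry = hosts[row["src"]]
        entry["domains"].add(match.group("domain").lower())
        entry["hits"] += 1
        if row["action"] == "alert":
            entry["unblocked"] += 1
    return dict(hosts)

def investigation_order(hosts):
    """Hosts querying the most distinct flagged domains first, then by hit count."""
    return sorted(hosts, key=lambda s: (-len(hosts[s]["domains"]), -hosts[s]["hits"], s))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for src in investigation_order(found):
        info = found[src]
        print(src, sorted(info["domains"]), "hits:", info["hits"], "alert-only:", info["unblocked"])
```

A non-zero alert-only count for a host means the DNS signature matched without blocking, which is the condition the "blocking mode" advice above is meant to eliminate.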

Focus on Prevention of Unknown and 0-day Malware:

  • Wildfire to detect the unknown and 0-day malware or dropper related to Havex, Energetic Bear, Oldrea or Karagany

-Forward all incoming PE files to Wildfire to determine if any malicious executables are downloaded

-Forward all incoming high-risk targeted attack document types (Office documents, PDFs and Java files) to WildFire for analysis

-Ensure RTF files are blocked or, at a minimum, forwarded to WildFire.

-Wildfire will automatically see the malicious behavior and push out AV signatures, DNS and CnC signatures to prevent additional employees from being infected.

  • Leverage the Botnet Report to find infected systems: 

-Look at the Botnet Report to ensure you haven’t missed already infected systems.

  • Create a Sinkhole to find infected systems 

-Use the PAN-OS 6.0 feature to ensure you are finding already infected systems easily.

  • Updates for Software:

-Recommend that employees not install Adobe Reader, Flash and Java updates if these pop up. Consider installing all updates for users, or have users visit the websites directly. Malware authors will prey on social engineering tactics to get your employees to install fake Reader, Flash and Java updates, which can be part of the infection vector.