Kaspersky Labs recently released a report describing a coordinated attack focused on industrial companies that targeted some 500 companies in 50 countries. The attackers gained an initial foothold using spearphishing and the emails contained attachments with malicious payloads. Their analysis also categorizes the malicious attachments into various Remote Access Toolkits (RATs) like Pony, njRAT, JRAT and others.
We analyzed the IoC’s released in the Kaspersky report and cross referenced them against TruSTAR incident reports and found correlations with reports dating back to May 2016. The analysis also provided contextual enrichment and attacker details that help you go beyond just blocking and tackling based on the IoC’s.
To make all this analysis more useful we have submitted a curated version of the Kaspersk IoC’s to the COMMUNITYand you can analyze these correlations in TruSTAR Station. You can also export the correlated IoC’s (FireEye Tap, STIX, CSV) and add them to your firewall/IPS/SIEM to monitor your infrastructure. We also recommend you submit the IoC’s from this report to your enclave and see how they correlate with your own data.
If you see something interesting we would love for you to get in touch with us, or even release your own insights to the community. We will roll out an upgraded version of chat next week so we can begin to have dialogue of these reports and events going forward. The upgraded version of chat will include alerts and notifications for reports of interest and we will be adding more capabilities over the next few weeks.