023. Detecting a Gamaredon Copycat

Hello everyone! Recently the Knownsec 404 Team released a report on an activity cluster we track as Core Werewolf. The cluster is quite active and uses simple but effective methods. In most cases they rely on legitimate remote access software, UltraVNC.

At the same time, the installation routine is very noisy, so let's talk about detection and hunting opportunities!

As I mentioned already, the adversary leveraged UltraVNC, but it's always renamed. We can combine that with its typical command line arguments to build a pseudo-detector:

process_name != "WinVNC.exe"
&&
command_line_includes : ("-autoreconnect" && "-connect")
&&
process_pe_original_file_name == "WinVNC.exe"

Another example: the threat actors abused taskkill to stop the process. Again, we can use this to build another pseudo-detector:

process_name == "taskkill.exe"
&&
command_line_includes : ("/f" && "/im")
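Both pseudo-detectors above, written out as runnable hunting logic over process-creation events. This is an added example, not code from the post or from any detection product; the event field names (process_name, original_file_name, command_line) and the sample events, including the 203.0.113.5 address, are constructed for illustration.

```python
# Added example: the two pseudo-detectors from the post implemented as
# functions over constructed Sysmon-style process-creation events.
# Field names are an assumption for illustration, not a product schema.
from typing import Any, Dict, List, Tuple


def renamed_ultravnc(event: Dict[str, Any]) -> bool:
    """Detector 1: PE OriginalFileName is WinVNC.exe, the on-disk name is
    something else, and the reverse-connect arguments are present."""
    name = event.get("process_name", "").lower()
    original = event.get("original_file_name", "").lower()
    tokens = event.get("command_line", "").lower().split()
    return (
        original == "winvnc.exe"
        and name != "winvnc.exe"
        and "-autoreconnect" in tokens
        and "-connect" in tokens
    )


def forced_taskkill(event: Dict[str, Any]) -> bool:
    """Detector 2: taskkill.exe forcing termination by image name."""
    name = event.get("process_name", "").lower()
    tokens = event.get("command_line", "").lower().split()
    return name == "taskkill.exe" and "/f" in tokens and "/im" in tokens


def run_detectors(events: List[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """Return (detector, event id) pairs for every event that matches."""
    hits: List[Tuple[str, int]] = []
    for event in events:
        if renamed_ultravnc(event):
            hits.append(("renamed_ultravnc", event["id"]))
        if forced_taskkill(event):
            hits.append(("forced_taskkill", event["id"]))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # renamed UltraVNC with reverse-connect arguments -> should match detector 1
    {"id": 1, "process_name": "svchost.exe", "original_file_name": "WinVNC.exe",
     "command_line": "svchost.exe -autoreconnect -connect 203.0.113.5:443"},
    # UltraVNC under its own name: detector 1 requires a renamed binary
    {"id": 2, "process_name": "winvnc.exe", "original_file_name": "WinVNC.exe",
     "command_line": "winvnc.exe -autoreconnect -connect 203.0.113.5:443"},
    # forced kill by image name -> should match detector 2
    {"id": 3, "process_name": "taskkill.exe", "original_file_name": "taskkill.exe",
     "command_line": "taskkill /f /im svchost.exe"},
    # taskkill by PID without /f and /im: no match
    {"id": 4, "process_name": "taskkill.exe", "original_file_name": "taskkill.exe",
     "command_line": "taskkill /pid 4321"},
]


if __name__ == "__main__":
    for detector, event_id in run_detectors(SAMPLE_EVENTS):
        print(f"{detector}: event {event_id}")
```

The OriginalFileName comparison is what carries the first detector: renaming the file on disk does not touch the PE version resource, so the mismatch between the two names is the signal. The taskkill detector matches plenty of benign administration on its own, so it is best used as a hunting pivot or correlated with the first detector on the same host.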

As always, there are more! Spotted already? Great!

See you tomorrow!
