023. Detecting a Gamaredon Copycat
Hello everyone! Recently Knownsec 404 Team released a report on an activity cluster we track as Core Werewolf. The cluster is quite active and uses simple but effective methods. In most cases it relies on legitimate remote access software - UltraVNC.
At the same time, the installation routine is very noisy, so let's talk about detection and hunting opportunities!
As mentioned, the adversary leverages UltraVNC, but it's always renamed. We can combine that with its typical command line arguments to build a pseudo-detector:
process_name != "WinVNC.exe"
&&
command_line_includes : ("-autoreconnect" && "-connect")
&&
process_pe_original_file_name == "WinVNC.exe"
Another example: the threat actors abused taskkill to stop the process. Again, we can use this information to build another pseudo-detector:
process_name == "taskkill.exe"
&&
command_line_includes : ("/f" && "/im")
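Both pseudo-detectors above, as an added example that is not part of the original post: each check is applied to a few constructed process-creation events, where the field names process_name, original_file_name and command_line are assumptions loosely modelled on Sysmon Event ID 1 fields.

```python
import shlex


def _args(command_line):
    """Tokenise a Windows command line, keeping quoted paths whole (non-POSIX mode)."""
    return [a.lower() for a in shlex.split(command_line, posix=False)]


def is_renamed_ultravnc(event):
    """First pseudo-detector: the PE OriginalFileName says WinVNC.exe, the on-disk
    name does not, and the command line carries -autoreconnect and -connect.
    Comparisons are case-insensitive because NTFS and the Windows loader are."""
    args = _args(event.get("command_line", ""))
    return (event.get("original_file_name", "").lower() == "winvnc.exe"
            and event.get("process_name", "").lower() != "winvnc.exe"
            and any(a.startswith("-autoreconnect") for a in args)
            and any(a.startswith("-connect") for a in args))


def is_forced_taskkill(event):
    """Second pseudo-detector: taskkill.exe forcing termination by image name."""
    args = _args(event.get("command_line", ""))
    return (event.get("process_name", "").lower() == "taskkill.exe"
            and "/f" in args and "/im" in args)


def triage(events):
    """Run both detectors over a batch of events; returns (detector, process name) hits."""
    hits = []
    for e in events:
        for name, check in (("renamed_ultravnc", is_renamed_ultravnc),
                            ("forced_taskkill", is_forced_taskkill)):
            if check(e):
                hits.append((name, e["process_name"]))
    return hits


# Constructed events for illustration; paths, hosts and IDs are placeholders, not telemetry.
SAMPLE_EVENTS = [
    {"process_name": "svchost.exe", "original_file_name": "WinVNC.exe",  # renamed UltraVNC
     "command_line": '"C:\\Users\\Public\\svchost.exe" -autoreconnect ID:1 -connect relay.invalid:5500'},
    {"process_name": "WinVNC.exe", "original_file_name": "WinVNC.exe",   # not renamed: out of scope
     "command_line": '"C:\\Tools\\UltraVNC\\WinVNC.exe" -autoreconnect -connect relay.invalid:5500'},
    {"process_name": "taskkill.exe", "original_file_name": "taskkill.exe",
     "command_line": "taskkill /f /im svchost.exe"},
    {"process_name": "taskkill.exe", "original_file_name": "taskkill.exe",  # no /f /im: no hit
     "command_line": "taskkill /pid 4242"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```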
As always, there are more! Spotted already? Great!
See you tomorrow!