024. PlushDaemon Supply-Chain Attack: Detection Opportunities

Hello everyone! Recently ESET published a report on a supply-chain attack against a VPN provider in South Korea. The group behind the attack is named PlushDaemon.

Despite the fact that supply-chain attacks are quite hard to detect, we always have lots and lots of detection opportunities for post-exploitation! Let's look at some of them.

The adversary abused the legitimate regcap.exe utility (included in Visual Studio) to side-load a malicious DLL, lregdll.dll. The utility was renamed to PerfWatson.exe. So, what to look for?

  • Renamed regcap.exe execution from suspicious locations, for example subfolders of %PUBLIC% (the renamed file's metadata, such as its original file name, will give it away)
  • Loading of DLLs from suspicious locations, often the same directory as the binary used for side-loading

Next thing - persistence. The adversary used less common mechanisms, so it's also quite easy to detect:

  • Look for Userinit entry modifications under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key
  • Look for load entry modifications under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows registry key

One more opportunity - abusing pythonw.exe. The threat actors leveraged the legitimate Python interpreter to run various malicious modules:

  • Check for pythonw.exe executions from uncommon locations (what's more, pythonw.exe itself is not very common on regular workstations)
  • Search for pythonw.exe being used to run a library module as a script (the -m argument)
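As an added example (not code from this post or from ESET's report), here are the three detection opportunities above - renamed regcap.exe side-loading, the Winlogon Userinit / Windows load persistence values, and pythonw.exe with -m from an uncommon path - expressed as a small Python rule set run over constructed Sysmon-style events (EventID 1 process creation with OriginalFileName, 7 image load, 13 registry value set). The suspicious-directory and expected-Python-path patterns are assumptions to tune per environment; the sample events are constructed, not taken from the report.

```python
import re

# Persistence values the post names, as Sysmon event 13 reports them in TargetObject (lowercased).
PERSISTENCE_VALUES = {
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"hkcu\software\microsoft\windows nt\currentversion\windows\load",
}
# Assumed path patterns (user-writable drop dirs; usual pythonw.exe homes); tune per environment.
SUSPICIOUS_DIRS = re.compile(r"\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)
EXPECTED_PYTHON = re.compile(r"\\Program Files|\\AppData\\Local\\Programs\\Python", re.I)

def detect(ev):
    """Return the detection names that fire for one Sysmon-style event dict."""
    hits = []
    if ev["EventID"] == 1:  # process creation
        image = ev["Image"]
        name = image.rsplit("\\", 1)[-1].lower()
        if ev.get("OriginalFileName", "").lower() == "regcap.exe":
            if name != "regcap.exe":  # PE metadata still says regcap.exe: renamed copy
                hits.append("renamed_regcap")
            if SUSPICIOUS_DIRS.search(image):
                hits.append("regcap_suspicious_path")
        if name == "pythonw.exe":
            if not EXPECTED_PYTHON.search(image):
                hits.append("pythonw_uncommon_location")
            if re.search(r"\s-m\s", ev.get("CommandLine", "")):
                hits.append("pythonw_module_exec")
    elif ev["EventID"] == 7:  # image load: DLL beside its loader in an odd directory
        dll = ev["ImageLoaded"]
        if SUSPICIOUS_DIRS.search(dll) and dll.rsplit("\\", 1)[0].lower() == ev["Image"].rsplit("\\", 1)[0].lower():
            hits.append("sideload_same_dir")
    elif ev["EventID"] == 13:  # registry value set
        if ev["TargetObject"].lower() in PERSISTENCE_VALUES:
            hits.append("winlogon_persistence")
    return hits

def scan(events):
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}  # quiet events omitted

# Constructed sample telemetry (not taken from the ESET report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\PerfWatson.exe",
     "OriginalFileName": "regcap.exe", "CommandLine": "PerfWatson.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\PerfWatson.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\lregdll.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"EventID": 1, "Image": r"C:\ProgramData\rt\pythonw.exe", "OriginalFileName": "pythonw.exe",
     "CommandLine": r"C:\ProgramData\rt\pythonw.exe -m loader"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\pythonw.exe",  # benign install
     "OriginalFileName": "pythonw.exe", "CommandLine": "pythonw.exe app.py"},
]
```

Running scan(SAMPLE_EVENTS) flags the first four events and stays silent on the legitimately installed pythonw.exe; a regcap.exe launched from its Visual Studio directory under its own name also produces no hit.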

See you tomorrow!
