042. Is It Easy to Detect Trojanized Microsoft KMS Activation Tools Used By Sandworm?
Hello everyone! Have you ever detected Microsoft KMS activation tools during your security operations? Yes? Me too! But not all tools are as harmless as one may think!
EclecticIQ analysts presented a report on a recent Sandworm campaign in which the threat actors used trojanized Microsoft KMS activation tools to deliver the BACKORDER loader.
If you look through the report, the first thing you notice is that BACKORDER is quite noisy. For example:
- It abuses wmic to add a Microsoft Defender exclusion path and to collect information on the system's network adapter configuration
- It abuses reg to collect information on the Microsoft Defender AntiSpyware feature state
- It abuses sc query to collect information about the Microsoft Defender-related service
The funny thing is that this is expected behavior for KMS activation tools! What's more, Dark Crystal RAT is masqueraded to look like a KMS activation tool: C:\Users\User\AppData\Roaming\kms2023\kms2023.exe!
Thankfully, there's another copy located in C:\Users\User\AppData\Local\staticfile.exe, and this is a great candidate for hunting! Suspicious location and suspicious name! What else? The persistence mechanism! And yes, a scheduled task again. That's it!
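To make the hunting logic concrete, here is an added Python example (mine, not from the EclecticIQ report or this post) that runs over constructed Sysmon-style process-creation events: the wmic/reg/sc behaviours the post calls expected for KMS tools are kept as low-fidelity context, while an executable sitting directly in the AppData\Local root and a scheduled task pointing into AppData become the hunt leads. Paths not quoted in the post, the task name and the exact command lines are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\User\AppData\Roaming\kms2023"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware'},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query WinDefend"},
    # The masqueraded copy from the post: nothing below fires on it by itself.
    {"Image": r"C:\Users\User\AppData\Roaming\kms2023\kms2023.exe",
     "CommandLine": r"C:\Users\User\AppData\Roaming\kms2023\kms2023.exe"},
    {"Image": r"C:\Users\User\AppData\Local\staticfile.exe",
     "CommandLine": r"C:\Users\User\AppData\Local\staticfile.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # task name "Updater" is a constructed assumption
     "CommandLine": r'schtasks /create /tn Updater /sc minute /mo 15 /tr "C:\Users\User\AppData\Local\staticfile.exe"'},
]

# Behaviours the post calls expected for KMS activation tools: keep as context, not as alerts.
LOW_FIDELITY = {
    "defender_exclusion_via_wmic": re.compile(r"MSFT_MpPreference.*ExclusionPath", re.I),
    "defender_antispyware_state_via_reg": re.compile(r"reg\s+query.*Windows Defender.*DisableAntiSpyware", re.I),
    "defender_service_via_sc": re.compile(r"sc\s+query\s+WinDefend", re.I),
}
# An executable dropped directly in the AppData\Local root, with no vendor subfolder (staticfile.exe).
APPDATA_LOCAL_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\.exe$", re.I)
# A scheduled task whose action (/tr) points somewhere under AppData.
SCHTASKS_APPDATA = re.compile(r"schtasks.*?/create.*?/tr\s+\"?[^\"]*\\AppData\\", re.I)

def classify(event):
    """Return (fidelity, rule_name) for one event, or None if nothing matched."""
    img, cmd = event["Image"], event["CommandLine"]
    if APPDATA_LOCAL_ROOT_EXE.match(img):
        return ("high", "exe_in_appdata_local_root")
    if img.lower().endswith(r"\schtasks.exe") and SCHTASKS_APPDATA.search(cmd):
        return ("high", "scheduled_task_pointing_to_appdata")
    for name, rx in LOW_FIDELITY.items():
        if rx.search(cmd):
            return ("low", name)
    return None

def hunt(events):
    """Low-fidelity hits alone look like a KMS tool; only high-fidelity hits become hunt leads."""
    leads, context = [], []
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            (leads if hit[0] == "high" else context).append(hit[1])
    return {"leads": leads, "context": context}
```

Running hunt(SAMPLE_EVENTS) yields two leads (the AppData\Local executable and the task pointing at it) and three context hits, which is the correlation the post argues for: the Defender noise alone is not worth an alert, the location plus persistence is.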
See you tomorrow!