048. Detecting Kimsuky Dropbox Abuse

Hello everyone! Securonix presented a fresh report on recent Kimsuky activity (as you remember, we track this cluster as Monolithic Werewolf). The adversary keeps distributing malicious LNK files and abusing PowerShell, and this time leverages Dropbox.


The attack chain is quite sophisticated and has multiple stages, but there's a quick win from a detection perspective.

So, the thing I want to note is the abuse of PowerShell to download the next stage from Dropbox. This activity includes querying the following domain name: "dl.dropboxusercontent.com". Of course, we can use this knowledge for detection:

event_type: "dnsreq"

AND

proc_cmdline:/.*powershell.*/

AND 

dns_rname: "dl.dropboxusercontent.com"

And yes, this simple detection logic allows us to catch an advanced threat actor! That's it!
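To show how the three conditions of the rule above behave on real-looking telemetry, here is an added example (my own code, not from the post or from Securonix's report). It applies the same logic in Python to a handful of constructed DNS-request events: the field names event_type, proc_cmdline and dns_rname are taken from the rule, the sample command lines and hosts are made up, and the regex is assumed to be applied to the whole field and case-insensitively, so "PowerShell.exe" is not missed.

```python
import re
from typing import Dict, Iterable, List

# The rule's three conditions, taken from the post:
#   event_type: "dnsreq" AND proc_cmdline:/.*powershell.*/ AND dns_rname: "dl.dropboxusercontent.com"
SUSPICIOUS_DOMAIN = "dl.dropboxusercontent.com"
# Assumption: the pattern matches the whole field, as in /.*powershell.*/,
# and ignores case so that "PowerShell.exe" is caught as well.
POWERSHELL_RE = re.compile(r".*powershell.*", re.IGNORECASE)


def matches(event: Dict[str, str]) -> bool:
    """Return True when a single telemetry event satisfies all three conditions."""
    if event.get("event_type") != "dnsreq":
        return False
    if not POWERSHELL_RE.fullmatch(event.get("proc_cmdline", "")):
        return False
    # Exact host match: the rule is specific to the direct-download host,
    # not to www.dropbox.com or other Dropbox endpoints.
    return event.get("dns_rname", "").lower() == SUSPICIOUS_DOMAIN


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of events down to those that hit the rule."""
    return [e for e in events if matches(e)]


# Constructed sample telemetry (not from the report): each record is one DNS
# request with the requesting process's command line attached.
SAMPLE_EVENTS = [
    {"event_type": "dnsreq",
     "proc_cmdline": r"powershell.exe -NoProfile -w hidden -File C:\Users\Public\update.ps1",
     "dns_rname": "dl.dropboxusercontent.com"},          # hit
    {"event_type": "dnsreq",
     "proc_cmdline": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dns_rname": "dl.dropboxusercontent.com"},          # legitimate client: no hit
    {"event_type": "dnsreq",
     "proc_cmdline": "powershell.exe -Command Get-Process",
     "dns_rname": "www.microsoft.com"},                  # PowerShell, other domain: no hit
    {"event_type": "procstart",
     "proc_cmdline": "powershell.exe -File stage.ps1",
     "dns_rname": "dl.dropboxusercontent.com"},          # wrong event type: no hit
    {"event_type": "dnsreq",
     "proc_cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -NonInteractive",
     "dns_rname": "DL.dropboxusercontent.com"},          # mixed case: hit
    {"event_type": "dnsreq",
     "proc_cmdline": "powershell.exe -Command Invoke-WebRequest",
     "dns_rname": "www.dropbox.com"},                    # different Dropbox host: no hit
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit['dns_rname']} <- {hit['proc_cmdline']}")
```

The second sample event is the important one for tuning: the legitimate Dropbox desktop client also resolves dl.dropboxusercontent.com, so it is the proc_cmdline condition, not the domain alone, that keeps this rule quiet in an environment where Dropbox is sanctioned.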

See you tomorrow!
