051. Bloody Wolf's Techniques From Detection Perspective

Hello everyone! Let's talk about recently uncovered techniques leveraged by the Bloody Wolf activity cluster.

The threat actors rely on phishing emails and distribute a legitimate PDF file containing malicious links. These links are used to deliver malicious JAR files. They used to distribute STRRAT, but in recent campaigns switched to legitimate remote access software commonly abused by various adversaries - NetSupport.

Details are available in the report, but let's look at some of the detection opportunities. The victim clicks the phishing link and downloads a JAR file. Usually, it's located under the Downloads folder. What about execution? Java is used to execute it, usually with the -jar parameter. What's more, the user must execute it, so the parent process for Java should be explorer.exe. Here's what we got:

event_type: "processcreate"
AND
proc_p_file_path: "explorer.exe"
AND
cmdline:("java" AND "jar" AND "Downloads")

To get the list of download links for NetSupport components, the executed JAR file requests pastebin[.]com - and this is another detection opportunity:

event_type: "dnsreq"
AND
dns_rname: "pastebin.com"
AND
proc_cmdline:("java" AND "jar" AND "Downloads")

Let's look at NetSupport itself as well. As always, it can be renamed, so let's focus on the original file name and uncommon locations:

event_type: "processcreate"
AND
proc_file_originalfilename: "client32.exe"
AND NOT
proc_file_path: "program files"
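To see how the three queries above behave on concrete events, here is an added example (my code, not the author's or any vendor's) that re-expresses them as Python predicates using the post's field names and runs them over a few constructed events. It assumes events arrive as flat dicts with those field names and that the query operators behave as case-insensitive substring matches.

```python
# Added example, not the author's code: the post's three queries as Python
# predicates over flat event dicts using the post's field names (assumed schema).

def _has(event: dict, field: str, *needles: str) -> bool:
    """Case-insensitive substring match of every needle in event[field]."""
    value = str(event.get(field, "")).lower()
    return all(n.lower() in value for n in needles)

def rule_jar_from_downloads(e: dict) -> bool:
    """Query 1: explorer.exe launches java -jar on a file under Downloads."""
    return (e.get("event_type") == "processcreate"
            and _has(e, "proc_p_file_path", "explorer.exe")
            and _has(e, "cmdline", "java", "jar", "downloads"))

def rule_jar_pastebin_dns(e: dict) -> bool:
    """Query 2: a java -jar process from Downloads resolves pastebin.com."""
    return (e.get("event_type") == "dnsreq"
            and _has(e, "dns_rname", "pastebin.com")
            and _has(e, "proc_cmdline", "java", "jar", "downloads"))

def rule_netsupport_uncommon_path(e: dict) -> bool:
    """Query 3: NetSupport client32.exe outside Program Files (substring match also excludes 'Program Files (x86)')."""
    return (e.get("event_type") == "processcreate"
            and _has(e, "proc_file_originalfilename", "client32.exe")
            and not _has(e, "proc_file_path", "program files"))

RULES = {
    "jar_from_downloads": rule_jar_from_downloads,
    "jar_pastebin_dns": rule_jar_pastebin_dns,
    "netsupport_uncommon_path": rule_netsupport_uncommon_path,
}

def evaluate(events: list) -> list:
    """Run every rule over every event; return (rule_name, event) per hit."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]

# Constructed sample events: one true positive and one benign look-alike per rule.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\bin\java.exe" -jar C:\Users\u\Downloads\invoice.jar'},
    {"event_type": "processcreate", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\bin\java.exe" -jar C:\Program Files\App\app.jar'},
    {"event_type": "dnsreq", "dns_rname": "pastebin.com",
     "proc_cmdline": r"java.exe -jar C:\Users\u\Downloads\invoice.jar"},
    {"event_type": "dnsreq", "dns_rname": "pastebin.com", "proc_cmdline": "chrome.exe"},
    {"event_type": "processcreate", "proc_file_originalfilename": "client32.exe",
     "proc_file_path": r"C:\Users\u\AppData\Roaming\Update\client32.exe"},
    {"event_type": "processcreate", "proc_file_originalfilename": "client32.exe",
     "proc_file_path": r"C:\Program Files (x86)\NetSupport\client32.exe"},
]
```

Running evaluate(SAMPLE_EVENTS) fires exactly once per rule, on the first, third and fifth events; the benign look-alikes (a JAR outside Downloads, a browser resolving pastebin.com, NetSupport installed under Program Files (x86)) stay silent.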

I'm sure you spotted even more detection opportunities in the report! Share them in the comments!

See you tomorrow!
