051. Bloody Wolf's Techniques From Detection Perspective
Hello everyone! Let's talk about recently uncovered techniques leveraged by Bloody Wolf activity cluster.
The threat actors rely on phishing emails and distribute a legitimate PDF file containing malicious links. These links are used to deliver malicious JAR files. They used to distribute STRRAT, but in recent campaigns switched to NetSupport, legitimate remote access software commonly abused by various adversaries.
Details are available in the report, but let's look at some of the detection opportunities. The victim clicks the phishing link and downloads a JAR file. Usually, it's located in the Downloads folder. What about execution? Java is used to execute it, usually with the -jar parameter. What's more, the user must execute it, so the parent process for Java should be explorer.exe. Here's what we got:
event_type: "processcreate"
AND
proc_p_file_path: "explorer.exe"
AND
cmdline:("java" AND "jar" AND "Downloads")
To get the list of download links for NetSupport components, the executed JAR file requests pastebin[.]com, and this is another detection opportunity:
event_type: "dnsreq"
AND
dns_rname: "pastebin.com"
AND
proc_cmdline:("java" AND "jar" AND "Downloads")
Let's look at NetSupport itself as well. As always, it can be renamed, so let's focus on the original file name and uncommon locations:
event_type: "processcreate"
AND
proc_file_originalfilename: "client32.exe"
AND NOT
proc_file_path: "program files"
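The three queries above, reimplemented as plain Python predicates and run over constructed sample telemetry. This is an added example, not the post's own queries or any vendor's code: the field names (event_type, proc_p_file_path, cmdline, dns_rname, proc_cmdline, proc_file_originalfilename, proc_file_path) come from the queries in the post; the events, user name, file names and paths are constructed; and case-insensitive substring matching is an assumption about how the query language treats those terms.

```python
# Added example (not the post's own code): the three detection rules from the
# post as Python predicates, evaluated over constructed sample telemetry.
# Field names follow the queries in the post; sample events are constructed.

def _contains_all(text, terms):
    """Case-insensitive check that every term occurs in text (None -> no match).
    Assumption: the post's query language matches these terms as substrings."""
    text = (text or "").lower()
    return all(t in text for t in terms)


JAR_TERMS = ("java", "jar", "downloads")


def java_jar_from_downloads(ev):
    """Rule 1: explorer.exe (user double-click) launching java -jar on a file in Downloads."""
    return (
        ev.get("event_type") == "processcreate"
        and "explorer.exe" in (ev.get("proc_p_file_path") or "").lower()
        and _contains_all(ev.get("cmdline"), JAR_TERMS)
    )


def jar_resolves_pastebin(ev):
    """Rule 2: that same java -jar process resolving pastebin.com (payload list lookup)."""
    domain = (ev.get("dns_rname") or "").lower().rstrip(".")
    return (
        ev.get("event_type") == "dnsreq"
        and (domain == "pastebin.com" or domain.endswith(".pastebin.com"))
        and _contains_all(ev.get("proc_cmdline"), JAR_TERMS)
    )


def netsupport_outside_program_files(ev):
    """Rule 3: a binary whose PE OriginalFilename is client32.exe (NetSupport client)
    started from anywhere other than Program Files. Renaming the file on disk does
    not change OriginalFilename, which is why the rule keys on it."""
    return (
        ev.get("event_type") == "processcreate"
        and (ev.get("proc_file_originalfilename") or "").lower() == "client32.exe"
        and "program files" not in (ev.get("proc_file_path") or "").lower()
    )


RULES = {
    "java_jar_from_downloads": java_jar_from_downloads,
    "jar_resolves_pastebin": jar_resolves_pastebin,
    "netsupport_outside_program_files": netsupport_outside_program_files,
}


def evaluate(events):
    """Run every rule over every event; return (rule_name, event id) for each hit."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


# Constructed sample telemetry (user name, paths and file names are made up).
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "processcreate",
     "proc_p_file_path": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre\bin\java.exe" -jar "C:\Users\alice\Downloads\Invoice.jar"'},
    {"id": 2, "event_type": "processcreate",       # developer running a JAR from a tools dir: no hit
     "proc_p_file_path": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre\bin\java.exe" -jar "C:\Tools\build.jar"'},
    {"id": 3, "event_type": "dnsreq", "dns_rname": "pastebin.com",
     "proc_cmdline": r'"C:\Program Files\Java\jre\bin\java.exe" -jar "C:\Users\alice\Downloads\Invoice.jar"'},
    {"id": 4, "event_type": "dnsreq", "dns_rname": "pastebin.com",   # browser visiting pastebin: no hit
     "proc_cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"id": 5, "event_type": "processcreate",
     "proc_file_originalfilename": "client32.exe",
     "proc_file_path": r"C:\Users\alice\AppData\Roaming\NetSupport\client32.exe"},
    {"id": 6, "event_type": "processcreate",       # legitimately installed NetSupport: no hit
     "proc_file_originalfilename": "client32.exe",
     "proc_file_path": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},
    {"id": 7, "event_type": "processcreate",       # renamed on disk, OriginalFilename unchanged: hit
     "proc_file_originalfilename": "client32.exe",
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]

if __name__ == "__main__":
    for name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

Events 2, 4 and 6 are the benign look-alikes each rule has to stay quiet on (a JAR run from a tools directory, a browser resolving pastebin, NetSupport installed under Program Files), and event 7 shows why rule 3 keys on OriginalFilename rather than the on-disk name.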
I'm sure you spotted even more detection opportunities in the report! Share them in the comments!
See you tomorrow!