056. PebbleDash: Detection Opportunities
Hello everyone! Today we'll look at PebbleDash malware behaviors and how to detect it. This backdoor is actively used by Kimsuky (we track this activity cluster as Monolithic Werewolf).
Let's look inside this report. The adversary distributed phishing emails with EGG files attached. Not a common choice, right? That's not all. The EGG file contains a PIF file - a binary configuration file for the DOS emulator/simulator in Windows! Such files are not very common, so we can start by hunting for any execution of PIF files:
event_type:"processcreate"
AND
proc_file_name.keyword:/.*\.pif/
The PIF file drops and opens a decoy PDF file, and also drops and executes another PIF file - the PebbleDash backdoor itself, which abuses reg.exe to persist on the compromised system.
Here we have a few detection opportunities. The first one - a PIF file opens a PDF file:
event_type:"processcreate"
AND
proc_p_file_path.keyword:/.*\.pif/
AND
cmdline.keyword:/.*\.pdf/
The next one - a PIF file abuses reg.exe:
event_type:"processcreate"
AND
proc_p_cmdline.keyword:/.*\.pif.*/
AND
cmdline:("reg" AND "add" AND "run")
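To show how the three queries above behave on real-looking telemetry, here is an added example (not part of the original post, and not a Kimsuky sample) that re-implements them in Python and runs them over a handful of constructed process-creation events. Field names follow the queries (proc_file_name, proc_p_file_path, proc_p_cmdline, cmdline); the paths, file names and registry values are made up for illustration. One deliberate generalization: the post's `cmdline.keyword:/.*\.pdf/` is anchored at the end of the string, so a quoted path ending in `.pdf"` would slip past it; the example matches `.pdf` anywhere in the command line instead.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names mirror the
# Lucene queries in the post so each rule maps one-to-one onto a query.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # stage 1: the user opens the PIF extracted from the EGG archive
        "event_type": "processcreate",
        "proc_file_name": "invoice.pif",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_p_cmdline": "explorer.exe",
        "cmdline": r"C:\Users\victim\Downloads\invoice.pif",
    },
    {   # stage 2: the PIF opens the decoy PDF
        "event_type": "processcreate",
        "proc_file_name": "AcroRd32.exe",
        "proc_p_file_path": r"C:\Users\victim\Downloads\invoice.pif",
        "proc_p_cmdline": r"C:\Users\victim\Downloads\invoice.pif",
        "cmdline": r'"C:\Program Files\Adobe\AcroRd32.exe" C:\Users\victim\Downloads\invoice.pdf',
    },
    {   # stage 3: the dropped backdoor PIF sets a Run key through reg.exe
        "event_type": "processcreate",
        "proc_file_name": "reg.exe",
        "proc_p_file_path": r"C:\Users\victim\AppData\Local\Temp\svc.pif",
        "proc_p_cmdline": r"C:\Users\victim\AppData\Local\Temp\svc.pif",
        "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d C:\Users\victim\AppData\Local\Temp\svc.pif",
    },
    {   # benign: a PDF opened from Explorer, should match nothing
        "event_type": "processcreate",
        "proc_file_name": "AcroRd32.exe",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_p_cmdline": "explorer.exe",
        "cmdline": r'"C:\Program Files\Adobe\AcroRd32.exe" C:\Users\victim\report.pdf',
    },
    {   # benign: an admin runs reg.exe from cmd.exe, parent is not a PIF
        "event_type": "processcreate",
        "proc_file_name": "reg.exe",
        "proc_p_file_path": r"C:\Windows\System32\cmd.exe",
        "proc_p_cmdline": "cmd.exe",
        "cmdline": r"reg add HKCU\Software\Test /v x /d 1",
    },
]

# Lucene regex queries on .keyword fields are implicitly anchored at both ends,
# so /.*\.pif/ means "ends with .pif" and /.*\.pif.*/ means "contains .pif".
PIF_END = re.compile(r"\.pif$", re.IGNORECASE)
PIF_ANY = re.compile(r"\.pif", re.IGNORECASE)
PDF_ANY = re.compile(r"\.pdf", re.IGNORECASE)


def tokens(text: str) -> set:
    """Approximate Lucene's analyzed-text matching: case-insensitive word tokens."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def pif_execution(ev: Dict[str, str]) -> bool:
    """Query 1: any process whose image name ends with .pif."""
    return ev.get("event_type") == "processcreate" and bool(PIF_END.search(ev.get("proc_file_name", "")))


def pif_opens_pdf(ev: Dict[str, str]) -> bool:
    """Query 2: the parent image is a .pif and the child command line references a .pdf."""
    return (ev.get("event_type") == "processcreate"
            and bool(PIF_END.search(ev.get("proc_p_file_path", "")))
            and bool(PDF_ANY.search(ev.get("cmdline", ""))))


def pif_abuses_reg(ev: Dict[str, str]) -> bool:
    """Query 3: parent command line contains .pif and the child runs 'reg add ... run'."""
    return (ev.get("event_type") == "processcreate"
            and bool(PIF_ANY.search(ev.get("proc_p_cmdline", "")))
            and {"reg", "add", "run"} <= tokens(ev.get("cmdline", "")))


RULES = {
    "pif_execution": pif_execution,
    "pif_opens_pdf": pif_opens_pdf,
    "pif_abuses_reg": pif_abuses_reg,
}


def evaluate(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {event index: [names of rules that fired]} for events that matched anything."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

Each stage of the chain lights up exactly one rule, and the two benign events stay quiet: the Explorer-launched PDF fails the parent check, and the admin's reg.exe call has no PIF parent and no `run` token. Keep the first rule as a hunt rather than an alert; PIF executions are rare in most fleets, but the parent-child rules are the ones tight enough to page on.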
Uncommon extensions may allow adversaries to bypass some email security solutions, but malware behaviors still provide us lots of detection opportunities!
See you tomorrow!