059. Threat Actors Abuse FTP to Execute Scripts

Hello everyone! I think you are aware of abusing ftp.exe for data exfiltration. But what about command execution?


Cado Security Labs shared information on malicious activity attributed to Mustang Panda (we track this cluster as Horned Werewolf). In this campaign the adversary leveraged a very interesting technique: it abused ftp.exe to execute an FTP script hidden inside a disguised PDF file:

C:\Windows\System32\ftp.exe -s:"แบบตอบรับ.pdf"

Of course, if you look for ftp.exe executions with the -s parameter alone, you will face lots of false positives (still acceptable for your threat hunting missions!), so you should focus on PDF and other file types which are not commonly used to hold commands or scripts:

event_type: "processcreate"
AND proc_file_name: "ftp.exe"
AND cmdline: ("s" AND "pdf")
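The hunting query above is written for a SIEM; to show the same logic as code, here is an added Python example (not from the original post or from Cado Security Labs) that walks constructed process-creation events, pulls the file passed to ftp.exe via -s:, and flags it when the extension is not one that normally carries an FTP script. It generalizes the "pdf" check to any non-script extension, so a script disguised as an image is caught too. The event field names, the sample command lines (apart from the Thai-named PDF quoted in the post) and the list of "legitimate" script extensions are assumptions.

```python
import re

# Constructed sample process-creation events, not real telemetry. The Thai PDF name is the
# one quoted in the post; every other command line is invented benign (or near-benign) noise.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": 'C:\\Windows\\System32\\ftp.exe -s:"แบบตอบรับ.pdf"'},
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": "ftp.exe -s:C:\\scripts\\nightly_upload.txt ftp.example.internal"},
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": 'ftp.exe -n -s:"C:\\Users\\bob\\Pictures\\holiday.jpg"'},
    {"event_type": "processcreate", "proc_file_name": "cmd.exe",
     "cmdline": "cmd.exe /c type report.pdf"},
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": "ftp.exe -v ftp.example.internal"},
]

# Assumed set of extensions that legitimately hold FTP command scripts in this environment;
# a -s: argument pointing at anything else is treated as a hunting hit.
SCRIPT_EXTENSIONS = {"txt", "ftp"}

# -s: followed by either a double-quoted path (may contain spaces / non-ASCII) or a bare token.
SCRIPT_ARG = re.compile(r'-s:(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def script_file_from_cmdline(cmdline):
    """Return the file handed to ftp.exe via -s:, or None if the switch is absent."""
    m = SCRIPT_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def extension_of(path):
    """Lower-cased extension of the last path component, '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious(event):
    """True when ftp.exe is driven by a script whose extension is not a usual script type."""
    if event.get("event_type") != "processcreate":
        return False
    if event.get("proc_file_name", "").lower() != "ftp.exe":
        return False
    script = script_file_from_cmdline(event.get("cmdline", ""))
    if script is None:
        return False
    return extension_of(script) not in SCRIPT_EXTENSIONS


def hunt(events):
    """Return (script_path, full_cmdline) for every event worth an analyst's attention."""
    return [(script_file_from_cmdline(e["cmdline"]), e["cmdline"])
            for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for script, cmdline in hunt(SAMPLE_EVENTS):
        print(f"HIT: -s: -> {script!r} (.{extension_of(script)})  |  {cmdline}")
```

Plain ftp.exe runs without -s:, and runs whose script is a .txt, are left alone, which is what keeps the noise down compared with alerting on every -s usage.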

Despite the fact that the threat actors chose such a creative approach, the installation routine is still quite noisy and includes, for example, dropping an executable to C:\ProgramData.

See you tomorrow!
