059. Threat Actors Abuse FTP to Execute Scripts
Hello everyone! I think you are aware of ftp.exe being abused for data exfiltration. But what about command execution?
Cado Security Labs shared information on malicious activity attributed to Mustang Panda (we track this cluster as Horned Werewolf). In this campaign the adversary leveraged a very interesting technique: ftp.exe was abused to execute an FTP script hidden inside a file disguised as a PDF:
C:\Windows\System32\ftp.exe -s:"แบบตอบรับ.pdf"
Of course, if you look for ftp.exe executions with the -s parameter, you will face lots of false positives (still acceptable for your threat hunting missions!), so you should focus on PDF and other file types that do not normally contain commands or scripts:
event_type: "processcreate"
AND
proc_file_name: "ftp.exe"
AND
cmdline: ("s" AND "pdf")
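The same hunt expressed as code, as an added example that is not part of the original post: it pulls the -s: script path out of the command line (quoted or unquoted), and flags any ftp.exe process-creation event whose script file does not carry one of the extensions legitimate FTP scripts usually have. The sample events and the allow-list of expected script extensions are constructed assumptions; tune the list to your own environment.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": 'C:\\Windows\\System32\\ftp.exe -s:"แบบตอบรับ.pdf"'},
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": "ftp.exe -s:C:\\scripts\\nightly_upload.txt"},
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": "ftp.exe -n -s:D:\\backup\\report.docx ftp.example.com"},
    {"event_type": "processcreate", "proc_file_name": "cmd.exe",
     "cmdline": "cmd.exe /c echo -s:evil.pdf"},
    {"event_type": "processcreate", "proc_file_name": "ftp.exe",
     "cmdline": "ftp.exe -i ftp.example.com"},
]

# Extensions legitimate ftp.exe scripts usually have (assumption: adjust
# to whatever your admins and scheduled jobs actually use).
EXPECTED_SCRIPT_EXTENSIONS = {"txt", "ftp"}

# -s:path where path is "quoted" or a run of non-space characters;
# case-insensitive so -S: is caught as well.
SCRIPT_ARG = re.compile(r'(?<!\S)-s:(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def script_path(cmdline):
    """Return the -s: script path from an ftp.exe command line, or None."""
    m = SCRIPT_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def script_extension(path):
    """Lower-cased extension of the file name part of path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious(event):
    """True for ftp.exe given a script whose extension is not a usual script type."""
    if event.get("event_type") != "processcreate":
        return False
    if event.get("proc_file_name", "").lower() != "ftp.exe":
        return False
    path = script_path(event.get("cmdline", ""))
    return path is not None and script_extension(path) not in EXPECTED_SCRIPT_EXTENSIONS


def hunt(events):
    """Command lines of all suspicious ftp.exe script executions."""
    return [e["cmdline"] for e in events if is_suspicious(e)]
```

Running hunt(SAMPLE_EVENTS) returns the .pdf and .docx command lines and leaves the .txt script, the cmd.exe event and the plain ftp.exe launch alone.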
Despite the fact that the threat actors chose such a creative approach, the installation routine is still quite noisy and includes, for example, dropping an executable to C:\ProgramData.
See you tomorrow!