061. DONOT Team Has a Presentation for You
Let's look at the DONOT Team (APT-Q-38) campaign described in this report. One of the kill chains included a malicious PowerPoint presentation (PPT) delivered via a link in a phishing PDF document. A malicious macro in the PPT file executes shellcode in order to download the next stages.
The first detection opportunity: powerpnt.exe spawns cmd.exe to execute a BAT file:
cmd.exe /c C:\Users\user\AppData\Local\TEMP\FROX\cross.bat
You can catch such activity this way:
event_type: "processcreate"
AND
proc_p_file_path: "powerpnt.exe"
AND
proc_file_path: "cmd.exe"
What does the BAT file do? It creates a scheduled task via schtasks.exe:
schtasks /create /tn "PerformTaskMaintain" /tr "C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\FROX\PLAIN.dll",VelocitySpeed" /sc minute /mo 4
Running a DLL from the Temp folder every 4 minutes? Not very common for legitimate tasks, right? We can hunt for the creation of tasks that run every few minutes (you can even turn it into a detection rule with proper exclusions):
event_type: "processcreate"
AND
proc_file_name: "schtasks.exe"
AND
cmdline: ("create" AND "minute" AND ("1" OR "2" OR "3" OR "4" OR "5" OR "6" OR "7" OR "8" OR "9" OR "10"))
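To show how the two hunting queries above translate into concrete logic, here is an added Python example that is not part of the original post or of the referenced report. It runs both checks (powerpnt.exe spawning cmd.exe, and schtasks.exe creating a task that fires every few minutes) over a handful of constructed process-creation events: the two command lines quoted above plus benign look-alikes. The ProcessCreateEvent fields, the rule names and the schtasks switch parsing are my own assumptions for illustration, not a SIEM's schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessCreateEvent:
    """Minimal process-creation record with the fields the two queries key on.
    (Assumed field names; real telemetry will name them differently.)"""
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry, not taken from the report. Events 0 and 1 carry the
# command lines quoted in the post; the rest are benign look-alikes.
SAMPLE_EVENTS = [
    ProcessCreateEvent(r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
                       r"C:\Windows\System32\cmd.exe",
                       r"cmd.exe /c C:\Users\user\AppData\Local\TEMP\FROX\cross.bat"),
    ProcessCreateEvent(r"C:\Windows\System32\cmd.exe",
                       r"C:\Windows\System32\schtasks.exe",
                       r'schtasks /create /tn "PerformTaskMaintain" /tr "C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\FROX\PLAIN.dll",VelocitySpeed" /sc minute /mo 4'),
    ProcessCreateEvent(r"C:\Windows\explorer.exe",
                       r"C:\Windows\System32\cmd.exe",
                       r"cmd.exe"),
    ProcessCreateEvent(r"C:\Windows\System32\cmd.exe",
                       r"C:\Windows\System32\schtasks.exe",
                       r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00'),
    ProcessCreateEvent(r"C:\Windows\System32\cmd.exe",
                       r"C:\Windows\System32\schtasks.exe",
                       r'schtasks /create /tn "Poll" /tr "C:\Tools\poll.exe" /sc minute /mo 30'),
    ProcessCreateEvent(r"C:\Windows\System32\cmd.exe",
                       r"C:\Windows\System32\schtasks.exe",
                       r'schtasks /create /tn "Sync" /tr "C:\Tools\sync.exe" /sc minute'),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so POWERPNT.EXE matches powerpnt.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Split a schtasks command line into {switch: value}.

    Splitting on whitespace followed by '/' keeps the nested-quoted /tr value intact,
    because a quoted program path never contains ' /'. Outer quotes are stripped.
    """
    parts = re.split(r"\s+/(?=[A-Za-z])", cmdline.strip())
    switches: Dict[str, str] = {}
    for part in parts[1:]:  # parts[0] is the executable name itself
        key, _, value = part.partition(" ")
        switches[key.lower()] = value.strip().strip('"')
    return switches


def office_spawns_cmd(ev: ProcessCreateEvent) -> bool:
    """First query: PowerPoint as the parent of cmd.exe."""
    return basename(ev.parent_image) == "powerpnt.exe" and basename(ev.image) == "cmd.exe"


def frequent_minute_task(ev: ProcessCreateEvent, max_minutes: int = 10) -> bool:
    """Second query: schtasks /create with /sc minute and an interval of at most max_minutes.
    A missing /mo is treated as 1, which is the schtasks default for a minute schedule."""
    if basename(ev.image) != "schtasks.exe":
        return False
    sw = parse_schtasks(ev.cmdline)
    if "create" not in sw or sw.get("sc", "").lower() != "minute":
        return False
    modifier = sw.get("mo", "1")
    return modifier.isdigit() and int(modifier) <= max_minutes


def task_action_flags(ev: ProcessCreateEvent) -> List[str]:
    """Enrichment for a hit: does the task action use rundll32 or run something from Temp?"""
    action = parse_schtasks(ev.cmdline).get("tr", "").lower()
    flags = []
    if "rundll32" in action:
        flags.append("rundll32")
    if "\\temp\\" in action:
        flags.append("temp_path")
    return flags


def hunt(events: List[ProcessCreateEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches either query."""
    hits = []
    for i, ev in enumerate(events):
        if office_spawns_cmd(ev):
            hits.append((i, "powerpnt_spawns_cmd"))
        if frequent_minute_task(ev):
            hits.append((i, "schtasks_every_few_minutes"))
    return hits


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(idx, rule, task_action_flags(SAMPLE_EVENTS[idx]))
```

Parsing the /mo value as a number is tighter than matching bare digits as substrings, since a path such as System32 already contains them, and it also catches a task created with /sc minute and no /mo at all. The flags from task_action_flags are what you would surface to the analyst next to the hit: a minute-interval task whose action is rundll32 loading a DLL from Temp is exactly the pattern in this campaign.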
Also, I think you noticed the strange function name (VelocitySpeed)! Yes, rundll32.exe abuse, again!
See you tomorrow!