061. DONOT Team Has a Presentation for You

Hello everyone! I think you have already gotten used to malicious Microsoft Word documents and Microsoft Excel spreadsheets, right? But what about Microsoft PowerPoint? Of course, we all use it to create presentations for threat briefings, but what about adversaries? Yes, they use it too!


Let's look at a DONOT Team (APT-Q-38) campaign described in this report. One of the kill chains included a malicious PowerPoint presentation (PPT), delivered via a link in a phishing PDF document. A malicious macro in the PPT file executes shellcode in order to download the next stages.

The first detection opportunity: powerpnt.exe spawns cmd.exe to execute a BAT file:

cmd.exe /c C:\Users\user\AppData\Local\TEMP\FROX\cross.bat

You can catch such activity this way:

event_type: "processcreate"
AND
proc_p_file_path: "powerpnt.exe"
AND
proc_file_path: "cmd.exe"

What does the BAT file do? It creates a scheduled task via schtasks.exe:

schtasks /create /tn "PerformTaskMaintain" /tr "C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\FROX\PLAIN.dll",VelocitySpeed" /sc minute /mo 4

Running a DLL from the Temp folder every 4 minutes? Not very common for legitimate tasks, right? We can hunt for the creation of tasks that run every few minutes (you can even turn it into a detection rule with proper exclusions):

event_type: "processcreate"
AND
proc_file_name: "schtasks.exe"
AND
cmdline: ("create" AND "minute" AND ("1" OR "2" OR "3" OR "4" OR "5" OR "6" OR "7" OR "8" OR "9" OR "10"))

Keep in mind that bare tokens like "1" will match anywhere in the command line in most search languages, so this query is a hunting starting point rather than a finished rule: for a rule, extract the value that follows /mo and treat a missing /mo as 1, which is the default for a MINUTE schedule.
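Both hunting queries above, implemented as plain Python over process-creation events so you can see what each one actually matches. This is an added example written for this post, not code from the report or from any SIEM; the events are constructed here (the two malicious command lines are the ones quoted above, the benign ones are made up), the field names simply mirror the queries, and the rule names and the 10-minute threshold are my own choices. The schtasks rule parses the /mo value instead of matching digit tokens, and treats a missing /mo as 1, which the token-list query would miss.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not from the report). Field names follow the
# queries in the post: parent image, child image, and full command line.
SAMPLE_EVENTS = [
    {   # malicious: PowerPoint launching the dropped BAT file
        "event_type": "processcreate",
        "proc_p_file_path": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c C:\Users\user\AppData\Local\TEMP\FROX\cross.bat",
    },
    {   # malicious: the BAT file registering the 4-minute rundll32 task
        "event_type": "processcreate",
        "proc_p_file_path": r"C:\Windows\System32\cmd.exe",
        "proc_file_path": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /tn "PerformTaskMaintain" /tr "C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\FROX\PLAIN.dll",VelocitySpeed" /sc minute /mo 4',
    },
    {   # benign (made up): a daily task should not fire the frequent-task rule
        "event_type": "processcreate",
        "proc_p_file_path": r"C:\Windows\System32\cmd.exe",
        "proc_file_path": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /tn "NightlyBackup" /tr "C:\Tools\backup.exe" /sc daily /st 01:00',
    },
    {   # benign (made up): every 15 minutes is outside the "every few minutes" window
        "event_type": "processcreate",
        "proc_p_file_path": r"C:\Windows\System32\cmd.exe",
        "proc_file_path": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /tn "SyncAgent" /tr "C:\Program Files\Sync\agent.exe" /sc minute /mo 15',
    },
    {   # wrong event type: must be ignored by both rules
        "event_type": "filecreate",
        "proc_p_file_path": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c whoami",
    },
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path ('...\\POWERPNT.EXE' -> 'powerpnt.exe')."""
    return PureWindowsPath(path).name.lower()


def office_spawns_cmd(event: dict) -> bool:
    """Rule 1 from the post: powerpnt.exe is the parent of cmd.exe."""
    return (
        event.get("event_type") == "processcreate"
        and image_name(event.get("proc_p_file_path", "")) == "powerpnt.exe"
        and image_name(event.get("proc_file_path", "")) == "cmd.exe"
    )


CREATE_RE = re.compile(r"/create\b", re.I)
MINUTE_SCHEDULE_RE = re.compile(r"/sc\s+minute\b", re.I)
MODIFIER_RE = re.compile(r"/mo\s+(\d+)", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def frequent_schtask(event: dict, max_minutes: int = 10) -> bool:
    """Rule 2 from the post: schtasks /create with a MINUTE schedule of at most max_minutes.

    The /mo value is parsed rather than matched as a loose digit token; when
    /mo is absent schtasks uses 1 for a MINUTE schedule, so that case fires too.
    """
    if event.get("event_type") != "processcreate":
        return False
    if image_name(event.get("proc_file_path", "")) != "schtasks.exe":
        return False
    cmdline = event.get("cmdline", "")
    if not (CREATE_RE.search(cmdline) and MINUTE_SCHEDULE_RE.search(cmdline)):
        return False
    match = MODIFIER_RE.search(cmdline)
    interval = int(match.group(1)) if match else 1
    return interval <= max_minutes


def run_detections(events: list) -> list:
    """Return (rule_name, cmdline) for every event that fires a rule.

    A frequent task whose action lives under the user's Temp folder gets a
    more specific rule name so it can be prioritised, as in the post's example.
    """
    hits = []
    for event in events:
        if office_spawns_cmd(event):
            hits.append(("powerpnt_spawns_cmd", event["cmdline"]))
        if frequent_schtask(event):
            name = "frequent_schtask_from_temp" if TEMP_DIR_RE.search(event["cmdline"]) else "frequent_schtask"
            hits.append((name, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, cmdline in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {cmdline}")
```

Run against the constructed events it reports exactly two hits, the PowerPoint-to-cmd launch and the 4-minute rundll32 task from Temp, while the daily and 15-minute tasks and the non-process event stay quiet. Swap SAMPLE_EVENTS for events exported from your own telemetry to see what your exclusion list needs to cover.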

Also, I think you noticed the strange export name (VelocitySpeed) in the task action! Yes, rundll32.exe abuse, again!

See you tomorrow!
