063. Kimsuky Abuses Control Panel Items to Evade Detection
Hello everyone! I think you have already noticed that Kimsuky (we track it as Monolithic Werewolf) is a frequent guest on my blog. The thing is, the cluster is quite creative and provides lots of detection ideas!
Today we'll look at how the adversary abused Control Panel Items in the campaign described in this report.
So, the threat actors used a malicious file with a double extension - [한글] 계엄사-합수본부 운영 참고자료[원본].hwp.cpl. It is a Control Panel item, and it is executed via control.exe. This means we can hunt for abuse of control.exe (you can experiment with other double extensions, of course):
event_type: "processcreate"
AND
proc_file_name: "control.exe"
AND
cmdline: (("hwp" AND "cpl") OR ("docx" AND "cpl") OR ("pdf" AND "cpl"))
Note that control.exe normally hands a .cpl file off to rundll32.exe (shell32.dll,Control_RunDLL <file.cpl>), so it's worth running the same command-line check against rundll32.exe as well; depending on your telemetry, the follow-up network activity may also be attributed to rundll32.exe rather than control.exe.
After execution, the file connects to github[.]com to download additional files - and we have another detection opportunity:
event_type: "dnsreq"
AND
dns_rname: "github.com"
AND
proc_file_path: "control.exe"
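To show how the two hunting queries above behave on real-looking telemetry, here is an added Python example (my own illustration, not code from the original report). It implements both detections over a few constructed events that mimic the field names used above, and generalizes slightly beyond the post: the document-extension list is extended, rundll32.exe is checked alongside control.exe (because control.exe loads .cpl files through rundll32.exe), and GitHub content domains are matched in addition to github.com. The sample events are made up for the example.

```python
import re

# Constructed sample telemetry for the example (not from the original report).
# Field names mirror the queries in the post: event_type, proc_file_name,
# cmdline for process creation; proc_file_path, dns_rname for DNS requests.
EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "control.exe",
     "cmdline": 'control.exe "C:\\Users\\u\\Downloads\\[한글] 계엄사-합수본부 운영 참고자료[원본].hwp.cpl"'},
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": 'rundll32.exe shell32.dll,Control_RunDLL "C:\\Users\\u\\Downloads\\report.pdf.cpl"'},
    # Benign: a normal Control Panel applet launch.
    {"event_type": "processcreate", "proc_file_name": "control.exe",
     "cmdline": "control.exe /name Microsoft.NetworkAndSharingCenter"},
    {"event_type": "dnsreq", "proc_file_path": "C:\\Windows\\System32\\control.exe",
     "dns_rname": "github.com"},
    {"event_type": "dnsreq", "proc_file_path": "C:\\Windows\\System32\\rundll32.exe",
     "dns_rname": "raw.githubusercontent.com"},
    # Benign: git itself talking to GitHub.
    {"event_type": "dnsreq", "proc_file_path": "C:\\Program Files\\Git\\cmd\\git.exe",
     "dns_rname": "github.com"},
]

# Assumed list of "document" extensions worth pairing with .cpl (extended beyond
# the hwp/docx/pdf used in the post).
DOC_EXTS = ("hwp", "hwpx", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf")
# Matches "<document ext>.cpl" at the end of a path token in the command line.
DOUBLE_EXT_RE = re.compile(
    r"\.(" + "|".join(DOC_EXTS) + r")\.cpl(?=[\"'\s]|$)", re.IGNORECASE)
# control.exe delegates .cpl loading to rundll32.exe, so both are treated as CPL hosts.
CPL_HOSTS = ("control.exe", "rundll32.exe")
# github.com and GitHub content domains (e.g. raw.githubusercontent.com).
GITHUB_RE = re.compile(r"(^|\.)github(usercontent)?\.com$", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cpl_double_extension(ev):
    """Detection 1: a CPL host process launched with a <doc>.cpl double extension."""
    if ev.get("event_type") != "processcreate":
        return False
    if ev.get("proc_file_name", "").lower() not in CPL_HOSTS:
        return False
    return bool(DOUBLE_EXT_RE.search(ev.get("cmdline", "")))


def is_cpl_host_github_dns(ev):
    """Detection 2: a CPL host process resolving a GitHub domain."""
    if ev.get("event_type") != "dnsreq":
        return False
    if basename(ev.get("proc_file_path", "")) not in CPL_HOSTS:
        return False
    return bool(GITHUB_RE.search(ev.get("dns_rname", "")))


def detect(events):
    """Run both detections and return (rule_name, event) pairs for every hit."""
    hits = []
    for ev in events:
        if is_cpl_double_extension(ev):
            hits.append(("cpl_double_extension", ev))
        elif is_cpl_host_github_dns(ev):
            hits.append(("cpl_host_github_dns", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("dns_rname"))
```

Running it flags the two .cpl double-extension launches and the two GitHub lookups from CPL host processes, while the ordinary Control Panel launch and git.exe's own GitHub traffic stay quiet. The regex anchoring on the trailing quote or whitespace is what keeps something like `report.pdf.cpl.txt` from matching, and the rundll32.exe coverage is the check you will usually need in practice, since that is the process actually loading the CPL.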
Also, note the persistence mechanism used by the adversary - it's not the most common!
See you tomorrow!