065. Detecting App Bound Encryption Bypass and VSCode Abuse
Hello everyone! Today we'll look at Phantom Goblin - a malware operation that leverages social engineering tactics to distribute stealers, which was uncovered by Cyble researchers.
Although many of the techniques are quite noisy, a few caught my attention. The first one is bypassing App Bound Encryption (ABE) to extract cookie data by running the browser in headless mode with remote debugging enabled.
We can use the following query to search for such activity (you can expand the browser list, of course):
event_type: "processcreate"
AND
proc_file_name: ("brave.exe" OR "chrome.exe" OR "msedge.exe")
AND
cmdline: ("headless" AND "remote-debugging-port" AND "remote-allow-origins")
Another interesting technique is abusing Visual Studio Code to create a remote tunnel. We can search for such activity using the following query:
event_type: "processcreate"
AND
proc_file_name: "code.exe"
AND
cmdline: "tunnel"
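To show what the two queries above actually evaluate, here is an added example (my own code, not from the Cyble report or the post's SIEM) that applies both rules to constructed process-creation events. It goes slightly beyond the raw queries: the image name is normalised from a full path, and "tunnel" is matched as a whole command-line token rather than a substring, so a file named tunnel-notes.txt opened in VS Code does not fire the rule.

```python
import ntpath

# Browsers and flags taken from the ABE bypass query in the post.
BROWSERS = {"brave.exe", "chrome.exe", "msedge.exe"}
ABE_BYPASS_FLAGS = ("headless", "remote-debugging-port", "remote-allow-origins")

# Constructed sample events (not real telemetry); field names mirror the queries.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "chrome.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222 --remote-allow-origins=*"},
    {"event_type": "processcreate",
     "proc_file_name": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel'},
    # Headless alone (e.g. printing a page) lacks the remote-debugging flags: no hit.
    {"event_type": "processcreate", "proc_file_name": "msedge.exe",
     "cmdline": "msedge.exe --headless --print-to-pdf=out.pdf https://example.invalid"},
    # "tunnel" appears only inside a file name, not as the tunnel subcommand: no hit.
    {"event_type": "processcreate", "proc_file_name": "code.exe",
     "cmdline": r"code.exe C:\Users\demo\tunnel-notes.txt"},
    # Wrong event type is ignored regardless of the command line.
    {"event_type": "networkconnect", "proc_file_name": "chrome.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222 --remote-allow-origins=*"},
]


def detect(event):
    """Return the names of the post's rules that a single event matches."""
    hits = []
    if event.get("event_type", "").lower() != "processcreate":
        return hits
    # Sensors may log the full image path; compare on the file name only.
    image = ntpath.basename(event.get("proc_file_name", "")).lower()
    cmdline = event.get("cmdline", "").lower()
    tokens = cmdline.split()
    if image in BROWSERS and all(flag in cmdline for flag in ABE_BYPASS_FLAGS):
        hits.append("abe_bypass_headless_remote_debugging")
    if image == "code.exe" and "tunnel" in tokens:
        hits.append("vscode_remote_tunnel")
    return hits


def scan(events):
    """Map the index of every matching event to the rules it triggered."""
    return {i: detect(ev) for i, ev in enumerate(events) if detect(ev)}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", rules)
```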
Have you noticed any other interesting techniques in the report?
See you tomorrow!