065. Detecting App Bound Encryption Bypass and VSCode Abuse

Hello everyone! Today we'll look at Phantom Goblin - a malware operation that leverages social engineering tactics to distribute stealers, which was uncovered by Cyble researchers.


Despite the fact that many of the techniques are quite noisy, a few caught my attention. The first one is bypassing App Bound Encryption (ABE) to extract cookie data by running the browser in headless mode with remote debugging enabled.

We can use the following query to search for such activity (you can expand the browser list, of course):

event_type: "processcreate"
AND
proc_file_name: ("brave.exe" OR "chrome.exe" OR "msedge.exe")
AND
cmdline: ("headless" AND "remote-debugging-port" AND "remote-allow-origins")

Another interesting technique is abusing Visual Studio Code to create a remote tunnel. We can search for such activity using the following query:

event_type: "processcreate"
AND
proc_file_name: "code.exe"
AND
cmdline: "tunnel"
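To make both queries concrete, here is an added example (my own code, not from the post or from Cyble's report) that applies the two rules above to a handful of constructed process-creation events. The field names event_type, proc_file_name and cmdline mirror the queries; the command lines themselves are made up for illustration, and the rule names are my own labels.

```python
"""Toy detection logic for the two process-creation patterns discussed above.

All events below are constructed samples; the field names follow the post's
queries (event_type, proc_file_name, cmdline). Rule names are illustrative.
"""

# Browsers whose headless/remote-debugging launch is covered by the first query.
BROWSERS = {"brave.exe", "chrome.exe", "msedge.exe"}

ABE_BYPASS_TOKENS = ("headless", "remote-debugging-port", "remote-allow-origins")


def _has_all(cmdline, tokens):
    """True when every token appears (case-insensitively) in the command line."""
    lower = cmdline.lower()
    return all(token in lower for token in tokens)


def detect_abe_bypass(event):
    """First query: a supported browser started headless with remote debugging
    and allowed remote origins, the launch pattern used to read cookies despite ABE."""
    if event.get("event_type") != "processcreate":
        return False
    if event.get("proc_file_name", "").lower() not in BROWSERS:
        return False
    return _has_all(event.get("cmdline", ""), ABE_BYPASS_TOKENS)


def detect_vscode_tunnel(event):
    """Second query: code.exe invoked with the 'tunnel' subcommand."""
    if event.get("event_type") != "processcreate":
        return False
    if event.get("proc_file_name", "").lower() != "code.exe":
        return False
    return "tunnel" in event.get("cmdline", "").lower()


def run_detections(events):
    """Run both rules over a list of events; return (event index, rule name) hits."""
    hits = []
    for index, event in enumerate(events):
        if detect_abe_bypass(event):
            hits.append((index, "abe_bypass_headless_remote_debugging"))
        if detect_vscode_tunnel(event):
            hits.append((index, "vscode_remote_tunnel"))
    return hits


# Constructed sample telemetry: two true positives and four benign-looking events.
SAMPLE_EVENTS = [
    {   # 0: matches the ABE bypass rule (all three tokens present)
        "event_type": "processcreate",
        "proc_file_name": "chrome.exe",
        "cmdline": ('"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                    "--headless=new --remote-debugging-port=9222 --remote-allow-origins=*"),
    },
    {   # 1: ordinary interactive browser launch, no match
        "event_type": "processcreate",
        "proc_file_name": "chrome.exe",
        "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default',
    },
    {   # 2: matches the VS Code tunnel rule
        "event_type": "processcreate",
        "proc_file_name": "code.exe",
        "cmdline": '"C:\\Users\\user\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe" tunnel',
    },
    {   # 3: VS Code opening a folder, no match
        "event_type": "processcreate",
        "proc_file_name": "code.exe",
        "cmdline": '"C:\\Users\\user\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe" C:\\Users\\user\\project',
    },
    {   # 4: headless only (e.g. page dump), missing the remote-debugging tokens, no match
        "event_type": "processcreate",
        "proc_file_name": "msedge.exe",
        "cmdline": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --headless --dump-dom https://example.invalid/',
    },
    {   # 5: wrong event type, rules only look at process creation
        "event_type": "networkconnect",
        "proc_file_name": "code.exe",
        "cmdline": "code.exe tunnel",
    },
]


if __name__ == "__main__":
    for index, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {SAMPLE_EVENTS[index]['cmdline']}")
```

Event 4 is the reason the first query requires all three tokens rather than just "headless": headless browsing on its own is common in build pipelines and scrapers, and it is the combination with remote debugging and a permissive remote-allow-origins value that makes the launch worth an alert. Test automation frameworks do legitimately start browsers this way, so in a real environment you would add the parent process and the launching user to the rule before treating a hit as an incident.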

Have you noticed any other interesting techniques in the report?

See you tomorrow! 
