122. APT36 Abuses PowerPoint PPAM Files to Deliver Crimson RAT

Hello everyone!

We have already talked a few times about how adversaries abuse PowerPoint to deliver malware. It's time to discuss it again!

Seqrite has published a report on APT36 activity (we track this activity cluster as Translucent Werewolf). According to the research, the threat actors leveraged PowerPoint add-in files (PPAM) to deliver Crimson RAT.

In my experience such files are rare in most modern environments, so PowerPoint being launched with a PPAM file on its command line is a cheap thing to hunt for:

event_type: "processcreatewin"

AND

proc_file_name: "powerpnt.exe"

AND

cmdline: "ppam"
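As an added illustration that is not part of the original post, here is the same query run over a few constructed process-creation events in Python. The field names follow the query above; the sample paths and user names are made up. The extension is matched as a command-line token rather than as a bare substring, so a file such as ppam_notes.pptx does not fire, and a second function shows what the plain substring match would have returned for comparison.

```python
import json
import re

# Constructed sample events (not real telemetry) using the same field names
# as the hunting query: event_type, proc_file_name, cmdline.
SAMPLE_LOG = r'''
{"event_type": "processcreatewin", "proc_file_name": "POWERPNT.EXE", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE\" \"C:\\Users\\alice\\Downloads\\Agenda.ppam\""}
{"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE\" \"C:\\Users\\alice\\Documents\\Quarterly.pptx\""}
{"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE\" \"C:\\Users\\alice\\Documents\\ppam_notes.pptx\""}
{"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\Outlook Files\\Project_Brief.PPAM\""}
{"event_type": "processcreatewin", "proc_file_name": "winword.exe", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\Letter.docx\""}
'''

# A quoted argument ending in .ppam, or an unquoted one with no spaces.
# Matching the extension as a token avoids the bare substring "ppam",
# which also fires on names like ppam_notes.pptx.
PPAM_ARG = re.compile(r'"([^"]*\.ppam)"|(\S+\.ppam)(?=\s|$)', re.IGNORECASE)


def ppam_argument(cmdline):
    """Return the .ppam path from a command line, or None if there is none."""
    m = PPAM_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_ppam_open(event):
    """The hunting query: PowerPoint process creation with a PPAM argument."""
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_name", "").lower() == "powerpnt.exe"
            and ppam_argument(event.get("cmdline", "")) is not None)


def hunt(log_text):
    """Run the query over JSON-lines telemetry; return the PPAM paths opened."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_ppam_open(event):
            hits.append(ppam_argument(event["cmdline"]))
    return hits


def naive_hits(log_text):
    """Count what a bare substring match on 'ppam' would return, for comparison."""
    count = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if (event.get("event_type") == "processcreatewin"
                and event.get("proc_file_name", "").lower() == "powerpnt.exe"
                and "ppam" in event.get("cmdline", "").lower()):
            count += 1
    return count


if __name__ == "__main__":
    for path in hunt(SAMPLE_LOG):
        print("PPAM opened by PowerPoint:", path)
    print("bare substring matches:", naive_hits(SAMPLE_LOG))
```

Two things to keep in mind when running the real query: a PowerPoint launch is rare enough that the extra substring hits are easy to triage by eye, and the command line only carries the path when the user opens the file through the shell (double-click or an attachment preview). An add-in that has already been registered to auto-load does not show up this way, so this query is for catching the initial open, not for finding persistence.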

See you tomorrow!
