127. Detecting RMMs from Ransomware Affiliate's Toolkit: Supremo

Hello everyone!

Let's keep looking at RMMs observed in ransomware gangs' toolkits. This time we'll look at Supremo, a legitimate remote access tool that has been observed in the wild (ITW) in the hands of Black Basta ransomware affiliates.

Usually the adversary does not modify the binary, so it looks absolutely legitimate. That means we can focus on metadata again and again: renaming Supremo.exe changes the file name, but not the product name embedded in the binary's version resource. So here's the query:

event_type: "processcreatewin"
AND
proc_file_productname: "Supremo Remote Control"

The same can be said about file creation events in the tool-related folders:

event_type: "filecreate"
AND
file_path: "SupremoRemoteDesktop"
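To show the two rules above working as detection logic rather than as query text, here is an added example that is not part of the original post. It is my own Python, not the tooling the post's queries were written for. The field names (event_type, proc_file_productname, file_path) are taken from the queries; the flat-dict event shape and every sample event (hosts, paths, the renamed binary) are constructed assumptions for illustration.

```python
"""Run the two Supremo detection rules from the post over constructed sample events."""
from dataclasses import dataclass
from typing import Callable, Iterable

# Field names come from the post's queries; the event shape is an assumed flat
# dict per event, as a SIEM/EDR export might look after JSON parsing.
Event = dict


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Event], bool]


def _field(ev: Event, key: str) -> str:
    """Read a field as a lower-cased string; missing fields compare as empty."""
    return str(ev.get(key, "")).lower()


# Rule 1: process creation where the PE ProductName metadata names Supremo.
# The exact product string mirrors the post's query.
SUPREMO_PROCESS = Rule(
    "supremo_process_create",
    lambda ev: _field(ev, "event_type") == "processcreatewin"
    and _field(ev, "proc_file_productname") == "supremo remote control",
)

# Rule 2: file creation inside the tool's folder. The post matches on the
# folder name, so a case-insensitive substring test on the path reproduces it.
SUPREMO_FILE = Rule(
    "supremo_file_create",
    lambda ev: _field(ev, "event_type") == "filecreate"
    and "supremoremotedesktop" in _field(ev, "file_path"),
)

RULES = (SUPREMO_PROCESS, SUPREMO_FILE)


def run_rules(events: Iterable[Event], rules=RULES) -> list[tuple[str, Event]]:
    """Evaluate every rule against every event; return (rule name, event) hits."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.match(ev):
                hits.append((rule.name, ev))
    return hits


# Constructed sample telemetry: values are invented to exercise the rules,
# including a renamed Supremo binary and a benign lookalike from another vendor.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "Supremo.exe",
     "proc_file_productname": "Supremo Remote Control", "host": "ws01"},
    # Renamed binary: the file name gives nothing away, ProductName still does.
    {"event_type": "processcreatewin", "proc_file_name": "svchost_update.exe",
     "proc_file_productname": "Supremo Remote Control", "host": "ws02"},
    {"event_type": "filecreate", "host": "ws02",
     "file_path": r"C:\ProgramData\SupremoRemoteDesktop\Log\Supremo.log"},
    # Benign: a different RMM's product string must not fire rule 1.
    {"event_type": "processcreatewin", "proc_file_name": "TeamViewer.exe",
     "proc_file_productname": "TeamViewer", "host": "ws03"},
    # Benign: an unrelated file create must not fire rule 2.
    {"event_type": "filecreate", "host": "ws03",
     "file_path": r"C:\Users\alice\Documents\notes.txt"},
]


def alerts_for(events=SAMPLE_EVENTS) -> list[dict]:
    """Return one minimal alert per hit: rule name, host and the matched artifact."""
    out = []
    for name, ev in run_rules(events):
        artifact = ev.get("proc_file_name") or ev.get("file_path")
        out.append({"rule": name, "host": ev.get("host"), "artifact": artifact})
    return out


if __name__ == "__main__":
    for alert in alerts_for():
        print(alert)
```

Two practical notes. The product-name rule only works if your telemetry source actually populates that field from the executable's version resource, so check the field exists in your data before relying on it. And since Supremo is a legitimate tool, baseline its use in your environment first: an alert on a host where IT never deployed it is the interesting one.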

What other interesting RMMs used by ransomware affiliates have you seen?

See you tomorrow!
