170. Hunting for Mocha Manakin
Hello everyone!
Red Canary has colored another bird. This time the cluster is called Mocha Manakin. The adversary leverages the ClickFix technique to deliver a Node.js-based backdoor named NodeInitRAT.
Researchers note that this activity overlaps with Interlock ransomware, so it's important to detect it as early as possible.
They have already shared a few detection opportunities you can use, but I also suggest hunting for suspicious events where PowerShell spawns node.exe:
event_type: "processcreatewin"
AND
proc_p_file_path: "powershell.exe"
AND
proc_file_path: "node.exe"
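As an added example (my own code, not from the post or from Red Canary), here is that query expressed as a small Python filter run over constructed process-creation events. The field names come from the query above; the case-insensitive basename matching and the sample events are assumptions.

```python
from typing import Iterable

# Constructed sample events (not real telemetry). Field names follow the
# query in the post: event_type, proc_p_file_path, proc_file_path.
SAMPLE_EVENTS = [
    {   # the pattern we hunt for: PowerShell parent, node.exe child
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "proc_file_path": r"C:\Users\user\AppData\Roaming\node\node.exe",
    },
    {   # benign: node.exe started from Explorer, parent does not match
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_file_path": r"C:\Program Files\nodejs\node.exe",
    },
    {   # PowerShell parent but a different child, should not match
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "proc_file_path": r"C:\Windows\System32\whoami.exe",
    },
    {   # right parent/child pair but wrong event type, should not match
        "event_type": "filecreatewin",
        "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "proc_file_path": r"C:\Users\user\AppData\Roaming\node\node.exe",
    },
]


def basename_lower(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path.
    Normalizing this way makes the match robust to install location and case."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_powershell_spawning_node(event: dict) -> bool:
    """True when a process-creation event has powershell.exe as parent and node.exe as child."""
    if event.get("event_type") != "processcreatewin":
        return False
    parent = basename_lower(event.get("proc_p_file_path", ""))
    child = basename_lower(event.get("proc_file_path", ""))
    return parent == "powershell.exe" and child == "node.exe"


def hunt(events: Iterable[dict]) -> list:
    """Filter a stream of events down to the suspicious PowerShell -> node.exe ones."""
    return [e for e in events if matches_powershell_spawning_node(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious:", hit["proc_p_file_path"], "->", hit["proc_file_path"])
```

Hits still need triage against known-good automation in your environment (build pipelines that run node.exe from PowerShell, for instance), but the filter narrows the telemetry to exactly the parent/child pair the post points at.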
See you tomorrow!