170. Hunting for Mocha Manakin

Hello everyone!

Red Canary has colored another bird. This time the cluster is called Mocha Manakin. The adversary leverages the ClickFix technique to deliver a NodeJS-based backdoor named NodeInitRAT.

Researchers note that this activity has overlaps with Interlock ransomware, so it's important to detect it as early as possible.

They already shared a few detection opportunities you can use, but I also suggest hunting for suspicious events where PowerShell spawns node.exe:

event_type: "processcreatewin"

AND

proc_p_file_path: "powershell.exe"

AND

proc_file_path: "node.exe"
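Here is the same logic as a small script run over a handful of process-creation events, so you can see what the query matches and what it ignores. This is an added example, not code from Red Canary's report or from the original post: the field names mirror the query above, the events are constructed samples rather than real telemetry, and treating pwsh.exe (PowerShell 7) as a second parent of interest is an assumption that goes beyond the post's powershell.exe.

```python
import ntpath

# Constructed sample events (not real telemetry), shaped like the fields
# in the hunting query: event type, parent process path, child process path.
SAMPLE_EVENTS = [
    # Should match: PowerShell spawning node.exe from a user-writable location.
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\node\node.exe"},
    # Should not match: node.exe started by Explorer (e.g. a developer launching it).
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_path": r"C:\Program Files\nodejs\node.exe"},
    # Should not match: PowerShell starting something other than node.exe.
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
     "proc_file_path": r"C:\Windows\System32\notepad.exe"},
    # Should not match: right parent/child pair, but not a process-creation event.
    {"event_type": "filecreatewin",
     "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\node\node.exe"},
    # Should match: pwsh.exe as parent (assumption: PowerShell 7 is also of interest).
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "proc_file_path": r"C:\Users\bob\AppData\Roaming\node.exe"},
]

# powershell.exe comes from the post's query; pwsh.exe is an added assumption.
PARENT_NAMES = {"powershell.exe", "pwsh.exe"}
CHILD_NAME = "node.exe"


def _basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def is_powershell_spawning_node(event):
    """Return True when the event is a Windows process creation whose
    parent is PowerShell and whose child is node.exe, matching on file
    name only so full paths and letter case in telemetry do not matter."""
    if event.get("event_type") != "processcreatewin":
        return False
    parent = event.get("proc_p_file_path")
    child = event.get("proc_file_path")
    if not parent or not child:
        return False
    return _basename(parent) in PARENT_NAMES and _basename(child) == CHILD_NAME


def hunt(events):
    """Filter an iterable of events down to the suspicious PowerShell -> node.exe ones."""
    return [e for e in events if is_powershell_spawning_node(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"suspicious: {hit['proc_p_file_path']} -> {hit['proc_file_path']}")
```

Matching on the file name rather than the full path keeps the rule from missing node.exe dropped into a temp or roaming directory, which is exactly the case worth looking at; follow-up triage would then pivot on the command line and the parent's own parent.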

See you tomorrow!

