170. Hunting for Mocha Manakin

Hello everyone!

Red Canary has colored another bird. This time the cluster is called Mocha Manakin. The adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT.

Researchers note that ths activity has overlaps with Interlock ransomware, so it's important to detect this as early as possible.

They already shared a few detection opportunities you can use, but I also suggest hunting for suspicious events related to PowerShell spawning node.exe:

event_type: "processcreatewin"

AND

proc_p_file_path: "powershell.exe"

AND

proc_file_path: "node.exe"

See you tomorrow!


Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access