174. Adversaries Abuse Python to Sideload a Backdoor

Hello everyone!

We have already talked about cases where adversaries abused Python to execute various scripts. This time, according to a Knownsec report, the Confucius group used it for DLL sideloading.

The adversary leveraged malicious LNK files (yes, again and again) to download a bunch of files to the compromised system. These files included python313.dll (a backdoor researchers called Anondoor) and BlueAle.exe, a renamed copy of pythonw.exe. When the renamed interpreter is launched, it loads python313.dll from its own directory, so the backdoor ends up running inside what looks like a legitimate Python process.

And yes, this is another case where we can hunt for suspicious renamed legitimate executables:

event_type: "processcreatewin"

AND

proc_file_originalfilename: "pythonw.exe"

AND NOT

proc_file_name: "pythonw.exe"
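The same hunt logic as a runnable example, added here and not taken from the post or the Knownsec report. It runs the check over a few constructed process-creation events (not real telemetry); the field names follow the query above and are an assumption about your SIEM schema, and python.exe is added to the watched list on the assumption that the console interpreter can be renamed the same way. A second function flags events with no OriginalFileName at all, since a rule keyed on that field is blind to binaries with stripped version info.

```python
import ntpath
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Binaries whose version-resource OriginalFileName we key on. pythonw.exe is the
# case from the report; python.exe is an assumption that the same trick works for
# the console interpreter.
WATCHED_ORIGINAL_NAMES = {"pythonw.exe", "python.exe"}

# Constructed sample telemetry, not real events. Field names follow the query in
# the post and are an assumption about the SIEM schema.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "processcreatewin",            # normal interpreter start
     "proc_file_name": "pythonw.exe",
     "proc_file_originalfilename": "pythonw.exe",
     "proc_file_path": r"C:\Program Files\Python313\pythonw.exe"},
    {"event_type": "processcreatewin",            # the Confucius case: renamed interpreter
     "proc_file_name": "BlueAle.exe",
     "proc_file_originalfilename": "pythonw.exe",
     "proc_file_path": r"C:\Users\victim\AppData\Roaming\BlueAle\BlueAle.exe"},
    {"event_type": "processcreatewin",            # same name, different case: not a rename
     "proc_file_name": "PYTHONW.EXE",
     "proc_file_originalfilename": "pythonw.exe",
     "proc_file_path": r"C:\Python313\PYTHONW.EXE"},
    {"event_type": "processcreatewin",            # unrelated binary, should not match
     "proc_file_name": "notepad.exe",
     "proc_file_originalfilename": "NOTEPAD.EXE",
     "proc_file_path": r"C:\Windows\System32\notepad.exe"},
    {"event_type": "imageloadwin",                # wrong event type: ignored by this rule
     "proc_file_name": "BlueAle.exe",
     "proc_file_originalfilename": "pythonw.exe",
     "proc_file_path": r"C:\Users\victim\AppData\Roaming\BlueAle\BlueAle.exe"},
    {"event_type": "processcreatewin",            # version info stripped: the rule is blind here
     "proc_file_name": "svc.exe",
     "proc_file_originalfilename": "-",
     "proc_file_path": r"C:\Users\victim\AppData\Local\Temp\svc.exe"},
]


def is_renamed_watched_binary(event: Event, watched=WATCHED_ORIGINAL_NAMES) -> bool:
    """True when a watched binary was started under a different file name."""
    if event.get("event_type") != "processcreatewin":
        return False
    original = event.get("proc_file_originalfilename", "").strip().lower()
    # basename guards against schemas that put the full path in proc_file_name;
    # lower() makes the comparison case-insensitive, as NTFS names are
    name = ntpath.basename(event.get("proc_file_name", "")).strip().lower()
    if original not in watched:
        return False
    return name != original


def hunt_renamed_binaries(events: Iterable[Event],
                          watched=WATCHED_ORIGINAL_NAMES) -> List[Event]:
    """Apply the renamed-binary check to a stream of events."""
    return [e for e in events if is_renamed_watched_binary(e, watched)]


def hunt_missing_version_info(events: Iterable[Event]) -> List[Event]:
    """Process creations whose OriginalFileName is empty or '-'.

    A rule keyed on OriginalFileName cannot see a binary whose version
    resource was stripped, so these deserve a separate look.
    """
    return [
        e for e in events
        if e.get("event_type") == "processcreatewin"
        and e.get("proc_file_originalfilename", "").strip() in ("", "-")
    ]


if __name__ == "__main__":
    for hit in hunt_renamed_binaries(SAMPLE_EVENTS):
        print(f"renamed {hit['proc_file_originalfilename']}: {hit['proc_file_path']}")
    for hit in hunt_missing_version_info(SAMPLE_EVENTS):
        print(f"no version info: {hit['proc_file_path']}")
```

Running it reports only BlueAle.exe as a renamed pythonw.exe, while the uppercase PYTHONW.EXE, notepad.exe and the image-load event are left alone; svc.exe shows up in the separate "no version info" list rather than being silently missed.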

Keep in mind that OriginalFileName comes from the binary's version resource, so a copy with that resource stripped or edited will not match; process creations with an empty OriginalFileName are worth a separate look. Make sure to check the report for more detection ideas!

See you tomorrow!
