174. Adversaries Abuse Python to Sideload a Backdoor
Hello everyone!
We have already covered cases where adversaries abused Python to execute scripts. This time, according to a Knownsec report, the Confucius group used it for DLL sideloading.
The adversary leveraged malicious LNK files (yes, again and again) to download a set of files to the compromised host. These included python313.dll (a backdoor the researchers named Anondoor) and BlueAle.exe, a renamed copy of pythonw.exe. Since pythonw.exe loads the interpreter DLL (python313.dll for Python 3.13) from its own directory, dropping a renamed interpreter next to a malicious python313.dll is enough to get the backdoor running inside a legitimate process.
And yes, this is another case where we can hunt for renamed legitimate executables by comparing the OriginalFileName from the PE version resource with the name on disk:
event_type: "processcreatewin"
AND
proc_file_originalfilename: "pythonw.exe"
AND NOT
proc_file_name: "pythonw.exe"
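As an added example (not code from the post or from the Knownsec report), here is the same check written in Python over constructed Sysmon-style records, plus a second check aimed at the sideload itself: a python3xx.dll loaded by a process that is not called python.exe or pythonw.exe. The field names follow Sysmon Event ID 1 (process creation) and Event ID 7 (image load); the sample events are made up for the example, and the DLL rule is my own heuristic rather than a detection from the report.

```python
"""Hunt for renamed copies of pythonw.exe and for python3xx.dll sideloads.

Added example, not taken from the original post or the Knownsec report.
Input records mimic Sysmon Event ID 1 (Image, OriginalFileName) and
Event ID 7 (Image, ImageLoaded); all events below are constructed.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Interpreter DLL name pattern: python3.dll, python313.dll, python314.dll ...
PYTHON_DLL = re.compile(r"^python3\d*\.dll$", re.IGNORECASE)
# Processes that legitimately load the interpreter DLL under their own name.
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Last path component; ntpath.basename splits on both '\\' and '/'."""
    return ntpath.basename(path)


def is_renamed(event: dict, original: str = "pythonw.exe") -> bool:
    """True when the PE version resource claims `original` but the file
    on disk carries a different name. Case-insensitive, because NTFS is
    and telemetry sources disagree on casing of OriginalFileName."""
    ofn = (event.get("OriginalFileName") or "").strip().lower()
    if ofn != original.lower():
        return False
    return basename(event.get("Image", "")).lower() != original.lower()


def hunt_renamed(events: list[dict], original: str = "pythonw.exe") -> list[Finding]:
    """Mirror of the query in the post: OriginalFileName == pythonw.exe
    AND NOT file name == pythonw.exe, over process-creation events."""
    return [
        Finding("renamed-" + original, e["Image"], e["OriginalFileName"])
        for e in events
        if e.get("EventID") == 1 and is_renamed(e, original)
    ]


def hunt_sideload(events: list[dict]) -> list[Finding]:
    """Heuristic (assumption, not from the report): an image-load event
    where a python3xx.dll is loaded by a process whose on-disk name is
    not python.exe/pythonw.exe. In the described intrusion that would be
    BlueAle.exe loading python313.dll."""
    out = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        dll = basename(e.get("ImageLoaded", ""))
        host = basename(e.get("Image", "")).lower()
        if PYTHON_DLL.match(dll) and host not in PYTHON_HOSTS:
            out.append(Finding("python-dll-sideload", e["Image"], e["ImageLoaded"]))
    return out


# Constructed sample telemetry (paths and names are invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\BlueAle.exe",
     "OriginalFileName": "pythonw.exe"},                              # hit
    {"EventID": 1, "Image": r"C:\Python313\pythonw.exe",
     "OriginalFileName": "PYTHONW.EXE"},                              # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},                              # unrelated
    {"EventID": 1, "Image": r"C:\Tools\helper.exe"},                  # no OFN field
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\BlueAle.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\python313.dll"},  # hit
    {"EventID": 7, "Image": r"C:\Python313\python.exe",
     "ImageLoaded": r"C:\Python313\python313.dll"},                   # benign
]

if __name__ == "__main__":
    for f in hunt_renamed(SAMPLE_EVENTS) + hunt_sideload(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.detail}")
```

Two caveats before turning this into a production rule. OriginalFileName comes from the PE version resource, which the attacker controls on their own copy: a stripped or edited resource silently defeats the first check, so an empty OriginalFileName on an otherwise unusual binary is itself worth a look. The DLL rule will fire on legitimate software that embeds the Python runtime and needs an allowlist of known hosts in your environment.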
Make sure to check the report for more detection ideas!
See you tomorrow!