176. Adversaries Abuse Vercel to Deliver RATs

Hello everyone!

Adversaries always experiment with the services they use for malware delivery. This time CyberArmor spotted threat actors abusing Vercel to host a malicious page.

Vercel provides developer tools, frameworks, and cloud infrastructure to build and maintain websites. The adversary used it to deliver LogMeIn, another commonly abused legitimate remote access tool.

So, we can hunt for access to Vercel infrastructure from uncommon hosts:

event_type: "dnsreqwin" AND dns_rname: "vercel.app"

Also, you can hunt for LogMeIn with uncommon file names and locations:

event_type: "processcreatewin" AND proc_file_productname: "GoTo Resolve"
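
Both queries return every match, so the "uncommon" part still has to be worked out on the results. The following is an added example, not part of the original post or of any EDR product: it takes exported events, reports Vercel lookups from hosts outside an expected set, and stack-counts GoTo Resolve binaries by file name and directory to surface the rare ones. The `host` and `proc_file_path` field names, the `expected_hosts` baseline, the `max_hosts` threshold and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events. event_type, dns_rname and proc_file_productname come
# from the queries above; "host" and "proc_file_path" are assumed field names,
# and the paths are illustrative, not real install locations.
EVENTS = [
    {"event_type": "dnsreqwin", "host": "dev-01", "dns_rname": "docs-preview.vercel.app"},
    {"event_type": "dnsreqwin", "host": "fin-07", "dns_rname": "example-page.vercel.app."},
    {"event_type": "dnsreqwin", "host": "fin-07", "dns_rname": "notvercel.app"},
    *[{"event_type": "processcreatewin", "host": h, "proc_file_productname": "GoTo Resolve",
       "proc_file_path": r"C:\Program Files\GoTo Resolve\GoToResolve.exe"}
      for h in ("it-01", "it-02", "it-03")],
    {"event_type": "processcreatewin", "host": "fin-07", "proc_file_productname": "GoTo Resolve",
     "proc_file_path": r"C:\Users\alice\Downloads\Invoice_2024.exe"},
]

def is_vercel(rname):
    """True for vercel.app and its subdomains, not for look-alikes such as notvercel.app."""
    name = rname.lower().rstrip(".")
    return name == "vercel.app" or name.endswith(".vercel.app")

def vercel_from_unexpected_hosts(events, expected_hosts):
    """Map each host outside the expected set to the Vercel names it resolved."""
    hits = defaultdict(set)
    for ev in events:
        if (ev["event_type"] == "dnsreqwin" and is_vercel(ev["dns_rname"])
                and ev["host"] not in expected_hosts):
            hits[ev["host"]].add(ev["dns_rname"].lower().rstrip("."))
    return {host: sorted(names) for host, names in hits.items()}

def rare_goto_resolve_images(events, max_hosts=1):
    """Stack-count (file name, directory) pairs and keep those seen on few hosts."""
    hosts = defaultdict(set)
    for ev in events:
        if (ev["event_type"] == "processcreatewin"
                and ev.get("proc_file_productname") == "GoTo Resolve"):
            path = PureWindowsPath(ev["proc_file_path"].lower())
            hosts[(path.name, str(path.parent))].add(ev["host"])
    return {key: sorted(seen) for key, seen in hosts.items() if len(seen) <= max_hosts}

if __name__ == "__main__":
    print(vercel_from_unexpected_hosts(EVENTS, expected_hosts={"dev-01"}))
    print(rare_goto_resolve_images(EVENTS))
```

A host that shows up in both results, like `fin-07` in the constructed data, is the one to triage first.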

See you tomorrow!
