176. Adversaries Abuse Vercel to Deliver RATs
Hello everyone!
Adversaries always experiment with the services they use for malware delivery. This time CyberArmor spotted threat actors abusing Vercel to host a malicious page.
Vercel provides developer tools, frameworks, and cloud infrastructure to build and maintain websites. The adversary used it to deliver LogMeIn, another commonly abused legitimate remote access tool (the vendor is now named GoTo, so the binary reports its product name as "GoTo Resolve").
So, we can hunt for hosts resolving Vercel infrastructure and then look for hosts that don't normally do so. Keep in mind that vercel.app is widely used for legitimate sites, so baseline which hosts resolve it before treating a match as suspicious:
event_type: "dnsreqwin"
AND
dns_rname: "vercel.app"
Also, you can hunt for LogMeIn (GoTo Resolve) process executions and then look for uncommon file names and locations. A legitimate install typically runs from its vendor directory under Program Files, while a payload delivered from a malicious page is more likely to run under a renamed file name from a user-writable location such as Downloads or Temp:
event_type: "processcreatewin"
AND
proc_file_productname: "GoTo Resolve"
See you tomorrow!