181. Hunting for Mustang Panda's Claimloader

Hello everyone!

As I noted yesterday, more and more threat actors add DLL side-loading to their arsenals. Let's look at one that has been using it for quite a long time - Mustang Panda (or Horned Werewolf, as we track it).

According to this report, the adversary distributed phishing emails with Google Drive links to ZIP or RAR archives. These archives contain renamed legitimate executables (for example, 9th WPCT Region-Wise Action Plans on Tibet.exe) and malicious Claimloader DLLs.

The threat actors abused the following legitimate executables: Adobe Licensing WF Helper (adobe_licensing_wf_helper.exe), Wargaming.net Game Center (helper_process.exe) and FFWallpaper Widgets Jyy (fhbjyy.exe).

Of course, you already know what to do:

event_type: "processcreatewin"

AND

((proc_file_originalfilename: "adobe_licensing_wf_helper.exe" AND NOT proc_file_name: "adobe_licensing_wf_helper.exe") OR (proc_file_originalfilename: "helper_process.exe" AND NOT proc_file_name: "helper_process.exe") OR (proc_file_originalfilename: "fhbjyy.exe" AND NOT proc_file_name: "fhbjyy.exe"))

It is also a good idea to hunt for these executables running under their proper names from uncommon locations (user profiles, Downloads, Temp and the like)!
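Both hunts above, as an added Python example that is not part of the original post: the first function is the "OriginalFilename does not match the launched name" query, the second is the "proper name, uncommon location" hunt. Field names follow the query in the post; proc_file_path, the EXPECTED_PATH_PREFIXES list and all sample events are assumptions constructed for the example, not real telemetry.

```python
"""Added example (not from the original post): the two Claimloader hunts
applied to constructed process-creation events.

event_type, proc_file_originalfilename and proc_file_name follow the query in
the post; proc_file_path is an assumed extra field with the full image path.
"""

# Legitimate executables abused for side-loading, per the post.
ABUSED_ORIGINAL_NAMES = {
    "adobe_licensing_wf_helper.exe",  # Adobe Licensing WF Helper
    "helper_process.exe",             # Wargaming.net Game Center
    "fhbjyy.exe",                     # FFWallpaper Widgets Jyy
}

# Assumed "normal" install roots (an illustrative assumption, not from the
# post); tune to the paths these products actually use on your fleet.
EXPECTED_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _norm(name):
    """Lower-case a name. Windows file names are case-insensitive, so a plain
    string-inequality check would wrongly flag FHBJYY.EXE as 'renamed'."""
    return (name or "").lower()


def is_renamed_abused_binary(event):
    """Hunt 1 (the query in the post): the PE version resource says this is one
    of the abused helpers, but the file was launched under a different name."""
    if event.get("event_type") != "processcreatewin":
        return False
    original = _norm(event.get("proc_file_originalfilename"))
    return original in ABUSED_ORIGINAL_NAMES and _norm(event.get("proc_file_name")) != original


def is_proper_name_in_uncommon_location(event):
    """Hunt 2: the same helper under its proper name, but started from outside
    the expected install roots (Downloads, Temp, a user profile, ...)."""
    if event.get("event_type") != "processcreatewin":
        return False
    original = _norm(event.get("proc_file_originalfilename"))
    if original not in ABUSED_ORIGINAL_NAMES or _norm(event.get("proc_file_name")) != original:
        return False
    return not _norm(event.get("proc_file_path")).startswith(EXPECTED_PATH_PREFIXES)


def hunt(events):
    """Return what each hunt flags, in input order: launched names for hunt 1,
    full paths for hunt 2."""
    return {
        "renamed": [e["proc_file_name"] for e in events if is_renamed_abused_binary(e)],
        "uncommon_location": [e["proc_file_path"] for e in events
                              if is_proper_name_in_uncommon_location(e)],
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate Adobe helper in its normal place: no hit.
    {"event_type": "processcreatewin",
     "proc_file_originalfilename": "adobe_licensing_wf_helper.exe",
     "proc_file_name": "adobe_licensing_wf_helper.exe",
     "proc_file_path": "C:\\Program Files (x86)\\Common Files\\Adobe\\adobe_licensing_wf_helper.exe"},
    # Same helper renamed to a document-like name and run from Downloads: hunt 1.
    {"event_type": "processcreatewin",
     "proc_file_originalfilename": "adobe_licensing_wf_helper.exe",
     "proc_file_name": "9th WPCT Region-Wise Action Plans on Tibet.exe",
     "proc_file_path": "C:\\Users\\user\\Downloads\\9th WPCT Region-Wise Action Plans on Tibet.exe"},
    # Wargaming helper under its proper name but started from Temp: hunt 2.
    {"event_type": "processcreatewin",
     "proc_file_originalfilename": "helper_process.exe",
     "proc_file_name": "helper_process.exe",
     "proc_file_path": "C:\\Users\\user\\AppData\\Local\\Temp\\helper_process.exe"},
    # Upper-cased name in its install directory: no hit once case is normalised.
    {"event_type": "processcreatewin",
     "proc_file_originalfilename": "fhbjyy.exe",
     "proc_file_name": "FHBJYY.EXE",
     "proc_file_path": "C:\\Program Files\\FFWallpaper\\FHBJYY.EXE"},
    # Binary without a version resource (no OriginalFilename): no hit.
    {"event_type": "processcreatewin",
     "proc_file_originalfilename": None,
     "proc_file_name": "helper_process.exe",
     "proc_file_path": "C:\\Users\\user\\Desktop\\helper_process.exe"},
]

if __name__ == "__main__":
    for hunt_name, hits in hunt(SAMPLE_EVENTS).items():
        print(hunt_name, hits)
```

One caveat the query does not cover: it keys entirely on the OriginalFilename stored in the version resource, which an attacker can strip or edit (the last sample event shows the resulting blind spot). Pairing it with the file hash or the Authenticode signer of the known-good helpers makes both hunts harder to sidestep.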

See you tomorrow!
