201. Adversaries Misuse Microsoft CAB File Extract Utility in Lumma Infection Chain

Hello everyone!

Let's look at another LOLBIN commonly misused by adversaries. This time we're going to talk about the Microsoft CAB File Extract Utility (extrac32.exe) and Lumma Stealer - a very common modern threat.

Although the Microsoft CAB File Extract Utility is meant for extracting files from .cab archives, it doesn't care about the extension of the input file: any extension will do, .mp4 for example. That's exactly what the adversary does (in fact, this behavior is related to the CypherIT crypter): the cabinet is dropped under a document-looking name and extracted with commands like these:

extrac32 /Y Ultimate.ppt *.*

extrac32 /Y Championships.sldm *.*

extrac32 /Y Worm.potm *.*

extrac32 /Y Stainless.mid *.*

extrac32 /Y Combinations.psd *.*

In each case /Y suppresses the overwrite prompt and *.* extracts every file from the cabinet. So, from a detection and hunting perspective, we can search for extrac32 execution events whose command line doesn't reference a .cab file:

event_type: "processcreatewin"

AND

proc_file_path: "extrac32.exe"

AND NOT

cmdline: *cab*
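As an added example (not part of the original post), here is the hunting logic above run over a few constructed process-creation events in Python, using the field names from the query. It implements the substring rule exactly as written, and next to it a tighter version that parses the extrac32 command line and checks the extension of the source argument itself, so a cabinet dropped in a directory whose path happens to contain "cab" is not missed. The event format and the sample command lines are assumptions made for the example.

```python
import ntpath
import re

# Constructed process-creation events for illustration only (not real telemetry).
# Field names follow the hunting query in the post.
SAMPLE_EVENTS = [
    # Lumma/CypherIT style: cabinet with a document-looking name
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32 /Y Ultimate.ppt *.*"},
    # Same technique, but the drop directory happens to contain "cab"
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r'extrac32 /Y "C:\Users\bob\AppData\Local\Temp\cabs\Worm.potm" *.*'},
    # Legitimate use: a real .cab with the /L output-directory switch
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32 /Y /L C:\out update.cab *.*"},
    # Not extrac32 at all; both rules must ignore it
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo no cab here"},
]


def is_extrac32(event):
    """True for process-creation events of extrac32.exe (file name compared case-insensitively)."""
    return (event.get("event_type") == "processcreatewin"
            and ntpath.basename(event.get("proc_file_path", "")).lower() == "extrac32.exe")


def naive_rule(event):
    """The query from the post: extrac32 whose command line does not contain 'cab'."""
    return is_extrac32(event) and "cab" not in event["cmdline"].lower()


# extrac32 switches that consume the following token (/L dir = output directory)
SWITCHES_WITH_ARG = {"/l"}


def extrac32_source(cmdline):
    """Return the cabinet/source argument of an extrac32 command line, or None.

    Tokens are split on whitespace, honouring double quotes; leading switches are
    skipped, and /L also skips its directory argument.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args = tokens[1:]  # drop the program name
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("/"):
            i += 2 if tok.lower() in SWITCHES_WITH_ARG else 1
            continue
        return tok
    return None


def strict_rule(event):
    """Tighter rule: extrac32 whose source argument does not end in .cab."""
    if not is_extrac32(event):
        return False
    src = extrac32_source(event["cmdline"])
    if src is None:
        return False
    return ntpath.splitext(src)[1].lower() != ".cab"


def hunt(events, rule):
    """Return the command lines of the events a rule flags."""
    return [e["cmdline"] for e in events if rule(e)]


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("strict", strict_rule)):
        print(f"[{name}]")
        for cmd in hunt(SAMPLE_EVENTS, rule):
            print("  ", cmd)
```

Running it shows the substring rule flagging only the first event, while the strict rule also catches the second one, where the path contains "cabs". Both rules key on proc_file_path; since extrac32.exe can be copied and renamed like any other LOLBIN, anchor the match on the original file name or hash where your telemetry provides it.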

See you tomorrow!
