201. Adversaries Misuse Microsoft CAB File Extract Utility in Lumma Infection Chain
Hello everyone!
Let's look at another LOLBIN commonly misused by adversaries. This time we're going to talk about Microsoft CAB File Extract Utility and Lumma Stealer - a very common modern threat.
Although Microsoft CAB File Extract Utility (extrac32.exe) is meant to extract files with the .cab extension, it accepts a source file with any extension, for example .mp4. That is exactly what the adversary does (this behavior is associated with the CypherIT crypter), for example:
extrac32 /Y Ultimate.ppt *.*
extrac32 /Y Championships.sldm *.*
extrac32 /Y Worm.potm *.*
extrac32 /Y Stainless.mid *.*
extrac32 /Y Combinations.psd *.*
So, from a detection and hunting perspective, we can search for extrac32 execution events that don't have a .cab file in the command line:
event_type: "processcreatewin"
AND
proc_file_path: "extrac32.exe"
AND NOT
cmdline: *cab*
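As an added example (not code from the original post), the same hunt applied in Python to constructed process-creation events. It checks the extension of extrac32's actual source argument instead of substring-matching "cab", so a source named Cabinet.mp4 is still flagged while a real Update.CAB is not. Field names follow the query above; the events are constructed.

```python
"""Hunt for extrac32.exe started with a non-.cab source file (added example)."""
import ntpath
from typing import Optional

# Constructed events; field names follow the hunting query in the post.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": "extrac32 /Y Ultimate.ppt *.*"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": "extrac32 /Y Worm.potm *.*"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": "extrac32 /Y Cabinet.mp4 *.*"},              # contains 'cab' but is not a .cab
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r'extrac32 /Y /L C:\out "Update.CAB" *.*'},  # benign: a real cabinet file
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo Ultimate.ppt"},                  # not extrac32 at all
]

def source_file(cmdline: str) -> Optional[str]:
    """Return extrac32's source argument: the first non-switch token after the
    executable. /L takes a directory as the following token, so skip that too.
    Simplification: whitespace split, so quoted paths containing spaces break."""
    args = cmdline.split()
    i = 1
    while i < len(args):
        arg = args[i]
        if arg.upper() == "/L":
            i += 2
            continue
        if arg.startswith("/"):
            i += 1
            continue
        return arg.strip('"')
    return None

def is_suspicious_extrac32(event: dict) -> bool:
    """True when extrac32.exe runs with a source file whose extension is not .cab."""
    if event.get("event_type") != "processcreatewin":
        return False
    if ntpath.basename(event.get("proc_file_path", "")).lower() != "extrac32.exe":
        return False
    src = source_file(event.get("cmdline", ""))
    return src is not None and not src.lower().endswith(".cab")

def hunt(events: list) -> list:
    """Return the command lines of all events matching the hunt."""
    return [e["cmdline"] for e in events if is_suspicious_extrac32(e)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious:", hit)
```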
See you tomorrow!