212. A Curious Case of Masquerading

Hello everyone!

Masquerading (T1036) - a very common technique we see daily. Sometimes it's boring, sometimes it's not. But let's look at a curious case.

Kaspersky released a report on how adversaries abuse GitHub and social media to deliver Cobalt Strike Beacons. The threat actors distributed RAR archives with multiple files inside. The victim is expected to run an LNK file, which starts the infection chain by executing the following command:

%cd% /c echo F | xcopy /h /y %cd%\Требования\Требования %public%\Downloads\
& start %cd%\Требования
& ren %public%\Downloads\Company.pdf nau.exe
& ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll
& %public%\Downloads\nau.exe

And here we have a few detection opportunities. The first one - abusing xcopy to copy files to %PUBLIC%:

event_type: "processcreatewin"
AND
proc_file_path: "xcopy.exe"
AND
cmdline: "public"

The second - using ren to rename a PDF file into an EXE. Note that ren is a built-in command of cmd.exe, not a separate executable, so the rename is visible on the cmd.exe process creation event rather than on a "ren.exe" one:

event_type: "processcreatewin"
AND
proc_file_path: "cmd.exe"
AND
cmdline: (*ren* AND *pdf* AND *exe*)
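To show how the two rules behave on real-looking telemetry, here is an added Python example (not from the post or the report) that applies both rules to constructed process creation events: the LNK chain above with %public% expanded, plus two benign look-alikes. The event field names, the `cmd.exe` handling for the built-in `ren`, and the sample paths are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    # Field names mirror the post's queries (assumed telemetry schema).
    event_type: str
    proc_file_path: str
    cmdline: str


# Rule 1, as in the post: xcopy.exe with "public" anywhere on its command line.
XCOPY_TO_PUBLIC = re.compile(r"public", re.IGNORECASE)

# Rule 2: ren/rename is a cmd.exe built-in (there is no ren.exe), so the rename
# is only visible on the cmd.exe command line. Match a ren whose source ends in
# .pdf and whose destination ends in .exe within one '&'/'|'-separated segment.
REN_PDF_TO_EXE = re.compile(
    r"\b(?:ren|rename)\b[^&|]*\.pdf\b[^&|]*\.exe\b", re.IGNORECASE)


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcessEvent) -> list[str]:
    """Return the names of the post's rules that fire on a single event."""
    hits = []
    if ev.event_type != "processcreatewin":
        return hits
    image = _image_name(ev.proc_file_path)
    if image == "xcopy.exe" and XCOPY_TO_PUBLIC.search(ev.cmdline):
        hits.append("xcopy_to_public")
    if image == "cmd.exe" and REN_PDF_TO_EXE.search(ev.cmdline):
        hits.append("ren_pdf_to_exe")
    return hits


# Constructed sample telemetry: the LNK chain with %public% expanded, the
# xcopy child it spawns, and two benign events that must stay quiet.
PUB = r"C:\Users\Public\Downloads"
SAMPLE_EVENTS = [
    ProcessEvent("processcreatewin", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo F | xcopy /h /y C:\tmp\Требования\Требования "
                 + PUB + "\\ & start C:\\tmp\\Требования"
                 + " & ren " + PUB + r"\Company.pdf nau.exe"
                 + " & ren " + PUB + r"\Requirements.pdf BugSplatRc64.dll"
                 + " & " + PUB + r"\nau.exe"),
    ProcessEvent("processcreatewin", r"C:\Windows\System32\xcopy.exe",
                 r"xcopy /h /y C:\tmp\Требования\Требования " + PUB + "\\"),
    ProcessEvent("processcreatewin", r"C:\Windows\System32\xcopy.exe",
                 r"xcopy /y C:\data\report.docx D:\backup"),
    ProcessEvent("processcreatewin", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c ren C:\Users\bob\Documents\draft.pdf final.pdf"),
]


def run_detection(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Pair each event's command line with the rule names that fired."""
    return [(ev.cmdline, match_rules(ev)) for ev in events]
```

Only the first two constructed events fire (the cmd.exe chain on the rename rule, the xcopy child on the %PUBLIC% rule); a rename of a PDF to another PDF and an xcopy to a non-public path stay silent.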

See you tomorrow!
