266. Hunting for PteroGraphin

Hello everyone!

ESET released a report on potential collaboration of two notorious threat actors: Gamaredon and Turla. So let's look at some hunting opportunities.

According to the report, Turla leveraged Gamaredon's downloaders to deliver its own malware.

Gamaredon's downloaders, for example, PteroGraphin, are PowerShell-based and use telegra[.]ph for storing the payloads, so it enables us to hunt for similar behaviors:

event_type: "dnsreqwin"

AND

dns_rname: "telegra.ph"

AND

proc_file_name: "powershell.exe"

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access