267. Hunting for PteroEffigy

Hello everyone!

Let's keep digging into the report on Gamaredon and Turla collaboration. This time we'll look at another Gamaredon's malware - PteroEffigy.

PteroEffigy is another PowerShell-based downloader, and it also abuses a legitimate web service. But unlike PteroGraphin, it leverages api.gofile[.]io instead of telegra[.]ph.

Of course, we can convert this knowledge into a hunting query:

event_type: "dnsreqwin"

AND

dns_rname: "gofile.io"

AND

proc_file_name: "powershell.exe"

See you tomorrow!


Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access