Showing posts from March, 2026

378. Hunting for APT37: Zoho WorkDrive Abuse

Hello everyone! Today we'll talk about another legitimate service that attackers abuse, in this case APT37. And of course, we'll look at how to use this information for proactive threat hunting.

In one of APT37's fairly recent campaigns (we track this cluster as Squid Werewolf), they used the RESTLEAF implant, which abused Zoho WorkDrive, a cloud-based file management and collaboration platform.

From a proactive hunting perspective, we can identify all network communications related to Zoho WorkDrive and then separate out the legitimate events:

event_type: "dnsreqwin" AND dns_rname: "workdrive.zohoexternal.com"

See you soon!