Showing posts with the label Interlock Ransomware

204. Interlock Ransomware Gang Abuse AzCopy for Data Exfiltration

Hello everyone! Another legitimate tool abused by ransomware gangs - AzCopy. According to this cybersecurity advisory, the Interlock ransomware gang used the tool for data exfiltration. The tool allows the adversary to copy files from compromised systems to remote Azure storage. As the tool is legitimate, it's another great target for hunting, for example: event_type: "processcreatewin" AND proc_file_path: "azcopy.exe" Talking about Interlock, it's worth noting another tool in their arsenal we discussed earlier - Interlock RAT. See you tomorrow!

170. Hunting for Mocha Manakin

Hello everyone! Red Canary has colored another bird. This time the cluster is called Mocha Manakin. The adversary leverages the ClickFix technique to deliver a NodeJS-based backdoor named NodeInitRAT. Researchers note that this activity has overlaps with Interlock ransomware, so it's important to detect it as early as possible. They already shared a few detection opportunities you can use, but I also suggest hunting for suspicious events related to PowerShell spawning node.exe: event_type: "processcreatewin" AND proc_p_file_path: "powershell.exe" AND proc_file_path: "node.exe" See you tomorrow!
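As an added example (not code from the blog or from the advisories it cites), the two hunting queries from both posts above, AzCopy execution and PowerShell spawning node.exe, expressed as a small matcher and run over constructed process-creation events. Field names follow the posts' queries; the host names, paths and events are made up for the demonstration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample events (not real telemetry). Field names follow the
# hunting queries above: proc_file_path / proc_p_file_path / event_type.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Tools\AzCopy.exe",
     "proc_p_file_path": r"C:\Windows\System32\cmd.exe", "host": "ws01"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\nodejs\node.exe",
     "proc_p_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "host": "ws02"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\nodejs\node.exe",
     "proc_p_file_path": r"C:\Program Files\nodejs\npm.cmd", "host": "ws03"},  # benign dev use
    {"event_type": "filecreatewin", "proc_file_path": r"C:\Tools\azcopy.exe",
     "proc_p_file_path": r"C:\Windows\explorer.exe", "host": "ws04"},  # wrong event type
]

@dataclass(frozen=True)
class Rule:
    name: str
    event_type: str
    image: str                          # expected file name of the created process
    parent_image: Optional[str] = None  # expected file name of the parent, if any

# The two hunts from the posts, as structured rules.
RULES = [
    Rule("azcopy_execution", "processcreatewin", "azcopy.exe"),
    Rule("powershell_spawns_node", "processcreatewin", "node.exe", "powershell.exe"),
]

def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows path (sensors usually log the full path)."""
    return PureWindowsPath(path).name.lower()

def matches(rule: Rule, event: dict) -> bool:
    if event.get("event_type") != rule.event_type:
        return False
    if image_name(event.get("proc_file_path", "")) != rule.image:
        return False
    if rule.parent_image is None:
        return True
    return image_name(event.get("proc_p_file_path", "")) == rule.parent_image

def hunt(events, rules=RULES):
    """Return (rule name, host) pairs for every event that matches a rule.
    Matching on file name alone misses renamed binaries; pair this with
    hash or signer checks where the sensor provides them."""
    return [(r.name, e["host"]) for e in events for r in rules if matches(r, e)]

if __name__ == "__main__":
    for name, host in hunt(SAMPLE_EVENTS):
        print(f"{name}: {host}")
```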