Posts

Showing posts with the label masquerading

212. A Curious Case of Masquerading

Hello everyone! Masquerading (T1036) is a very common technique we see daily. Sometimes it's boring, sometimes it's not. But let's look at a curious case. Kaspersky released a report on how adversaries abuse GitHub and social media to deliver Cobalt Strike Beacons. The threat actors distributed RAR archives with multiple files inside. The victim is expected to run an LNK file to start the infection process. The following command is executed:

%cd% /c echo F | xcopy /h /y %cd%\Требования\Требования %public%\Downloads\ & start %cd%\Требования & ren %public%\Downloads\Company.pdf nau.exe & ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll & %public%\Downloads\nau.exe

And here we have a few detection opportunities. The first one is the abuse of xcopy to copy files to %PUBLIC%:

event_type: "processcreatewin" AND proc_file_path: "xcopy.exe" AND cmdline: "public"

The second is the use of ren to rename a PDF file into an EXE:

event_type: "proc...

140. Hunting for Masqueraded Malicious Files: Adwind

Hello everyone! Adversaries always try to masquerade malicious files so that they look absolutely legitimate. Today we'll look at an Adwind campaign, which was reported by CERT-AGID. The malicious JAR file was disguised to look like an image:

"C:\Users\Public\InvoiceXpress\bin\java.exe" -jar -noverify "C:\Users\Public\InvoiceXpress\bin\InvoiceXpress.png"

This makes the malicious file look legitimate, but at the same time it gives us detection opportunities! For example:

event_type: "processcreatewin" AND proc_file_name: "java.exe" AND cmdline: "png"

Of course, you can experiment with file extensions as well as with executables; for example, you can hunt for rundll32.exe and regsvr32.exe. See you tomorrow!