Blog

Detection Content: Bazar Loader

In late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus APT use TrickBot’s services, and malware authors not only improve well-known tools like the Anchor […]

Rule of the Week: VHD Ransomware Detection

Today we believe the Rule of the Week title deservedly goes to the exclusive Sigma rule developed by Osman Demir to enable detection of VHD ransomware: https://tdm.socprime.com/tdm/info/jxteY8ELY6Yd/BwSPn3MBPeJ4_8xcn22h/?p=1 The first attacks using this ransomware strain began in March 2020, and only recently have researchers linked them to the Lazarus APT. This was facilitated by […]

Threat Hunting Rules: Redaman RAT

Today, in the Threat Hunting Rules category, we are pleased to present a new rule developed by Ariel Millahuel, which detects Redaman RAT: https://tdm.socprime.com/tdm/info/gAF3sheoIG9y/qtkZmnMBQAH5UgbBy6do/?p=1 Redaman is a banking trojan distributed by phishing campaigns. It was first seen in 2015 and reported as the RTM banking Trojan; new versions of Redaman appeared in […]

Detection Content: MATA Multi-platform malware framework by Lazarus APT

Last week, researchers reported on the latest notorious Lazarus APT tool, which has been used in the group’s attacks since spring 2018. Their new ‘toy’ was named MATA; it is a modular cross-platform framework with several components, including a loader, an orchestrator, and multiple plugins, that can be used to infect Windows, Linux, and macOS systems. […]

Threat Hunting Rules: Golden Chickens MaaS

As you know, Malware-as-a-Service (MaaS) has already become a commonplace business, run on underground forums and black markets and offering an array of services. The first attacks using Golden Chickens MaaS began back in 2017, and the Cobalt group was among its first “clients”. The success of this project heavily relies on […]

Detection Content: RDAT Backdoor

Last week, researchers published details of attacks on Middle Eastern telecommunications providers carried out by APT34 (aka OilRig and Helix Kitten), along with updated tools in this group’s arsenal. Of course, participants in the Threat Bounty Program did not stand aside and published a couple of rules for detecting the RDAT Backdoor, but more […]

Threat Hunting Content: Emotet Returns Once Again

For never was a story of more woe than this of Emotet returning once again. This time, there were no full-scale campaigns for about seven months, although isolated cases of infection were recorded and researchers found documents distributing this malware. The attacks resumed last Friday, with the botnet sending about 250,000 emails in a matter […]

Rule of the Week: Unauthenticated File Read in Cisco ASA & Cisco Firepower

Again, we depart from the usual publication schedule due to the emergence of an exploit for the critical vulnerability CVE-2020-3452 in Cisco ASA & Cisco Firepower, as well as the emergence of rules for detecting exploitation of this vulnerability. CVE-2020-3452 was discovered late last year, but it wasn’t disclosed until last week, when Cisco released an […]

Detection Content: Formbook Dropped Through Fake PDF (Sysmon Behavior)

The Covid-19 outbreak has revealed a number of blind spots in cybersecurity. We do our best to keep you in the picture on the latest trends through our Weekly Talks, webinars, and relevant content digests. However, human curiosity amid the flood of information may be a weak spot. FormBook, the infostealer known since 2016, has been […]

Threat Hunting Content: DNS.exe Crashing (Possible CVE-2020-1350 detection)

July turned out to be fruitful for disclosed critical vulnerabilities: CVE-2020-5902 (F5 BIG-IP), CVE-2020-8193 (Citrix ADC / Netscaler), CVE-2020-2034 (Palo Alto PAN-OS), CVE-2020-6287 (SAP Netweaver), CVE-2020-3330 (Cisco VPN / Firewalls), and CVE-2020-1350 (aka SIGRed, the vulnerability in Microsoft Windows DNS Server). Last week, Threat Bounty Program contributors and the SOC Prime team published a series […]
