Detection Content: COVID-19 Related Attack at Medical Suppliers

New Sigma rule by Osman Demir helps to detect COVID-19 related phishing attacks targeted at medical suppliers. https://tdm.socprime.com/tdm/info/IkntTJirsLUZ/uowd33EB1-hfOQirsQZO/

The campaign became known at the end of last week, and researchers believe that it is associated with 419 scammers who exploit the COVID-19 pandemic for Business Email Compromise attacks. Adversaries send highly targeted phishing emails with malicious MS Word documents inquiring about various materials needed to address the COVID-19 pandemic. The document exploits the old but still effective CVE-2017-11882 vulnerability to deliver the Agent Tesla infostealer. Agent Tesla is a modular .NET-based malware that steals data from various applications as well as WiFi credentials; this commercial malware is one of the favorite tools of BEC scammers.
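As an added illustration of the detection side (example code written for this page, not the Sigma rule by Osman Demir or any SOC Prime content), the toy Sigma-style matcher below is run over constructed Sysmon process-creation records. It keys on EQNEDT32.EXE, the Equation Editor binary that CVE-2017-11882 affects, which the page itself does not name; the rule, field names and sample events are assumptions made for the example.

```python
"""Minimal Sigma-style matcher run over constructed Sysmon Event ID 1 records.
Constructed example (not the SOC Prime rule): a benign Equation Editor (EQNEDT32.EXE,
the component CVE-2017-11882 affects) never spawns children, so any child is a signal.
"""

# Hypothetical Sigma-like rule using 'endswith' modifiers on process-creation fields.
RULE = {
    "title": "Child process of Equation Editor (CVE-2017-11882 style)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"ParentImage|endswith": "\\eqnedt32.exe"},
        "filter": {"Image|endswith": "\\eqnedt32.exe"},  # ignore Equation Editor re-spawning itself
        "condition": "selection and not filter",
    },
}

def _field_matches(record: dict, key: str, expected: str) -> bool:
    """Evaluate one 'Field|modifier' clause against a record, case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(record.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected  # no modifier: exact match

def _block_matches(record: dict, block: dict) -> bool:
    return all(_field_matches(record, k, v) for k, v in block.items())

def matches(record: dict, rule: dict = RULE) -> bool:
    """Supports only the 'selection and not filter' condition shape used above."""
    det = rule["detection"]
    return _block_matches(record, det["selection"]) and not _block_matches(record, det["filter"])

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
EQNEDT = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": EQNEDT},
    {"ParentImage": EQNEDT, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"},
]

def alerts(events=EVENTS) -> list:
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if matches(e)]

if __name__ == "__main__":
    print(alerts())  # → ['C:\\Windows\\System32\\cmd.exe']
```

The legitimate Word-launches-Equation-Editor event is not flagged; only the child spawned by EQNEDT32.EXE is, which is the behaviour an exploit document produces.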

Osman Demir published his first content in late November 2019, and he now has 100+ published rules, including content addressing Wanted List requests. Interview with Osman Demir: https://socprime.com/blog/interview-with-developer-osman-demir/


Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint


MITRE ATT&CK:

Tactics: Initial Access

Technique: Spearphishing Attachment (T1193)


Other rules related to this campaign:

AgentTesla RAT Detection rule by Emir Erdogan – https://tdm.socprime.com/tdm/info/bwpRaR1KCq8h/2gPEG3EB61gt8vwY-DXY/

Powershell Obfuscation By AgentTesla rule by Emir Erdogan – https://tdm.socprime.com/tdm/info/lZkiLjSHfmwQ/PYvnXnEB1-hfOQirOqxi/

Agent Tesla behavior (Sysmon and Powershell detection) by Ariel Millahuel – https://tdm.socprime.com/tdm/info/AgFv1HqhtfgQ/J7Fa43ABqweaiPYIihcd/  

Steal Wifi Passwords (using upgraded agent tesla) by Osman Demir – https://tdm.socprime.com/tdm/info/PsBE0K0CXzlB/KCHzlnEBjwDfaYjKDxpo/

CVE-2017-11882 Exploitation by Florian Roth – https://tdm.socprime.com/tdm/info/KUZsK6Fq4Rzi/Bc2JDmsBohFCZEpapqaa/

Exploitation of CVE-2017-11882 (possible APT27 attack) by Emir Erdogan – https://tdm.socprime.com/tdm/info/243LAdCcDV9W/FMVH-W4BUORkfSQh6bqx/