Detection Content: GoldenHelper Behavior

July 17, 2020 · 2 min read

This week we will not highlight any rule in the “Rule of the Week” section, because the hottest rules have already been published in yesterday’s special digest dedicated to the rules that detect exploitation of a critical vulnerability in Windows DNS Servers, CVE-2020-1350 (aka SIGRed).

Today’s publication is dedicated to the detection of GoldenHelper malware that was embedded in official software. Adversaries hid the malware in the Golden Tax Invoicing Software (Baiwang Edition), required by Chinese banks for payment of VAT taxes. GoldenHelper malware utilizes sophisticated techniques to hide its delivery, presence, and activity. Some of the interesting techniques GoldenHelper uses include randomization of its file name while in transit, randomization of its file system location, timestomping, IP-based DGA (Domain Generation Algorithm), UAC bypass, and privilege escalation. Discovered versions of GoldenHelper were digitally signed by NouNou Technologies and designed to drop a final payload. Researchers believe that the campaign to distribute this malware has already ended, but attackers can still use the final payload installed on compromised systems, so it is recommended to check the logs for traces of GoldenHelper malware. Ariel Millahuel’s new rule is designed to find not only traces of GoldenHelper malware but also the final payload it installs: https://tdm.socprime.com/tdm/info/mPVslo9HzEDd/RrAXV3MBQAH5UgbBJ2aR/

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK:

Tactics: Defense Evasion

Techniques: Modify Registry (T1112)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
