Detection Content: GoldenHelper Behavior

This week we will not highlight any rule in the “Rule of the Week” section, because the hottest rules have already been published in yesterday’s special digest dedicated to the rules that detect exploitation of a critical vulnerability in Windows DNS Servers, CVE-2020-1350 (aka SIGRed).

Today’s publication is dedicated to the detection of GoldenHelper malware that was embedded in official software. Adversaries hid the malware in the Golden Tax Invoicing Software (Baiwang Edition), required by Chinese banks for payment of VAT taxes. GoldenHelper uses sophisticated techniques to hide its delivery, presence, and activity. Among the more notable are randomization of its file name while in transit, randomization of its file system location, timestomping, an IP-based DGA (Domain Generation Algorithm), UAC bypass, and privilege escalation. The discovered versions of GoldenHelper were digitally signed by NouNou Technologies and designed to drop a final payload. Researchers believe that the campaign distributing this malware has already ended, but attackers can still use the final payload installed on compromised systems, so it is recommended to check the logs for traces of GoldenHelper. Ariel Millahuel’s new rule is designed to find not only traces of GoldenHelper malware but also the final payload it installed: https://tdm.socprime.com/tdm/info/mPVslo9HzEDd/RrAXV3MBQAH5UgbBJ2aR/

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK:

Tactics: Defense Evasion

Techniques: Modify Registry (T1112)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.