Detection Content: Himera Loader

Today’s post is dedicated to the Himera loader malware that adversaries have been using in COVID-19 related phishing campaigns since last month. Cybercriminals continue to exploit Family and Medical Leave Act requests related to the ongoing COVID-19 pandemic as a lure, as this theme has already proven its effectiveness in distributing Trickbot and the Kpot info stealer.

In recent campaigns, emails were weaponized with two universal cyber-criminal tools: Himera and Absent-Loader. This week Osman Demir released a community threat hunting rule to detect Himera loader samples related to these campaigns: https://tdm.socprime.com/tdm/info/xiOqL9btiBMi/pOZfdXIBv8lhbg_imf_P/?p=1

In this campaign, adversaries don’t leverage any type of macro or exploit in the malicious document; instead, the document contains the entire executable as an embedded object. Himera loader specializes in loading the next-stage malware code onto the victim’s machine. It performs some classic anti-analysis tricks using the Windows API to avoid revealing the primary payload to researchers and to keep the campaign secret for longer.
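Because this campaign relies on an executable embedded as an OLE object rather than on macros, a useful triage check on the mail gateway or in a sandbox pre-filter is to look inside the document's embedded-object parts for a PE image. The following is an added example written for this post; it is not the rule referenced above nor code from SOC Prime or Osman Demir. It assumes the lure arrives as an Office Open XML document (.docx), where embedded OLE packages are stored as entries under `word/embeddings/`, and it scans each such entry for an MZ header whose `e_lfanew` field points at a valid `PE\0\0` signature. The sample document and the fake PE stub are constructed in memory, not taken from a real Himera sample.

```python
"""Triage check for .docx files carrying an executable as an embedded OLE object.

Added example, not part of the original post. The document and the PE stub
below are constructed for the demonstration.
"""
import io
import re
import struct
import zipfile


def looks_like_pe(data: bytes) -> bool:
    """Return True if `data` contains a DOS stub whose e_lfanew points to a PE header.

    Scanning for every "MZ" (rather than only at offset 0) matters because the
    Ole10Native stream wraps the embedded file in a small header before the
    raw file bytes.
    """
    for m in re.finditer(b"MZ", data):
        start = m.start()
        if start + 0x40 > len(data):          # no room for a full DOS header
            break
        e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]
        pe_off = start + e_lfanew
        # A sane e_lfanew is small and positive; require the PE signature there.
        if 0 < e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
            return True
    return False


def find_embedded_executables(docx_bytes: bytes) -> list:
    """List the embedded-object parts of a .docx that look like PE files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                if looks_like_pe(z.read(name)):
                    findings.append(name)
    return findings


def build_fake_pe() -> bytes:
    """Constructed, non-executable PE-shaped blob: MZ header, e_lfanew=0x80, PE sig."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> offset of "PE\0\0"
    return bytes(hdr) + b"PE\0\0" + b"\0" * 64


def build_sample_docx(with_exe: bool) -> bytes:
    """Constructed minimal .docx; optionally with an OLE-package-like embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_exe:
            # Constructed stand-in for an Ole10Native wrapper: a few header
            # bytes, then the raw embedded file.
            wrapper = b"\x00" * 6 + b"Request.exe\x00" + build_fake_pe()
            z.writestr("word/embeddings/oleObject1.bin", wrapper)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("lure", build_sample_docx(True)),
                       ("clean", build_sample_docx(False))):
        print(label, "->", find_embedded_executables(doc))
```

The MZ/PE scan works because the OLE package stream keeps the embedded file bytes uncompressed; it is a fast pre-filter, not a replacement for full OLE parsing (for example with oletools' `oleobj`), and any PE found inside an FMLA-themed attachment is itself worth an alert regardless of whether the sample is Himera.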

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution

Techniques: User Execution (T1204)