Rule Digest: Emotet, Ransomware, and Trojans

Hello everyone, we are back with five fresh rules submitted this week by participants of the Threat Bounty Program. You can check our previous digests here, and if you have any questions, then welcome to the chat.

Pykspa worm-like malware can install itself to maintain persistence, listen to incoming port for additional commands, and drop additional malicious tools on the system. The malware creates files in alternative data streams and may be able to perform recon operations such as reading clipboard data and keyboards keys pressed. Pykspa also contains evasive mechanisms such as cursor move detection and can disable Windows Defender. Community threat hunting rule by Ariel Millahuel enables your security solution to find this threat: https://tdm.socprime.com/tdm/info/rcY5qc7SEawT/_grReXIBAq_xcQY4Z2Yi/?p=1


The following rule presented is also from Ariel. It allows your security solution to detect Brontok Trojan, which does not have any high-profile analyzes or discovered connections with any well-known cybercrime group so far. The malicious software appeared for the first time last year, and the latest sample appeared in any.run this week. Despite the lack of media attention, Brontok Trojan is actively developed and used in the wild: https://tdm.socprime.com/tdm/info/Hz9ZYxXcZO7V/PYzOeXIB1-hfOQirXnPb/?p=1

The following rule by Osman Demir helps to detect the still unnamed banking Trojan that was created to impact users of a particular banking organizations in Portugal and Brazil. The URL of the initial installer was initially collected from the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting only Portuguese citizens. The Trojan has a strong AntiVM mechanism and a feature to “disinfect” the device (after a command probably received from C2). It can detect SO version, grab security programs that are running (AVs, etc), kill the Trojan itself from the running processes, check which browser is running, and create overlay windows to collect banking details and send them to the C2 server. Check the rule here: https://tdm.socprime.com/tdm/info/2PkMG33DPVZY/MozLeXIB1-hfOQirPHO6/?p=1


Emotet malware is one of the most serious threats to business, and we can never have too many rules for detecting it. Another threat hunting rule by Emir Erdogan allows your solution to detect this threat at an early stage of attack and helps identify compromised systems before Emotet delivers the next stage payload: https://tdm.socprime.com/tdm/info/ZVzZLqsN5xom/OIzMeXIB1-hfOQir2HP6/?p=1

We want to believe that the creators of the Emotet botnet will not ignore the summer vacation this year. For more rules for detecting Emotet malware, check the Threat Detection Marketplace.

The last rule in our collection was also published by Emir Erdogan. It detects Lock Screen ransomware which has been making a comeback after ransomware authors stopped using this form of malicious software for some time: https://tdm.socprime.com/tdm/info/EjBcNQcv2luc/sYxrdHIB1-hfOQirym9A/?p=1

Considering that a lock screen ransomware locks away your operating system instead of just a few choice files like most ransomware do makes lock screen ransomware more troublesome. The good news is that the operators of this ransomware are not stealing data to put pressure on their victims.

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Collection, Defense Evasion, Persistence, Privilege Escalation, Credential Access, Execution, Initial Access

Techniques: 

Email Collection (T1114), File Deletion (T1107), Hooking (T1179), Modify Registry (T1112), Process Injection (T1055), Command-Line Interface (T1059), Obfuscated Files or Information (T1406), PowerShell (T1086), Spearphishing Attachment (T1193), Spearphishing Link (T1192), Service Execution (T1035)

Wait for the next digest in a week.

PS

Don’t miss Weekly Talks on Breaking News in Cybersecurity: https://my.socprime.com/en/weekly-talks/

Tune in to the weekly talks of the SOC Prime Team hosted by Andrii Bezverkhyi together with our Solutions Architect, Nate Guagenti, and Adam Swan, Senior Threat Hunting Engineer. We are going to discuss practical tips and tricks on how to tackle modern cyber threats associated with the latest TTPs, APT activities, and remote workforce security challenges. Feel like chatting? You can come up with your questions through the live chat during these sessions. 

Stay safe!