Rule Digest: Trojans and Ransomware
In today’s digest, we want to highlight the content provided by members of the Threat Bounty Program that will help security solutions to detect Saefko RAT, Ursa trojan, and a pack of actively spreading ransomware strains.
The Saefko RAT is a relatively fresh remote-access trojan written in .NET that was first spotted in the midst of 2019. The Saefko RAT creates a startup key to execute the malware at login achieving persistence on the infected system. It then fetches the chrome browser history looking for specific types of activities like credit cards, business, social media, gaming, cryptocurrency, and shopping. After that, the trojan sends the collected data to its C&C server and receives further instructions to provide system information. Saefko RAT collects a range of data including screenshot, videos, keystroke logs, and it is also capable of downloading additional payload onto the compromised machine. This threat can be detected using the rule submitted by Ariel Millahuel: https://tdm.socprime.com/tdm/info/pzThUunC2GRh/h6ULBXMBPeJ4_8xcW1GX/?p=1
Next, we want to consider another rule from Ariel that helps to detect the Ursa trojan, the last sample of which was discovered last week. The malware was spread under the guise of a fake Adobe Flash installer and during installation runs msiexec.exe and WScript.exe to run a malicious VBS script installing Ursa trojan. You can find community threat hunting rule here: https://tdm.socprime.com/tdm/info/asMDB1Q6aq2d/0KUIBXMBPeJ4_8xcSk9v/?p=1
Now, we move on to ransomware detection content. Osman Demir posted a rule last week to spot Zeppelin ransomware, a new variant of Buran ransomware family. The Buran ransomware emerged in early May 2019 and continues to proliferate until now. In a matter of just 9 months, this ransomware released over 5 updates by changing its code and attack vectors in order to stay stealthy and cause more damage. Zeppelin ransomware was first spotted in late 2019, it reaches organizations’ networks primarily through phishing emails. These emails contain macro-enabled documents that will initiate the download and execution of the ransomware file on the victim’s machine. Moreover, other Zeppelin samples were also distributed through malvertising designed to trick its victims into clicking fake advertisements which will trigger the download of the malicious file. Lastly, Zeppelin, like other ransomware, utilizes the use of public remote desktop software via web interfaces to remotely control a victim’s machine and execute the ransomware. Community rule is available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/Ovf0s4ss56b6/KoD_CXMBQAH5UgbBxfdB/?p=1
The following rule released by Emir Erdogan will help you discover the behavior of MedusaLocker ransomware with the unique for ransomware families evasion techniques. MedusaLocker was first spotted in September 2019, and adversaries use a batch file to evade detection. The malicious batch file that came with the ransomware payload contains a command that edits the Windows registry to remove Windows Defender when the computer is booted into safe mode without networking enabled (Minimal mode). Then it adds MedusaLocker as a service and configures it to run on every boot into safe mode Minimal. After setting up the safe mode environment to where it can run without interference. The batch files configure the next bootup of the computer to run in safe mode Minimal and reboots the computer silently. Ransomware Behaviour Analysis (MedusaLocker) rule is here: https://tdm.socprime.com/tdm/info/Z1vqspJZLMJn/D335CXMBSh4W_EKGZcUP/?p=1
In conclusion, we present to you another rule released by Emir that detects Hidden Tear ransomware. This IOC Sigma is based on malware samples discovered this week. Hidden Tear ransomware is not a new threat, and the content for its detection has already been published in one of our past digests. This open-source ransomware remains dangerous even five years after its code appeared on the GitHub repository, and new versions of Hidden Tear continue to be actively used in the wild. You can download the detection content for your security solution at the following link: https://tdm.socprime.com/tdm/info/J9TxSVXj3U1d/pKj2CXMBPeJ4_8xc9Fxr/?p=1
The rules have translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio,
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
MITRE ATT&CK:
Tactics: Execution, Persistence, Defense Evasion, Lateral Movement, Command and Control, Impact.
Techniques: Modify Registry (T1112), Registry Run Keys / Startup Folder (T1060), Command-Line Interface (T1059), Rundll32 (T1085), Data Encrypted for Impact (T1486), Disabling Security Tools (T1089), Inhibit System Recovery (T1490), Remote File Copy (T1105)
Wait for the next digest in a week.
Stay safe!