Threat Hunting Content: Devil Shadow Botnet

During the lockdown, many organizations continue to use Zoom at the corporate level for conference meetings, despite the security issues found in the application. Attackers have been exploiting its increased popularity for several months, and you can partially protect your organization by hardening the Zoom service. But this will not completely solve the problem, since cybercriminals can send users links to malware instead of the Zoom installer, and now they hide malware in fake installers that run the legitimate Zoom installer to avoid suspicion. Such installers are larger and run slower than the legitimate file, but the ordinary user will probably not notice. This is how attackers are now distributing the Devil Shadow Botnet.

Using this botnet, cybercriminals can spy on victims via webcam, take screenshots, and use a keylogger module to collect credentials and other sensitive information for the next steps of the attack.
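The distribution trick described above (a fake installer that drops and launches the real Zoom installer) leaves a visible trace in process-creation telemetry: an installer-named image whose parent is itself an installer-named image. The following is an added illustration of that detection idea, not one of the Threat Bounty rules and not SOC Prime code; it assumes Sysmon Event ID 1 style records with `Image` and `ParentImage` fields and uses constructed sample events.

```python
"""Flag a Zoom-installer-named process launched by another Zoom-installer-named
process, the nesting produced when a fake installer runs the legitimate one.
Added example with constructed events; not the published Sigma rules."""
import re

# Hypothetical name pattern for Zoom installer images (e.g. ZoomInstaller.exe,
# ZoomInstallerFull.exe). Tune to the installer names seen in your estate.
ZOOM_INSTALLER = re.compile(r"zoom.*install.*\.exe$", re.I)


def basename(path: str) -> str:
    """Return the file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_zoom_installer(path: str) -> bool:
    """True if the image name looks like a Zoom installer."""
    return bool(ZOOM_INSTALLER.search(basename(path)))


def find_nested_installers(events):
    """Return events where both the image and its parent look like Zoom installers.

    Caveat: the genuine installer may also spawn helper processes, so baseline
    the children of the signed Zoom installer and exclude them before alerting
    on this pattern in production.
    """
    return [ev for ev in events
            if is_zoom_installer(ev["Image"]) and is_zoom_installer(ev["ParentImage"])]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal case: the installer downloaded and run from the browser.
    {"Image": r"C:\Users\alice\Downloads\ZoomInstaller.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # Suspicious case: an installer-named file launches a second installer.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ZoomInstaller.exe",
     "ParentImage": r"C:\Users\alice\Downloads\ZoomInstaller.exe"},
    # The Zoom client itself starting after installation; not an installer.
    {"Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\ZoomInstaller.exe"},
]

if __name__ == "__main__":
    for hit in find_nested_installers(SAMPLE_EVENTS):
        print("nested installer launch:", hit["ParentImage"], "->", hit["Image"])
```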

Participants in the SOC Prime Threat Bounty Program quickly responded to this threat and published two community Sigma rules to uncover traces of the Devil Shadow Botnet. The rules take different approaches and cover different MITRE ATT&CK techniques.

Fake ZOOM Installer.exe (Devil Shadow Botnet) by Emir Erdogan: https://tdm.socprime.com/tdm/info/UPInonyraJtb/kubvWnIBv8lhbg_iDO5q/

Devil Shadow Botnet Hidden in Fake Zoom Installers by Osman Demir: https://tdm.socprime.com/tdm/info/q4ibRAYze5tg/aubhWnIBv8lhbg_icO7O/?p=1

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Privilege Escalation, Credential Access, Persistence, Defense Evasion, Command and Control

Techniques: User Execution (T1204), Hooking (T1179), Kernel Modules and Extensions (T1215), Process Injection (T1055), Software Packing (T1045), Uncommonly Used Port (T1065)

More rules to detect Zoom-related attacks: https://tdm.socprime.com/?searchValue=zoom