Threat Hunting Content: SamoRAT Behavior

Today in the Threat Hunting Content section, we want to pay attention to the community rule released in Threat Detection Marketplace by Ariel Millahuel that detects fresh samples of SamoRAT malware: https://tdm.socprime.com/tdm/info/38LTISI1kgNm/w6aTR3MBQAH5UgbBM9Gi/?p=1

This remote access trojan appeared on the radars of researchers recently, the first SamoRAT samples were discovered about a month ago. The trojan is a .NET-based malware which is mainly used by cybercriminals to receive and execute different commands on the infected system. Like other remote access trojans, it is also capable of downloading and executing other malware and tools used by adversaries.

SamoRAT employs the use of anti-analysis check for detecting when it is being analyzed by AV systems, allowing it to change its behavior so that no alarms are triggered by the antivirus software. The trojan has the functionality to stop the Windows Defender process and disable its features by editing registries to avoid detection in run-time.  It also capable of running PowerShell commands to disable Windows Defender’s additional features. SamoRAT achieves persistence via scheduled tasks or modification of Windows registries (depending on administrator privileges for running at start-up). After gaining a foothold, the malware registers itself to the command-and-control server by sending a POST request and then makes one more POST request to the same address indicating that it is ready to receive commands. 

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

 

MITRE ATT&CK:

Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.