Taurus information-stealing malware is a relatively new tool created by Predator The Thief team that promotes it on hacker forums. The infostealer can steal sensitive data from browsers, cryptocurrency wallets, FTP, email clients, and various apps. The malware is highly evasive and includes techniques to evade sandbox detection. Adversaries developed a dashboard where their customers can keep an eye on the infection counts according to geolocations. This dashboard also provides the attacker with the ability to customize the configuration of Taurus.

An inexpensive and effective tool has not gone unnoticed by cybercriminals, and since the beginning of June, researchers have been tracking malicious campaigns distributing Taurus Infostealer. Adversaries send spam emails with a document in attachment containing malicious macro code to download further payloads. If the user enables macro, an AutoOpen() subroutine is called, which will run the malicious VBA macro executing a PowerShell script via BitsTransfer to download three different files from the Github site and save them in a Temp folder with predefined names. 

Exclusive threat hunting Sigma rule by Osman Demir enables security solutions to spot Taurus malware during its installation process: https://tdm.socprime.com/tdm/info/SCpXVANx2z2W/1HoNBXMBSh4W_EKGWceZ/?p=1


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Carbon Black, Elastic Endpoint



Tactics: Defense Evasion, Execution

Techniques: PowerShell (T1086), Scripting (T1064)

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts