Threat Hunting Content: Taurus Stealer Detection

Taurus information-stealing malware is a relatively new tool created by Predator The Thief team that promotes it on hacker forums. The infostealer can steal sensitive data from browsers, cryptocurrency wallets, FTP, email clients, and various apps. The malware is highly evasive and includes techniques to evade sandbox detection. Adversaries developed a dashboard where their customers can keep an eye on the infection counts according to geolocations. This dashboard also provides the attacker with the ability to customize the configuration of Taurus.

An inexpensive and effective tool has not gone unnoticed by cybercriminals, and since the beginning of June, researchers have been tracking malicious campaigns distributing Taurus Infostealer. Adversaries send spam emails with a document in attachment containing malicious macro code to download further payloads. If the user enables macro, an AutoOpen() subroutine is called, which will run the malicious VBA macro executing a PowerShell script via BitsTransfer to download three different files from the Github site and save them in a Temp folder with predefined names. 

Exclusive threat hunting Sigma rule by Osman Demir enables security solutions to spot Taurus malware during its installation process: https://tdm.socprime.com/tdm/info/SCpXVANx2z2W/1HoNBXMBSh4W_EKGWceZ/?p=1

 

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Carbon Black, Elastic Endpoint

 

MITRE ATT&CK: 

Tactics: Defense Evasion, Execution

Techniques: PowerShell (T1086), Scripting (T1064)