Threat Hunting Rules: Golden Chickens MaaS

As you know, Malware-as-a-Service (MaaS) is a business that has already become commonplace and runs on the underground forums and black markets offering an array of services. The first attacks using Golden Chickens MaaS began back in 2017, and the Cobalt group was among their first “clients”. The success of this project heavily relies on specific tools and services, which provide customers with the malware and the infrastructure they need for targeted attacks. 

This spring, malware authors once again improved TerraLoader, VenomLNK, and more_eggs, and several threat actors have already taken advantage of the updated functionality. TerraLoader is a multipurpose loader written in PureBasic, its new variant uses different string de/obfuscation, brute-forcing implementation, and anti-analysis techniques. VenomLNK is a Windows shortcut file likely generated by a newer version of the VenomKit building kit. Now it uses a new volume serial number, an evolved execution scheme, and only the local path to the Windows command prompt. And more_eggs backdoor now includes a minimum delay before executing or retrying an action, and cleans up memory after using it.

New community threat hunting Sigma by Osman Demir helps to detect the updated tools which are part of Golden Chickens MaaS: https://tdm.socprime.com/tdm/info/9qsYmDO3UnAK/8tPCj3MBQAH5UgbBiEhf/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution, Defense Evasion, Persistence, Privilege Escalation

Techniques: Regsvr32 (T1117), Scheduled Task (T1053), User Execution (T1204)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.