Threat Hunting Rules: PurpleWave Infostealer

Another infostealer with backdoor functions was discovered in late July. Its authors advertise it on Russian cybercrime forums and sell various modifications of the tool at an affordable price. The new infostealer is written in C++ and was dubbed PurpleWave by its authors.

The malware can perform a number of malicious actions of the attacker's choosing on the compromised system. The infostealer's primary function is stealing passwords, cookies, payment card data, autofill data, and browser history. PurpleWave can also collect files from a specified path, take screenshots, gather and exfiltrate system information, and steal Telegram session files, Steam application data, and cryptocurrency wallet data. Its backdoor functions include downloading and executing additional modules and malware. It is currently unknown which modules this malware has, but it is in an early stage of development, and its authors will most likely add both new functions and additional capabilities for stealthy operation.

A community threat hunting rule developed by Osman Demir helps detect PurpleWave Infostealer at an early stage, before damage is done: https://tdm.socprime.com/tdm/info/84bcA1lMKHRR/mUcnC3QBPeJ4_8xc-nqY/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint


MITRE ATT&CK: 

Tactics: Command and Control, Credential Access

Techniques: Credentials from Web Browsers (T1503), Standard Application Layer Protocol (T1071), Steal Web Session Cookie (T1539)


Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.