Tag: Ariel Millahuel

Execution Tactic | TA0002
Execution Tactic | TA0002

Overview and Analysis, Top Data Sources, and Relevant Sigma Rules to Detect Execution SOC Prime’s Detection as Code platform provides access to a constantly growing library of 180,000+ context-enriched detection and response algorithms aligned with the MITRE ATT&CK® framework v.10. The newly released On Demand subscription tiers for SOC Prime’s platform provide curated Sigma rules […]

Read More
PyVil RAT by Evilnum Group
PyVil RAT by Evilnum Group

The Evilnum group operations were first discovered in 2018. The group is highly focused on attacks on large financial technology organizations, especially on investment platforms and cryptocurrency-related companies. Most of their targets are located in Europe and the United Kingdom, but the group also carried out separate attacks on organizations in Canada and Australia. Researchers […]

Read More
JSOutProx RAT
JSOutProx RAT

Last year, India was named the most cyber-attacked country. Critical infrastructures in oil and gas industries, and defence, banking, and manufacturing sectors are listed as the most common targets.  In April 2020, the governmental establishments and a number of banks in India were targeted by email campaigns delivering a malicious JavaScript and Java-based backdoor which […]

Read More
Transparent Tribe APT
Transparent Tribe APT

Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a cyber espionage unit that is linked to the Pakistani government and has been active since at least 2013. The group has been quite active in the last four years targeting primarily Indian military and government personnel, but during the last year, they attacked more and more […]

Read More
BLINDINGCAN RAT
BLINDINGCAN RAT

Late last week, Ariel Millahuel released community threat hunting rule to detect BLINDINGCAN Remote Access Trojan that is used by North Korean state-sponsored hackers: https://tdm.socprime.com/tdm/info/pi0B7x1SzQlU/FiBkEHQBSh4W_EKGcibk/?p=1 The rule is based on a malware analysis report recently published by CISA experts. Threat actor used BLINDINGCAN RAT in a cyberespionage campaign primarily targeted at the US defense and […]

Read More
Detection Content: Drovorub Malware
Detection Content: Drovorub Malware

Last week, the FBI and NSA released a joint security alert containing details about Drovorub malware, a new utility in APT28’s hands. This is a Linux malware that is used to deploy backdoors in compromised networks. The malware is a multi-component system that consists of a kernel module rootkit, an implant, a C&C server, a […]

Read More
Threat Hunting Rules: Gamaredon Group Behavior
Threat Hunting Rules: Gamaredon Group Behavior

The Gamaredon group appeared in 2013 and at first, did not use custom malware, but over time developed a number of cyber espionage tools, including Pterodo and EvilGnome malware. In recent months, the group has been actively sending phishing emails with documents containing malicious macros that download a multitude of different malware variants. The Gamaredon […]

Read More
IOC Sigma: Mock Folders Creation
IOC Sigma: Mock Folders Creation

Today we want to pay attention to the community IOC Sigma rule submitted by Ariel Millahuel to detect the creation of mock directories that can be used to bypass User Account Control (UAC): https://tdm.socprime.com/tdm/info/KB1bISN0mbzm/Hua9s3MBSh4W_EKGTlO2/?p=1 A mock folder is a specific imitation of a Windows folder with a trailing space in its name, and the security […]

Read More
Detection Content: Bazar Loader
Detection Content: Bazar Loader

This fall has brought another challenge to the guardians of corporate infrastructures. Earlier this year, in late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus […]

Read More
Threat Hunting Rules: Redaman RAT
Threat Hunting Rules: Redaman RAT

Today, in the Threat Hunting Rules category, we are pleased to present you a new rule developed by Ariel Millahuel, which detects Redaman RAT: https://tdm.socprime.com/tdm/info/gAF3sheoIG9y/qtkZmnMBQAH5UgbBy6do/?p=1 Redaman is a form of banking trojans distributed by phishing campaigns. It was first seen in 2015 and reported as the RTM banking Trojan, new versions of Redaman appeared in […]

Read More