Tag: Emir Erdogan

Rule of the Week: Qbot Trojan Detection

And again, we want to highlight the content for detecting QBot malware in the Rule of the Week section. About a month ago, a simple but effective rule from Emir Erdogan was already published in this section. But the twelve-year-old Trojan continues to evolve, and just a couple of days ago, fresh samples of this […]

Read More
Rule Digest: Emotet, Ransomware, and Trojans

Hello everyone, we are back with five fresh rules submitted this week by participants of the Threat Bounty Program. You can check our previous digests here, and if you have any questions, then welcome to the chat. Pykspa worm-like malware can install itself to maintain persistence, listen to incoming port for additional commands, and drop […]

Read More
Threat Hunting Content: AsyncRat Detection

Today, under the Threat Hunting Content column, we are heightening your interest in AsyncRAT Detection (Sysmon Behavior) community rule by Emir Erdogan. The rule enables the detection of AsyncRat by using sysmon logs. According to the author of the project on GitHub, AsyncRat is a Remote Access Tool designed to remotely monitor and control other […]

Read More
Threat Hunting Content: Devil Shadow Botnet

Nowadays, during the lockdown, many organizations continue to use Zoom at the corporate level to conduct conference meetings, despite the security issues found in this application. Attackers have been exploiting the increased popularity of this application for several months, and you can partially protect your organization from attacks by hardening Zoom service. But this will […]

Read More
IOC Sigma: GreenBug APT Group Activities

Greenbug APT is an Iranian-based cyber-espionage unit that has been active since at least June 2016. The group most likely uses spear-phishing attacks to compromise targeted organizations. Adversaries use multiple tools to compromise other systems on the network after an initial compromise, and steal user names and passwords from operating systems, email accounts, and web […]

Read More
Detection Content: Malspam Downloads Zloader Malware

Zloader Trojan (also known as Zeus Sphinx and Terdot) was initially spotted in August 2015. It is based on the Zeus v2 Trojan’s leaked source code and cybercriminals used it in attacks on financial organizations across the globe collecting sensitive data via web injections. In early 2018, the use of this banking Trojan in the […]

Read More
Rule of the Week: QakBot Malware Detection

QakBot banking trojan (aka QBot) has been used in attacks on organizations for over 10 years, and its authors continuously monitor threat landscape trends adding new features or removing them if they don’t work properly. In 2017, this malware possessed worm-like capabilities and was capable of locking Active Directory users to make additional damage to […]

Read More
Interview with Developer: Emir Erdogan

We keep interviewing the members of the Threat Bounty Program  (https://my.socprime.com/en/tdm-developers), and today we want to introduce you to Emir Erdogan. Emir has been participating in the program since September 2019, he has 110+ Sigma rules published to his name, but Emir also publishes YARA rules to detect actual threats. His rules are often found […]

Read More
Threat Hunting Content: HawkEye Multiple Detection

We start the week with a new rule from Emir Erdogan – HawkEye Multiple Detection (Covid19 Themed Phishing Campaign). This malware is also known as Predator Pain steals a variety of sensitive information from the infected system, including bitcoin wallet information and credentials to browsers and mail clients. The stealer is capable of taking screenshots […]

Read More