Tag: Emir Erdogan

This week in our digest there are rules exclusively developed by participants of the Threat Bounty Program. Threat actor behind the recent Ursnif variant possibly conducts targeted cybercrime operations that are still ongoing. At the heart of these campaigns is a variant of the Ursnif Trojan that was repurposed as a downloader and reconnaissance tool […]

QakBot banking trojan (aka QBot) has been used in attacks on organizations for over 10 years, and its authors continuously monitor threat landscape trends adding new features or removing them if they don’t work properly. In 2017, this malware possessed worm-like capabilities and was capable of locking Active Directory users to make additional damage to […]

We start the week with a new rule from Emir Erdogan – HawkEye Multiple Detection (Covid19 Themed Phishing Campaign). This malware is also known as Predator Pain steals a variety of sensitive information from the infected system, including bitcoin wallet information and credentials to browsers and mail clients. The stealer is capable of taking screenshots […]

This digest includes rules from both members of the Threat Bounty Program and the SOC Prime Team. Let’s start with rules by Arunkumar Krishna which will debut in our Rule Digest with CVE-2020-0932: A Remote Code Execution Bug in Microsoft SharePoint. CVE-2020-0932 was patched in April, it allows authenticated users to execute arbitrary code on […]

This week we want to highlight the community Sigma rule by Emir Erdogan that helps detect Nefilim/Nephilim ransomware used in destructive attacks. This ransomware family was first discovered two months ago, and its code is based on NEMTY ransomware which emerged last summer as a public affiliate program. It looks like NEMTY forked into two […]

A recently published article “SIGMA vs Indicators of Compromise” by Adam Swan, our Senior Threat Hunting Engineer demonstrates the benefits of threat hunting Sigma rules over IOCs-based content. Although we can’t brush off IOC Sigma rules, since they can help identify a fact of compromise, in addition, not all adversaries quickly make changes to their malware, […]

The ‘Process Injection by Ursnif (Dreambot Malware)’ exclusive rule by Emir Erdogan is released on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/IIfltgwf9Tqh/piHTv3EBjwDfaYjKDztK/  Ursnif banking Trojan has been used by adversaries in various modifications for about 13 years, constantly gaining new features and acquiring new tricks to avoid security solutions. Its source code was leaked in 2014, and since […]

SOC Prime brings to your attention a small digest of the latest community rules developed by participants of the Threat Bounty Program (https://my.socprime.com/en/tdm-developers). The digest includes 5 rules that help to detect Trojans and Hidden Tear Ransomware. In the future, we will continue to publish such selections of content to detect specific threat actors or […]