Remcos RAT was first spotted in 2016. Now it hat purports to be a legitimate remote access tool but it was used in multiple global hacking campaigns. On various sites and forums, cybercriminals advertise, sell, and offer the cracked version of this malware. Since the end of February, security researchers have discovered several campaigns that […]
Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems […]
We continue to draw your attention to rules whose capabilities are beyond the more common detection content analyzing Sysmon logs. Today in our digest there are two rules for detecting attacks on Web Servers, a continuation of a series of rules (1, 2) for discovering traces of Outlaw hacking group attacks, and detection content that […]
A recently published article “SIGMA vs Indicators of Compromise” by Adam Swan, our Senior Threat Hunting Engineer demonstrates the benefits of threat hunting Sigma rules over IOCs-based content. Although we can’t brush off IOC Sigma rules, since they can help identify a fact of compromise, in addition, not all adversaries quickly make changes to their malware, […]
New Sigma rule by Osman Demir helps to detect COVID-19 related phishing attacks targeted at medical suppliers. https://tdm.socprime.com/tdm/info/IkntTJirsLUZ/uowd33EB1-hfOQirsQZO/ The campaign became known at the end of last week, and researchers believe that it is associated with 419 scammers who exploit the COVID-19 pandemic for Business Email Compromise attacks. Adversaries send highly targeted phishing emails with […]
This week, the rules to detect malware and APT activity from both our team and the participants of the SOC Prime Threat Bounty Program got into the spotlight. In digests, we try to draw your attention to interesting rules published over the past week. APT StrongPity by Ariel Millahuel https://tdm.socprime.com/tdm/info/lC2OEeruDxdg/fos3nHEB1-hfOQir9NI-/?p=1 StrongPity APT (aka Promethium) […]
Bladabindi backdoor has been known since at least 2013, its authors monitor cybersecurity trends and improve backdoor to prevent its detection: they recompile, refresh, and rehash it, so IOCs-based detection content is almost useless. In 2018, the Bladabindi backdoor became fileless and was used as a secondary payload delivered by njRAT / Njw0rm malware. The […]
The āProcess Injection by Ursnif (Dreambot Malware)ā exclusive rule by Emir Erdogan is released on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/IIfltgwf9Tqh/piHTv3EBjwDfaYjKDztK/ Ursnif banking Trojan has been used by adversaries in various modifications for about 13 years, constantly gaining new features and acquiring new tricks to avoid security solutions. Its source code was leaked in 2014, and since […]
New community rule by Ariel Millahuel that enables detection of Buer loader is available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/5F93tXFdZmx9/ Buer is a modular loader that was first spotted at the end of last summer and since then this malware has been actively promoted on the underground marketplaces. Proofpoint researchers tracked multiple campaigns spreading Buer loader, […]
SOC Prime is presenting another interview with a participant of the SOC Prime Threat Bounty Developer Program (https://my.socprime.com/en/tdm-developers). We want to introduce to you Den Iuzvyk who published 60+ community rules of the highest quality and detection value during six months of his participation in the Threat Bounty Program. Read more interviews with content developers […]