updated description and added a new rule related with Oleview sideloa…

…ding
SigmaHQ · Mar 14, 2024 · c3045f0 · c3045f0
1 parent e9b83e2
commit c3045f0
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_side_load_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_side_load_oleview.yml
@@ -0,0 +1,40 @@
+title: Potential Raspberry Robin Aclui Dll SideLoading
+id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
+status: experimental
+description: Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
+references:
+    - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
+    - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
+    - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
+    - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+author: Swachchhanda Shrawan Poudel
+date: 2024/03/14
+tags:
+    - detection.emerging_threats
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection_image:
+        Image|endswith: '\OleView.exe'
+    selection_dll_loaded:
+        ImageLoaded|endswith: '\aclui.dll'
+    filter_is_signed:
+        Signed: 'true'
+    filter_signature_status:
+        SignatureStatus:
+            - 'Valid'
+            - 'errorChaining'
+            - 'errorCode_endpoint'
+            - 'errorExpired'
+            - 'trusted'
+    filter_signatue:
+        Signature: 'Microsoft Windows'
+    condition: all of selection_* and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/...-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml b/...-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml
@@ -1,7 +1,9 @@
 title: Potential Raspberry Robin Registry Set Internet Settings Zonemap
 id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
 status: experimental
-description: Detecting registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+description: |
+    Detecting registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+    Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
 references:
     - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
     - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt