From c3045f015395127afe53894f9b5508ba41826054 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
Date: Thu, 14 Mar 2024 20:04:54 +0545
Subject: [PATCH] updated description and added a new rule related with Oleview sideloading

---
 .../image_load_side_load_oleview.yml | 40 +++++++++++++++++++
 ...registry_set_internet_settings_zonemap.yml | 4 +-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_side_load_oleview.yml

diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_side_load_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_side_load_oleview.yml
new file mode 100644
index 000000000000..38accbc5236d
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_side_load_oleview.yml
@@ -0,0 +1,40 @@
+title: Potential Raspberry Robin Aclui Dll SideLoading
+id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
+status: experimental
+description: Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
+references:
+ - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
+ - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
+ - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
+ - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+author: Swachchhanda Shrawan Poudel
+date: 2024/03/14
+tags:
+ - detection.emerging_threats
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_image:
+ Image|endswith: '\OleView.exe'
+ selection_dll_loaded:
+ ImageLoaded|endswith: '\aclui.dll'
+ filter_is_signed:
+ Signed: 'true'
+ filter_signature_status:
+ SignatureStatus:
+ - 'Valid'
+ - 'errorChaining'
+ - 'errorCode_endpoint'
+ - 'errorExpired'
+ - 'trusted'
+ filter_signatue:
+ Signature: 'Microsoft Windows'
+ condition: all of selection_* and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml
index 4e47277e2a83..3c31a3ca1a8e 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_internet_settings_zonemap.yml
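Review bot: The three `filter_*` selections under `detection` act as independent exclusions because `condition` reads `not 1 of filter_*`, so an `aclui.dll` load by OleView is suppressed as soon as any one of them matches: `Signed: 'true'` alone drops every DLL that merely carries a signature, whatever the signer or validity; the `SignatureStatus` list drops loads whose signature check failed with `errorChaining`, `errorCode_endpoint` or `errorExpired`; and `Signature: 'Microsoft Windows'` drops on the signer name string alone. If the intent is to exclude only a genuinely valid Microsoft-signed DLL, the three conditions belong in one selection that must match together, e.g. `filter_main_legit_signature:` containing `Signed: 'true'`, `SignatureStatus: 'Valid'` and `Signature: 'Microsoft Windows'`, with the error statuses not treated as a trust signal. Separately, the selection name `filter_signatue` is misspelled (`filter_signature`), and the description is missing a space in `OleView.This` and has `chekpoint`/`Feburary` typos. The nesting of the detection keys is not recoverable from this collapsed rendering, so the structural reading above is inferred from the usual Sigma layout.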
@@ -1,7 +1,9 @@
 title: Potential Raspberry Robin Registry Set Internet Settings Zonemap
 id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
 status: experimental
-description: Detecting registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+description: |
+ Detecting registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+ Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
 references:
 - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
 - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
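Review bot: The rewritten description still opens with `Detecting registry modifications ...`, whereas Sigma descriptions (including the new rule added in this same commit) conventionally use the imperative `Detects ...`; suggest `Detects registry modifications related to the proxy configuration of the system, ...`. The second added line is a single very long sentence; ending it after `Command and Control servers` and dropping the trailing clause `if there are any proxy settings that are blocking connections`, which restates the first half, would read cleaner inside the `|` block. The rule's detection block lies outside this hunk.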