029.md

Day 29 - Transfer[.]sh Script Abuse

Earlier today Cisco Talos shared research about a new threat campaign:

• New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

Todays yara rule detects scripts that download from transfer[.]sh while also supressing output!

Yara Rule

Here's the yara rule I wrote for detecting suspicous transfer[.]sh usage:

rule sus_transfersh_scripting {
  meta:
    author = "Colin Cowie"
    description = "Detects transfer.sh usage with output suppression"
    reference  = "f02512e7e2950bdf5fa0cd6fa6b097f806e1b0f6a25538d3314c793998484220"
  strings:
  	$echooff = "@echo off"
    $bitsadmin = "bitsadmin"
    $curl = "curl"
    $wget = "wget"
    $transfer = "transfer.sh" 
  condition:
  	$echooff
    and ($curl or $wget or $bitsadmin)
    and $transfer
    and filesize<800KB
}

Results

Retrohunting with this rule found some fun InfoStealer malware:

• Nitro Generator.zip
  • Exfiltrates data to transfer.sh
  • 8a8681c57efa5b44968048a2d12bd286cffbf6b70cf268a47534ce3c658b822c
• Fake "soundspack" that steals discord nitro
  • wetransfer_soundpack-marco-s-4_2023-02-04_1644.zip
  • Exfiltrates data to transfer.sh
  • bee960244bed23886e38fc23fdcbab699ea0fd118c95930e18f39a3baa8f82f7

References

• https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
• https://www.virustotal.com/gui/file/f02512e7e2950bdf5fa0cd6fa6b097f806e1b0f6a25538d3314c793998484220/details