Password stealer (PwdFetcher) detector


Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.
We were able to trace attacker activity back to October 2015; however, it is possible that the attackers have been active even longer. These attackers use three different .NET malware strains in their attacks: Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three strains have been in active use against different targets at the same time; they share some infrastructure and connect to the same C&C servers. A possible explanation for running three parallel strains is that each one is developed independently. The queries below flag process creation (Sysmon Event ID 1) whose file hash matches one of four SHA-1 indicators, so they only fire on hosts where the Sysmon configuration includes SHA1 in HashAlgorithms.

  • QRadar AQL
SELECT UTF8(payload) as search_payload, "Image", "File Hash" from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and "EventID"='1' and ("File Hash" = '2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6' or "File Hash" = '9B1586766AF9885EF960F05F8606D1230B36AC15' or "File Hash" = 'A2F0D5AF81D93752CFF1CF1E8BB9E6CAEE6D1B5E' or "File Hash" = 'CE18467B33161E39C36FC6C5B52F68D49ABCFC2A')
  • Splunk
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1" (file_hash="2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6" OR file_hash="9B1586766AF9885EF960F05F8606D1230B36AC15" OR file_hash="A2F0D5AF81D93752CFF1CF1E8BB9E6CAEE6D1B5E" OR file_hash="CE18467B33161E39C36FC6C5B52F68D49ABCFC2A")) | table Image,ParentImage,Hashes
  • EDR Carbon Black
(childproc_count:[1 to *] AND (file_hash:2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6 OR file_hash:9B1586766AF9885EF960F05F8606D1230B36AC15 OR file_hash:A2F0D5AF81D93752CFF1CF1E8BB9E6CAEE6D1B5E OR file_hash:CE18467B33161E39C36FC6C5B52F68D49ABCFC2A))
  • Windows PowerShell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} | Where-Object { $_.Message -match '2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6|9B1586766AF9885EF960F05F8606D1230B36AC15|A2F0D5AF81D93752CFF1CF1E8BB9E6CAEE6D1B5E|CE18467B33161E39C36FC6C5B52F68D49ABCFC2A' } | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
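The same hash match, written out as a small Python matcher so the rule's behaviour can be tested offline. This is an added example, not part of the original rule set or of any vendor's content. It assumes Sysmon events have already been parsed into dicts keyed by Sysmon's own field names (EventID, Image, ParentImage, Hashes); the sample events are constructed here and are not real telemetry. Beyond the queries above, it also reports the one case those queries silently miss: process-creation events whose Hashes field carries no SHA1 at all, which means the host's Sysmon config does not compute SHA-1 and the rule is blind there.

```python
"""Hash-based Sysmon Event ID 1 matcher for the PwdFetcher SHA-1 indicators.

Added worked example; not part of the original rule set. Input records are
constructed below and mirror the Sysmon fields (EventID, Image, ParentImage,
Hashes) that the QRadar/Splunk/PowerShell queries rely on.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# The four SHA-1 indicators from the rule. Sysmon writes hash values in upper
# case, but everything is normalised below so case never matters.
PWDFETCHER_SHA1 = frozenset({
    "2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6",
    "9B1586766AF9885EF960F05F8606D1230B36AC15",
    "A2F0D5AF81D93752CFF1CF1E8BB9E6CAEE6D1B5E",
    "CE18467B33161E39C36FC6C5B52F68D49ABCFC2A",
})


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=hex,ALG=hex,...' Hashes field into a dict.

    Only the algorithms enabled in the Sysmon config appear, in any order,
    so callers must not assume SHA1 is present.
    """
    parsed: Dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" not in part:
            continue  # tolerate a malformed fragment instead of dropping the event
        alg, value = part.split("=", 1)
        parsed[alg.strip().upper()] = value.strip().upper()
    return parsed


def match_event(event: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return a hit record if this process-creation event carries an IoC SHA-1.

    Returns None for anything other than Event ID 1, for events whose SHA1 is
    not an indicator, and for events that carry no SHA1 (see check_events).
    """
    if int(event.get("EventID", 0)) != 1:
        return None
    sha1 = parse_hashes(str(event.get("Hashes", ""))).get("SHA1")
    if sha1 in PWDFETCHER_SHA1:
        return {
            "Image": str(event.get("Image", "")),
            "ParentImage": str(event.get("ParentImage", "")),
            "SHA1": sha1,
        }
    return None


def check_events(events: Iterable[Dict[str, object]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Run the matcher over a stream of events.

    Returns (hits, blind_spots). blind_spots lists the Image of every Event
    ID 1 record whose Hashes field lacks SHA1, i.e. hosts where Sysmon's
    HashAlgorithms setting does not include SHA1 and this rule cannot fire.
    """
    hits: List[Dict[str, str]] = []
    blind_spots: List[str] = []
    for ev in events:
        if int(ev.get("EventID", 0)) == 1 and "SHA1" not in parse_hashes(str(ev.get("Hashes", ""))):
            blind_spots.append(str(ev.get("Image", "")))
            continue
        hit = match_event(ev)
        if hit:
            hits.append(hit)
    return hits, blind_spots


# Constructed sample telemetry (not real events): one benign launch, one
# indicator match with lower-case hash text, one host whose Sysmon config only
# hashes MD5, and one ImageLoad (Event ID 7) that carries Hashes but is out of
# scope for a process-creation rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,MD5=D41D8CD98F00B204E9800998ECF8427E"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\updater.exe",
     "ParentImage": r"C:\Users\user\Downloads\invoice.scr",
     "Hashes": "MD5=D41D8CD98F00B204E9800998ECF8427E,sha1=a2f0d5af81d93752cff1cf1e8bb9e6caee6d1b5e"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=D41D8CD98F00B204E9800998ECF8427E"},
    {"EventID": 7, "Image": r"C:\Users\user\AppData\Roaming\updater.exe",
     "Hashes": "SHA1=2A5C9D4DAE5E53B2962FBE2B7FA8798A127BC9A6"},
]

if __name__ == "__main__":
    found, blind = check_events(SAMPLE_EVENTS)
    for h in found:
        print(f"HIT      {h['SHA1']}  {h['Image']}  (parent: {h['ParentImage']})")
    for img in blind:
        print(f"NO-SHA1  {img}  (enable SHA1 in Sysmon HashAlgorithms)")
```

Feed it records from Get-WinEvent (via the event's ToXml output) or from the Splunk Sysmon add-on's extracted fields; the blind-spot list is worth exporting as its own alert, since a fleet where SHA1 is missing from HashAlgorithms will never produce a hit for any of the four queries above.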
