Related IOCs — Mandiant YARA detection rules for TAMECAT (the sample MD5 each rule was written against is recorded in its `meta` block)
// TAMECAT PowerShell backdoor, second signature. Every string is a verbatim
// fragment of the script's own source text; any three of the twelve, in a file
// under 2 MB, are enough to fire.
// NOTE(review): the strings carry no modifier, so they match ASCII bytes only
// (YARA default). A UTF-16LE copy of the script would not match — add `wide`
// if that encoding matters for your corpus.
rule M_APT_Backdoor_TAMECAT_2
{
    meta:
        author        = "Mandiant"
        md5           = "9c5337e0b1aef2657948fd5e82bdb4c3"
        date_created  = "2024-03-05"
        date_modified = "2024-03-05"
        rev           = "1"
        description   = "TAMECAT PowerShell backdoor: symmetric decryptor built from $a.Key/$a.iv, $SessionResponse split into '~'-delimited command parts, start/stop branches, Invoke-Expression reached through a Get-Command wildcard"

    strings:
        // decryptor constructed from the key/IV pair held in $a
        $s01 = "$a.CreateDecryptor($a.Key,$a.iv)"

        // command buffer initialisation and the split of $SessionResponse
        $s02 = "$CommandParts = \"\""
        $s03 = "$CommandParts =$SessionResponse.Split(\""

        // a file under %APPDATA% / %LOCALAPPDATA% is read into $mac
        $s04 = "$macP = $env:APPDATA+\"\\"
        $s05 = "$macP = \"$env:LOCALAPPDATA\\"
        $s06 = "$mac += Get-Content -Path $macP"

        // per-command loop; each part is split again on '~'
        $s07 = "[string]$CommandPart = \"\";"
        $s08 = "Foreach ($CommandPart in $CommandParts)"
        $s09 = "$CommandPart.Split(\"~\");"

        // start / stop tasking branches
        $s10 = "if($StartStop -eq \"start\")"
        $s11 = "elseif($StartStop -eq \"stop\")"

        // `gcm *ke-e*` resolves Invoke-Expression by wildcard, so the cmdlet
        // name itself never appears in the script (defeats naive iex grepping)
        $s12 = "&(gcm *ke-e*) $Command;"

    condition:
        filesize < 2MB and 3 of ($s*)
}
// TAMECAT / NICECURL VBScript downloader. The strings are literal fragments of
// the dropper: a WMI-style enumeration of installed antivirus products, and
// the obfuscated cmd/PowerShell launch lines it shells out to.
// NOTE(review): no `wide` modifier and no filesize cap, unlike
// M_APT_Backdoor_TAMECAT_2 — ASCII-only matching on files of any size.
rule M_APT_Downloader_TAMECAT_NICECURL_VBScript_1
{
    meta:
        author        = "Mandiant"
        md5           = "d7bf138d1aa2b70d6204a2f3c3bc72a7"
        date_created  = "2024-03-13"
        date_modified = "2024-03-13"
        rev           = "1"
        description   = "TAMECAT/NICECURL VBScript downloader: AV product enumeration plus obfuscated curl / hidden-window PowerShell launch via WScript.Shell Exec"

    strings:
        // antivirus enumeration loop; displayName of each product is appended to a list
        $s1 = "For Each antivirus in installedAntiviruses"
        $s2 = "list=list & VBNewLine & antivirus.displayName"

        // child process launched through objShell.Exec(...)
        $s3 = "Set oE = objShell.Exec("

        // PowerShell started through conhost with -w 1 (WindowStyle Hidden, by
        // the WindowStyle enum ordering) and an inline -c script
        $s4 = "\"conhost conhost powershell.exe -w 1 -c \""
        // response body handed to Invoke-Expression; `gcm *e-e?p*` resolves the
        // cmdlet by wildcard so "Invoke-Expression"/"iex" never appears literally
        $s5 = "-UseBasicParsing).Content; &(gcm *e-e?p*)$"

        // the '9' characters are padding: cmd's %c:9=% expands to the same
        // variable with every '9' removed, i.e. "curl --ssl-no-revoke -s -d";
        // "sta9rt" likewise becomes "start"
        $s6 = "\"cmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d \""
        $s7 = "& call %c:9=% & set b=sta9rt"

    condition:
        3 of ($s*)
}
// TAMECAT, VBScript variant. Keyed on the same sample MD5 as the NICECURL
// VBScript downloader rule; all three strings (ASCII or UTF-16LE) must be
// present, so this is the narrowest of the three TAMECAT signatures.
rule M_APT_Backdoor_TAMECAT
{
    meta:
        author        = "Mandiant"
        md5           = "d7bf138d1aa2b70d6204a2f3c3bc72a7"
        date_created  = "2024-03-11"
        date_modified = "2024-03-11"
        rev           = "1"
        description   = "TAMECAT VBScript: antivirus product state check and NOT_FOUND / list result accumulation into OutputCom"

    strings:
        // result accumulation: either a NOT_FOUND marker or the collected list
        $s1 = "OutputCom = OutputCom & \"NOT_FOUND\"" ascii wide
        $s2 = "OutputCom = OutputCom & list"          ascii wide
        // bit test on productState; NOTE(review): 0x1000 is commonly read as the
        // "product enabled" bit of the SecurityCenter2 productState value — verify
        // against the sample before relying on that interpretation
        $s3 = "If antivirus.productState And &h01000 Then" ascii wide

    condition:
        all of ($s*)
}