Merge branch 'plugx_badiis_queries' into 'master'

New Queries - PlugX and BadIIS See merge request malware-team/osquery_queries!327
Cisco-Talos · Aug 22, 2024 · 08d0134 · 08d0134
2 parents 3e6e591 + 535953d
commit 08d0134
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -496,6 +496,15 @@
                 "windows"
             ]
         },
+        "malware_badiis_file_artifact": {
+            "query": "SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path = h.path WHERE (f.path LIKE '\\ProgramData\\%%' AND (f.filename LIKE 'IISMODEx86.dll' OR f.filename LIKE 'IISMODEx64.dll')) OR (f.path LIKE '\\Windows\\Microsoft.NET\\Framework%%' AND f.filename LIKE 'HttpResetModule%.dll');",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "BadIIS is a malware with search engine optimization fraud capabilities, which are fake, sometimes malicious, websites that users can see at the top when they look for certain terms on search engines. BadIIS usually installs its files in ProgramData, inside directories with names of legitimate software as an attempt to avoid detection. ",
+            "platform": [
+                "windows"
+            ]
+        },
         "malware_indigodrop_filepath": {
             "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time FROM file f JOIN hash h ON f.path=h.path WHERE f.path LIKE 'C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\anything.exe'; ",
             "interval": 86400,
@@ -667,6 +676,15 @@
                 "windows"
             ]
         },
+        "malware_plugx_filepath": {
+            "query": "SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path = h.path WHERE (f.path LIKE '\\Users\\%\\AppData\\Local\\Temp\\%%' AND (f.filename LIKE 'acrobat.dll' OR f.filename LIKE 'acrobat.dxe')) OR (f.path LIKE '\\Users\\%\\AppData\\Local\\Temp\\%\\ddos\\%%' AND (f.filename LIKE 'FVTProect32.sys' OR f.filename LIKE 'FVTProect64.sys'));",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "PlugX exploits vulnerable legitimate binaries, such as Acrobat.exe, to initiate its loader. It's also known for using a technique to sideload dynamic link libraries (DLL), which involves placing a malicious DLL, with the same name as a legitimate one, in the same directory from which an application is loaded to take advantage of the DLL search order.",
+            "platform": [
+                "windows"
+            ]
+        },
         "malware_remcos_mutex": {
             "query": "SELECT session_id, object_name, object_type FROM winbaseobj WHERE object_type='Mutant' AND LOWER(object_name) LIKE '%remcos%' AND (object_name=regex_match(object_name, '^remcos[a-z0-9]?[\\-_][A-Za-z0-9]{6}', 0) OR object_name='Remcos_Mutex_Inj'); ",
             "interval": 86400,

diff --git a/win_malware/malware_badiis_file_artifact.yaml b/win_malware/malware_badiis_file_artifact.yaml
@@ -0,0 +1,28 @@
+BadIIS File Artifact:
+  query: SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, 
+    DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, 
+    DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, 
+    DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, 
+    DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type 
+    FROM file f LEFT JOIN hash h ON f.path = h.path 
+    WHERE ( f.path LIKE '\ProgramData\%%' 
+    AND (f.filename LIKE 'IISMODEx86.dll' 
+    OR f.filename LIKE 'IISMODEx64.dll')) 
+    OR (f.path LIKE '\Windows\Microsoft.NET\Framework%%' 
+    AND f.filename LIKE 'HttpResetModule%.dll');
+  interval: 86400
+  snapshot: true
+  description: BadIIS is a malware with search engine optimization fraud capabilities, which are fake, 
+    sometimes malicious, websites that users can see at the top when they look for certain terms on 
+    search engines. BadIIS usually installs its files in ProgramData, inside directories with names of 
+    legitimate software as an attempt to avoid detection. 
+  references:
+  - c747d509ecfed834d147bdf7390903e0670e6624b7921ffcb5c73390af615850
+  mitre_tactics:
+  - Persistence: TA0003
+  - Defense Evasion: TA0005
+  mitre_techniques:
+  - IIS Components: T1505.004
+  - Match Legitimate Name or Location: T1036.005
+  platform:
+  - windows
diff --git a/win_malware/malware_plugx_filepath.yaml b/win_malware/malware_plugx_filepath.yaml
@@ -0,0 +1,29 @@
+PlugX File Artifact:
+  query: SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, 
+    DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, 
+    DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, 
+    DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, 
+    DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type 
+    FROM file f LEFT JOIN hash h ON f.path = h.path 
+    WHERE (f.path LIKE '\Users\%\AppData\Local\Temp\%%' 
+    AND (f.filename LIKE 'acrobat.dll' 
+    OR f.filename LIKE 'acrobat.dxe')) 
+    OR (f.path LIKE '\Users\%\AppData\Local\Temp\%\ddos\%%' 
+    AND (f.filename LIKE 'FVTProect32.sys' 
+    OR f.filename LIKE 'FVTProect64.sys'));
+  interval: 86400
+  snapshot: true
+  description: PlugX exploits vulnerable legitimate binaries, such as Acrobat.exe, to initiate its loader. 
+    It's also known for using a technique to sideload dynamic link libraries (DLL), which involves 
+    placing a malicious DLL, with the same name as a legitimate one, in the same directory from 
+    which an application is loaded to take advantage of the DLL search order. 
+  references:
+  - 046a03725df3104d02fa33c22e919cc73bed6fd6a905098e98c07f0f1b67fadb
+  mitre_tactics:
+  - Privilege Escalation: TA0004
+  - Defense Evasion: TA0005
+  mitre_techniques:
+  - Dynamic-link Library Injection: T1055.001
+  - Match Legitimate Name or Location: T1036.005
+  platform:
+  - windows