New Query: Lagtoy Scheduled Task Backdoor

Cisco-Talos · Feb 28, 2024 · bc3ec05 · bc3ec05
1 parent d2e7f14
commit bc3ec05
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -1745,6 +1745,15 @@
                 "windows"
             ]
         },
+        "malware_lagtoy_scheduled_task_backdoor": {
+            "query": "SELECT name, path, action, datetime(last_run_time, 'unixepoch', 'UTC') as last_run_time FROM scheduled_tasks WHERE action LIKE regex_match(action,'.*cmd /c.*StrictHostKeyChecking no.*-NCqf.*',0);",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "A scheduled task associated to the Lagtoy malware has been detected. The threat actor ToyMaker has been known to utilize the Windows Task Scheduler to create an SSH backdoor to maintain persistence and attack other systems on the victim network.",
+            "platform": [
+                "windows"
+            ]
+        },
         "SugarGh0st RAT File Detected": {
             "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE f.directory LIKE '\\users\\%\\AppData\\Local\\Temp' AND LOWER(f.filename) IN ('msadocg.dll', 'dplay.lib', 'ctfmon.bat', 'libeay32.dll', 'libeay32.lib');",
             "interval": 86400,

diff --git a/win_malware/malware_lagtoy_scheduled_task_backdoor.yaml b/win_malware/malware_lagtoy_scheduled_task_backdoor.yaml
@@ -0,0 +1,15 @@
+malware_lagtoy_scheduled_task_backdoor:
+  query: 'SELECT name, path, action, datetime(last_run_time, "unixepoch", "UTC") as last_run_time
+          FROM scheduled_tasks WHERE action LIKE regex_match(action,".*cmd /c.*StrictHostKeyChecking no.*-NCqf.*",0);'  
+  interval: 86400
+  snapshot: true
+  description: A scheduled task associated to the Lagtoy malware has been detected. The threat actor
+              ToyMaker has been known to utilize the Windows Task Scheduler to create an SSH 
+              backdoor to maintain persistence and attack other systems on the victim network. 
+  references:
+  mitre_tactics:
+  - Persistence: TA0003
+  mitre_techniques:
+  - Scheduled Task: T1053.005
+  platform:
+  - windows