Merge branch 'armageddon-vbs-backdoor' into 'master'

New Query: Armageddon VBS Backdoor See merge request malware-team/osquery_queries!324
Cisco-Talos · Aug 23, 2024 · d31d8ad · d31d8ad
2 parents b7307fb + 5b42463
commit d31d8ad
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -640,6 +640,15 @@
                 "windows"
             ]
         },
+        "aramgeddon_vbs_backdoor": {
+            "query": "SELECT f.filename, f.path, f.directory, st.name, st.action FROM file f JOIN scheduled_tasks st ON st.action LIKE concat('%', concat(f.filename, '%')) WHERE lower(f.directory) LIKE '%%\\appdata\\roaming\\%' AND f.path LIKE '%.%%' AND lower(st.action) LIKE '%e:vbscript%' AND (SELECT COUNT(*) FROM file WHERE lower(directory) LIKE '%%\\appdata\\roaming\\%' AND path LIKE '%.%%') >= 2;",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "A backdoor associated with the Armageddon threat actor was installed on the system. Armageddon is a group notable for performing attacks on behalf of the Russian Federal Security Service (FSB). This backdoor is written in Visual Basic and serves to establish persistence on the system and then download & execute additional files on the system.",
+            "platform": [
+                "windows"
+            ]
+        },
         "ransomware_funicorn_filepath": {
             "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE (f.directory LIKE 'C:\\Users\\%%' AND f.filename LIKE regex_match(f.filename, '\\S+\\.fuckunicornhtrhrtjrjy$', 0)); ",
             "interval": 86400,

diff --git a/win_malware/armageddon_vbs_backdoor.yaml b/win_malware/armageddon_vbs_backdoor.yaml
@@ -0,0 +1,19 @@
+armageddon_vbs_backdoor:
+  query: 'SELECT f.filename, f.path, f.directory, st.name, st.action 
+FROM file f JOIN scheduled_tasks st ON st.action LIKE concat("%", concat(f.filename, "%")) 
+WHERE lower(f.directory) LIKE "%%\appdata\roaming\%" 
+  AND f.path LIKE "%.%%" 
+  AND lower(st.action) LIKE "%e:vbscript%" 
+  AND (SELECT COUNT(*) FROM file WHERE lower(directory) LIKE "%%\appdata\roaming\%" AND path LIKE "%.%%") >= 2;'
+  interval: 86400
+  snapshot: true
+  description: A backdoor associated with the Armageddon threat actor was installed on the system. Armageddon is a group notable for performing attacks on behalf of the Russian Federal Security Service (FSB). This backdoor is written in Visual Basic and serves to establish persistence on the system and then download & execute additional files on the system.
+  references:
+  - https://csirt.csi.cip.gov.ua/en/posts/uac-0010-2023
+  - https://panacea.threatgrid.com/mask/samples/39578a17ac43710af154b88a43b70cbc?region=US
+  mitre_tactics:
+  - Persistence: TA0003
+  mitre_techniques:
+  - Scheduled Task : T1053.005
+  platform:
+  - windows