
https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/ https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html

Track Suspicious Process and Library Activities

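```Track Java process starts and service installs that reference the OpenSymphony WebWork component.
4688 = process creation, 7045 = new service installed. A 7045 event carries the binary path in
Service_File_Name and has no CommandLine, so the original lower(CommandLine) was null for every
7045 event and those events never reached the where clause. CommandLine is back-filled from
Service_File_Name so both event types are matched and grouped under the same column.```
index=* sourcetype=wineventlog (EventCode=4688 OR EventCode=7045)
| eval CommandLine=coalesce(CommandLine, Service_File_Name)
| eval CommandLineLower=lower(CommandLine)
| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
```stats drops events whose group-by field is null; 7045 events may lack Account_Name / Parent_Process_Name```
| fillnull value="-" Account_Name Parent_Process_Name
```NOTE(review): Hostname, Account_Name and Parent_Process_Name are assumed to be the add-on's field names for this sourcetype — confirm, 4688 events often expose ComputerName / Creator_Process_Name instead```
| stats count by Account_Name, CommandLine, Parent_Process_Name, Hostname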

Monitor for Suspicious Java Execution and Payloads

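```Java processes whose recorded process string mentions a ServletRequestListener implementation
(jakarta.* or javax.*). The original compared process_lower against bare literals: a value cannot
equal "java" and also equal a listener class name, so the search could never return a row.
Wildcards turn the terms into substring tests; values are lower-case because the field is lowered.```
index=* (sourcetype=syslog OR sourcetype=process_monitor)
| eval process_lower=lower(process)
| search process_lower="*java*" AND (process_lower="*jakarta.servlet.servletrequestlistener*" OR process_lower="*javax.servlet.servletrequestlistener*")
```NOTE(review): a listener class name is only visible if the log source records Java arguments or loaded classes in the process field — confirm against the actual sourcetype before relying on this```
| stats count by user, process, parent_process, host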

Processes decoding Base64-encoded payloads dynamically in memory

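```Command lines that mention base64 / aes / md5 — a proxy for payloads decoded at run time.
The original used exact matches (CommandLineLower="base64"), which only fire when the whole
command line is that word; wildcards make them substring tests.```
index=* sourcetype=process_monitor
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*base64*" OR CommandLineLower="*aes*" OR CommandLineLower="*md5*"
```"*aes*" and "*md5*" are short substrings and will hit unrelated paths and arguments; expect to tune or require both a decode term and an interpreter in the same line```
| stats count by user, process, parent_process, host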

Detecting Second-Stage Backdoors

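```Second-stage backdoor hunt: command lines naming COBEACON / VARGEIT together with a C2-ish token.
The original exact matches (CommandLineLower="cobeacon") only fire when the entire command line is
that word; wildcards make them substring tests. Both family names are analyst labels and will only
appear if the operator kept them in a file name, so treat a hit as low-confidence evidence.```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*cobeacon*" OR CommandLineLower="*vargeit*")
```SuspiciousActivity is kept as a field so the flag can be tabled or extended later, even though the where clause immediately filters on it```
| eval SuspiciousActivity=if(match(CommandLineLower, ".*(c2|beacon|http).*"), "Yes", "No")
| where SuspiciousActivity="Yes"
```NOTE(review): Hostname / User / Image are Sysmon-style names; 4688 events may expose them under different field names — confirm for the wineventlog sourcetype```
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count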

Splunk Rule for DLL Sideloading Detection

```Process-creation command lines that reference a .dll located outside System32 / SysWOW64.
NOTE(review): command-line text only sees DLLs passed as arguments (rundll32, regsvr32 style);
a sideloaded DLL is resolved by the loader at run time and never appears here. Sysmon Event ID 7
(ImageLoaded) records the loaded module path and signature and is the source that can see it.```
index=* sourcetype=wineventlog EventCode=4688
```The second match is the exclusion: "\\.*\.dll" is intended as a literal backslash, any path segment, then ".dll".
NOTE(review): eval-string backslash handling is easy to get wrong — validate against a sample
value such as C:\Windows\System32\foo.dll before trusting the exclusion```
| eval suspicious_dll=if(match(CommandLine, "(?i)\.dll") AND NOT match(CommandLine, "(?i)(System32|SysWOW64)\\.*\.dll"), 1, 0)
| where suspicious_dll=1
```NOTE(review): Parent_Image / Process_Name are assumed field names; 4688 events commonly expose New_Process_Name and Creator_Process_Name instead — confirm or the stats will be empty```
| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
| sort -count

COBEACON loader MASQLOADER

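```MASQLOADER (COBEACON loader) file trio: msmpsrv.exe running while msedge.dll and ms.log appear
within one second. EventPath unifies the process name (process events) and file name (file events)
so one search term covers both. Wildcards allow full paths, not just bare file names.```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval EventPath=coalesce(Process_Name, File_Name)
| search EventPath IN ("*msmpsrv.exe", "*msedge.dll", "*ms.log")
```NOTE(review): transaction keys on Process_Name, so file events that carry only File_Name may not
be grouped with the process event — confirm the field names this sourcetype emits on file events```
| transaction Process_Name maxspan=1s
```mvfind returns the 0-based index of the first matching value, so a match at position 0 evaluated
as false in the original "AND mvfind(...)" test and dropped exactly the expected case;
isnotnull() is the correct presence check```
| where like(Process_Name, "%msmpsrv.exe") AND isnotnull(mvfind(File_Name, "msedge\.dll")) AND isnotnull(mvfind(File_Name, "ms\.log"))
| stats count by Hostname, EventPath, User, Parent_Process_Name
| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
| sort -count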

Detecting VARGEIT Behaviors

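```VARGEIT hunt: a command line that names one of its injection hosts (mspaint, conhost) AND one of
the C2 / firewall / shellcode tokens. The original exact matches (CommandLineLower="mspaint") only
fire when the whole command line is that word, and the two groups were joined with OR, so once
wildcarded every ordinary mspaint or conhost launch would match; the groups are now ANDed.```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*mspaint*" OR CommandLineLower="*conhost*")
    AND (CommandLineLower="*c2*" OR CommandLineLower="*firewall*" OR CommandLineLower="*shellcode*")
```"*c2*" is a two-character substring (it also hits tokens such as c2r) — tune before alerting on it```
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count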

Detecting RSBINJECT Activity

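```RSBINJECT hunt: command lines naming the injector (or COBEACON) that also carry one of its
documented switches (--load/-l, --test/-t, --flag/-f) or the word shellcode. The original exact
matches (CommandLineLower="rsbinject") only fire when the whole command line is that word; wildcards
make them substring tests. The switch regex is anchored on whitespace: unanchored, "-l", "-t" and
"-f" matched inside ordinary arguments such as "-list" or "self-test".```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*rsbinject*" OR CommandLineLower="*cobeacon*")
| where match(CommandLineLower, "(?:^|\s)(--load|-l|--test|-t|--flag|-f)(?:\s|$)") OR like(CommandLineLower, "%shellcode%")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count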

Detect RAILLOAD

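```RAILLOAD hunt: command lines naming VARGEIT / RAILLOAD plus a dll reference or one of the
encrypted/config/payload/registry tokens. The original exact matches (CommandLineLower="vargeit")
only fire when the whole command line is that word; wildcards make them substring tests.```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*vargeit*" OR CommandLineLower="*railload*")
| where like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)")
```NOTE(review): Registry_Key_Path is only populated on registry events, which carry no CommandLine; this by-field will drop process events — confirm that is intended```
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
| sort -count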

Detect RAILSETTER

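```RAILSETTER hunt: command lines naming RAILLOAD / RAILSETTER that also mention one of its
persistence / evasion verbs (schtasks, timestomp, base64, copy). Two chained search commands
behave as AND. The original exact matches (CommandLineLower="railload") only fire when the whole
command line is that word; wildcards make them substring tests.```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*railload*" OR CommandLineLower="*railsetter*")
| search (CommandLineLower="*schtasks*" OR CommandLineLower="*timestomp*" OR CommandLineLower="*base64*" OR CommandLineLower="*copy*")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count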

mspaint Exfiltration

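```mspaint.exe launched with arguments that look like exfiltration material: a long alphanumeric run
(base64 / identifiers), an example cloud region name, or bucket/key words. SPL comments use triple
backticks; the original /* ... */ comments are not SPL syntax and break the search.```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
```NOTE(review): backslashes inside a search-command string need doubling as written here — verify the term matches a real Image value before deploying```
| search Image="C:\\Windows\\System32\\mspaint.exe"
```CommandLineLower is already lower-case, so [a-z0-9] is equivalent to the original [a-zA-Z0-9]```
| where match(CommandLineLower, "[a-z0-9]{16,}")
    OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)")
    OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
```the region list is an example set, not exhaustive — extend it for the regions in use```
| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count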

#20250417 dj mspaint Strange Process Spawn

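```Processes spawned under NT AUTHORITY\SYSTEM whose parent is neither explorer.exe nor cmd.exe.
The parent exclusions run before stats instead of after it: the result is identical (they filter on
a group-by field) but the aggregation no longer counts rows that are discarded anyway.```
```NOTE(review): ParentUser / ParentImage are Sysmon Event ID 1 (process creation) fields; Event ID 10
is ProcessAccess and carries SourceImage / TargetImage instead — confirm which event is intended```
index=win_sysmon EventCode=10 ParentUser="NT AUTHORITY\\SYSTEM" process_name=*
| where ParentImage!="C:\\Windows\\explorer.exe" AND ParentImage!="C:\\Windows\\System32\\cmd.exe"
```grouping by raw _time yields one row per event; add "| bin _time span=..." first if a real aggregation is wanted```
| stats count by _time, ParentUser, ParentImage, process_name, EventCode
| rename process_name as ProcessName
| table _time, ParentUser, ParentImage, ProcessName, EventCode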

#20250417 wip yaml

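title: Detect VARGEIT Malware Execution
id: f1234567-89ab-cdef-0123-456789abcdef
status: experimental
description: Detects potential execution patterns of the VARGEIT backdoor, including DLL sideloading, process injection into mspaint.exe, and network activity linked to Earth Alux operations.
author: YourName
references:
  - https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
logsource:
  product: windows
  # Image/ParentImage pairs are process-creation fields; the original "service: sysmon" with no
  # EventID selector matched every Sysmon event type that happens to carry these fields.
  category: process_creation
detection:
  selection:
    # Single-quoted scalars: in a YAML double-quoted string "\m" is not a valid escape and "\r"
    # is parsed as a carriage return, so the original values never matched a real path.
    Image|endswith:
      - '\mspaint.exe'    # VARGEIT injects payloads into mspaint.exe
    ParentImage|endswith:
      - '\rundll32.exe'   # loader DLL executed through rundll32 (page note: "DLL sideloading through rundll32")
  condition: selection
fields:
  - Image
  - ParentImage
  - CommandLine
  - User
falsepositives:
  - Unknown
level: high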

sigma rule for sus graph api usage by non-outlook process

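# NOTE(review): the heading above says "graph api usage by non-outlook process", but this rule is
# the ICMP rule that is repeated below; the Graph API rule is still to be written.
title: Suspicious ICMP Activity from mspaint.exe
id: abcdef12-3456-7890-abcd-ef1234567890
status: experimental
description: |
  Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
  and the protocol used is ICMP, which is unusual for the MS Paint process.
author: Your Name
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 3
    # Single-quoted: in a YAML double-quoted string "\m" is not a valid escape, so the original value broke parsing.
    Image|endswith: '\mspaint.exe'
    # NOTE(review): Sysmon Event ID 3 records TCP and UDP connections only; ICMP is not captured
    # by Sysmon, so this selection cannot fire on Sysmon data. A host firewall or network sensor
    # log that records ICMP is needed for this condition — confirm the intended source.
    Protocol: ICMP
  condition: selection
falsepositives:
  - Rare legitimate diagnostic tools or scanning software
level: high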

sigma sus icmp activity from mspaint

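# NOTE(review): this rule (same id) also appears once above under the Graph API heading; keep one copy.
title: Suspicious ICMP Activity from mspaint.exe
id: abcdef12-3456-7890-abcd-ef1234567890
status: experimental
description: |
  Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
  and the protocol used is ICMP, which is unusual for the MS Paint process.
author: Your Name
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 3
    # Single-quoted: in a YAML double-quoted string "\m" is not a valid escape, so the original value broke parsing.
    Image|endswith: '\mspaint.exe'
    # NOTE(review): Sysmon Event ID 3 records TCP and UDP connections only; ICMP is not captured
    # by Sysmon, so this selection cannot fire on Sysmon data. A host firewall or network sensor
    # log that records ICMP is needed for this condition — confirm the intended source.
    Protocol: ICMP
  condition: selection
falsepositives:
  - Rare legitimate diagnostic tools or scanning software
level: high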

#suricata wip

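# Earth Alux (WIP): literal "Godzilla" marker in an HTTP request body, client -> server.
# Suricata parses one rule per line unless every continued line ends with a backslash; the
# original multi-line layout without continuations does not load. Kept on one line.
# NOTE(review): the Godzilla web shell is reported to encrypt its request bodies, so a plaintext
# marker is a low-confidence indicator — expect to tune or pair it with URI/host context.
alert http any any -> any any (msg:"Earth Alux - Potential Godzilla web shell indicator observed in HTTP payload"; flow:to_server,established; content:"Godzilla"; nocase; http_client_body; reference:url,www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html; classtype:trojan-activity; sid:1000002; rev:1;)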