Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Endpoint_Processes
- Last Updated: 2020-01-22
- Author: iDefense Cyber Espionage Team, iDefense
- ID: 988C59C5-0A1C-45B6-A555-0C62276E327E
This story was created as a joint effort between iDefense and Splunk.
The MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'help'='c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\zipfldr.dll,RouteTheCall c:\\programdata\\winapp.exe'. Though this technique is not exclusive to MUDCARP, it has been spotted in the group’s arsenal of advanced techniques seen in the wild.
This Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.
If behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:
- newapp.freshasianews[.]comIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:
source | version: 1