Tag Archives: carbonblack

Carbon Black query searching for malicious NPM library – coa & rc

Based on GitHub Advisory Database:
https://github.com/advisories/GHSA-g2q5-5433-rhrf – Embedded malware in rc
https://github.com/advisories/GHSA-73qr-pfmq-6rp8 – Embedded malware in coa

rc affected versions:
= 1.2.9
= 1.3.9
= 2.3.9

coa affected versions:
= 2.0.3
= 2.0.4
= 2.1.1
= 2.1.3
= 3.0.1
= 3.1.3

We can use the Carbon Black Investigate feature to check whether any of the malicious npm library versions have been installed in our environment. Here are the queries to do that:

Search for affected coa & rc library versions:

(filemod_name:\coa-2.0.3* OR filemod_name:\coa-2.0.4* OR filemod_name:\coa-2.1.1* OR filemod_name:\coa-2.1.3* OR filemod_name:\coa-3.0.1* OR filemod_name:\coa-3.1.3* OR filemod_name:\rc-1.2.9* OR filemod_name:\rc-1.3.9* OR filemod_name:\rc-2.3.9*)
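As an added example (not code from the original post), the following Python script rebuilds the same filemod_name query from the advisory version list and also flags those exact coa/rc versions inside an npm package-lock.json, so the EDR search can be cross-checked against what a repository actually pins. The lockfile content is constructed for the demo.

```python
# Added example (not from the original post): rebuild the post's Carbon Black
# filemod_name query from the advisory version list, and flag the same
# affected coa/rc versions inside an npm package-lock.json.
import json

# Affected versions taken from the two GitHub advisories cited in the post.
AFFECTED = {
    "rc": {"1.2.9", "1.3.9", "2.3.9"},
    "coa": {"2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.0.1", "3.1.3"},
}

def build_cb_query(affected=AFFECTED):
    """Return the filemod_name search string in the same shape as the post's query."""
    terms = [f"filemod_name:\\{pkg}-{ver}*"
             for pkg in ("coa", "rc") for ver in sorted(affected[pkg])]
    return "(" + " OR ".join(terms) + ")"

def find_affected(lockfile_text, affected=AFFECTED):
    """Return [(install_path, name, version)] for affected packages in a lockfile.
    lockfileVersion 2/3 keeps a "packages" map keyed by node_modules path (used
    alone, since v2 repeats the tree under "dependencies"); v1 has only the tree."""
    lock = json.loads(lockfile_text)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # Nested installs look like node_modules/a/node_modules/coa.
            name = path.rsplit("node_modules/", 1)[-1]
            if meta.get("version") in affected.get(name, ()):
                hits.append((path, name, meta["version"]))
        return hits

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in affected.get(name, ()):
                hits.append((path, name, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits

# Constructed sample lockfile (lockfileVersion 2) for the demo: one clean coa
# install, one affected rc, and one affected coa nested under another package.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 2, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/rc": {"version": "1.2.9"},
    "node_modules/coa": {"version": "2.0.2"},
    "node_modules/foo/node_modules/coa": {"version": "2.1.3"}}})
```

Run `find_affected(open("package-lock.json").read())` against a real lockfile to list affected installs; `build_cb_query()` returns the search string to paste into Carbon Black.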
Search for possible C2:

netconn_domain:pastorcryptograph[.]at

IOC:

• pastorcryptograph[.]at
• sdd.dll from coa - SHA256: f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
• sdd.dll from rc - SHA256: 26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf
• sdd.dll - SHA256: 687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65

References:
https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/
https://www.virustotal.com/gui/file/687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65/detection/
https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-062.pdf

Carbon Black query for Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

Carbon Black query that can be used to detect whether any MSHTML RCE exploitation has happened (it probably needs to be refined further):

((process_cmdline:control.exe AND ((process_cmdline:*.inf AND process_cmdline:AppData) OR (process_cmdline:*.cpl AND process_cmdline:../)) AND -process_cmdline:*\icedrive\*) OR ((hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (parent_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR parent_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (filemod_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR filemod_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52)))

Search whether any assets are making connections to the IOCs (known IOCs as of 9 Sept):

netconn_domain:joxinu.com OR netconn_domain:pawevi.com OR netconn_domain:macuwuf.com

References:

IOCs:

• hidusi.com
• dodefoh.com
• joxinu.com
• pawevi.com
• macuwuf.com
• 23.106.160.25
• 6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B – championship.inf
• 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 – A Letter before court 4.docx