<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Inetcache - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/inetcache/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 01 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/inetcache/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Execution from INetCache Folder</title><link>https://feed.craftedsignal.io/briefs/2024-05-inetcache-execution/</link><pubDate>Wed, 01 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-inetcache-execution/</guid><description>The rule detects suspicious execution of processes from the INetCache folder, often indicative of malicious payloads delivered via WININET, potentially signaling initial access or command and control activity.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk of malicious actors leveraging the INetCache folder for executing malware. The INetCache folder, used for storing temporary internet files, can be exploited to deliver and execute malicious payloads via WININET. This technique is used by attackers to disguise malware as legitimate files cached during browsing, making it difficult for users to identify malicious activity. This rule focuses on detecting suspicious processes initiated from this cache, especially when launched by common file explorers, which often signifies initial access or command and control activities. A recent Trend Micro report has associated this technique with the Water Hydra threat actor who have been observed exploiting this vector (CVE-2024-21412).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User browses a compromised website or opens a malicious document containing a link.</li>
<li>The website or document triggers the download of a malicious executable to the INetCache folder.</li>
<li>The user inadvertently clicks on the downloaded file within the INetCache folder, often disguised as a legitimate file.</li>
<li>Alternatively, a parent process like <code>explorer.exe</code>, <code>winrar.exe</code>, <code>7zFM.exe</code>, or <code>Bandizip.exe</code> is used to execute the malicious file from the INetCache folder.</li>
<li>The malicious executable runs, establishing a connection to a command and control (C2) server.</li>
<li>The C2 server sends commands to the compromised host, allowing the attacker to perform actions such as data exfiltration, lateral movement, or deploying additional malware.</li>
<li>The attacker uses the compromised system to gain further access to the internal network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to initial access and potential command and control over the compromised system. This can result in data theft, deployment of ransomware, or further propagation within the network. Given the wide use of WININET and web browsing, many Windows systems are potentially vulnerable. The Trend Micro report (CVE-2024-21412) indicates this technique is being actively used in targeted attacks, highlighting the immediate need for detection and prevention measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Suspicious Execution from INetCache Folder</code> to detect processes executing from the INetCache directory.</li>
<li>Enable Sysmon process creation logging to capture the necessary process execution events for the Sigma rule.</li>
<li>Implement enhanced monitoring for the INetCache directory and related processes as described in the rule's documentation.</li>
<li>Investigate and patch CVE-2024-21412 to prevent the Water Hydra campaign.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>initial-access</category><category>command-and-control</category><category>execution</category><category>inetcache</category><category>windows</category></item></channel></rss>