{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vip-keylogger/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","cryptography","malware","asyncrat","xworm","vip keylogger"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes the \u003ccode\u003eSystem.Security.Cryptography\u003c/code\u003e namespace to perform cryptographic operations.\u003c/li\u003e\n\u003cli\u003eThe script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).\u003c/li\u003e\n\u003cli\u003eThe decrypted payload is written to disk or loaded directly into memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware leverages the established persistence mechanism for long-term access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e to your SIEM to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e based on your environment\u0026rsquo;s specific needs and known-good PowerShell usage to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-cryptography/","summary":"The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.","title":"Suspicious PowerShell Script Using Cryptography Namespace","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-cryptography/"},{"_cs_actors":["Braodo Stealer"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["stealc-stealer","crypto-stealer","braodo-stealer","apt37","hellcat-ransomware","vip-keylogger","screen-capture","malware"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe Braodo stealer malware is known for capturing screenshots of a victim\u0026rsquo;s desktop as part of its data theft activities. This malware, often distributed through malicious campaigns, targets sensitive information by creating image files of the user\u0026rsquo;s active screen. These screenshots are typically saved in directories that are easily accessible and commonly used by malware, such as temporary folders. This technique allows attackers to gather credentials, financial information, or other confidential data displayed on the screen. The stealer has been observed in campaigns originating from Vietnam, targeting users in the United States with malware, fraud, and dropshipping schemes. Detecting and responding to these types of screen capture attempts is crucial for preventing sensitive data from being compromised and exfiltrated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user unknowingly downloads and executes a malicious file, potentially delivered through a phishing email or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe Braodo stealer malware is executed on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe malware begins capturing screenshots of the victim\u0026rsquo;s desktop using Windows APIs.\u003c/li\u003e\n\u003cli\u003eThe screenshots are saved as .png, .jpg, or .bmp files.\u003c/li\u003e\n\u003cli\u003eThe files are saved in the user\u0026rsquo;s TEMP directory (e.g., C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\).\u003c/li\u003e\n\u003cli\u003eThe malware may compress or encrypt the captured screenshots.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates the captured data to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information displayed on the victim\u0026rsquo;s screen, such as credentials or financial data, and uses it for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of sensitive information, including credentials, financial data, and personally identifiable information (PII). This can result in financial loss, identity theft, and reputational damage for the victim. The Braodo stealer has been observed targeting users in the United States, indicating a broad scope of potential victims. The malware\u0026rsquo;s ability to capture screenshots allows attackers to bypass multi-factor authentication and other security measures that rely on information displayed on the screen.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints (required for the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Screen Capture Files Created in TEMP Directory\u003c/code\u003e to identify potential screen capture activity in temporary directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes creating image files in the TEMP directory.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint security policies to prevent the execution of malware from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections from processes creating screen capture files (T1071).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-braodo-screen-capture/","summary":"This analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.","title":"Braodo Stealer Screen Capture in TEMP Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-braodo-screen-capture/"}],"language":"en","title":"CraftedSignal Threat Feed — Vip-Keylogger","version":"https://jsonfeed.org/version/1.1"}