PlugX DLL Search Order Hijacking Using Avast wsc_proxy (RedCanary Threat Detection Report)

Detects possible DLL search order hijacking using the Avast antivirus wsc_proxy application: the rule alerts when wsc_proxy.exe is launched from anywhere other than a Program Files path. This technique is associated with PlugX. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: PlugX DLL Search Order Hijacking Using Avast wsc_proxy (RedCanary Threat Detection Report)
id: c518ac74-2e2b-4197-84d7-ea5118c557eb
status: experimental
description: |
    Detects possible DLL Search Order hijacking using Avast antivirus wsc_proxy application.
    This technique is associated with PlugX. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/raspberry-robin/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0013
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wsc_proxy.exe'
    filter:
        Image|contains: '\program files\'
    condition: selection and not filter
falsepositives:
    - Could be the result of an administrator installing the application in a custom path
level: low
```
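To see what the rule's selection, filter and condition actually do, here is an added example (not code from Red Canary or the Sigma project) that applies the same string logic, with Sigma's default case-insensitive matching, to a handful of constructed process_creation events. The paths and the event layout are assumptions for illustration only.

```python
# Added example (not Red Canary's or Sigma's code): evaluates this rule's
# detection logic over constructed process_creation events.
from typing import Iterable, List

# Constructed sample events; "Image" is the Sigma process_creation field name.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\AVAST Software\\Avast\\wsc_proxy.exe"},        # expected location, excluded by filter
    {"Image": "C:\\Program Files (x86)\\AVAST Software\\Avast\\wsc_proxy.exe"},  # constructed 32-bit style path
    {"Image": "C:\\Users\\Public\\Libraries\\wsc_proxy.exe"},                    # binary copied to a user-writable dir
    {"Image": "C:\\ProgramData\\update\\WSC_PROXY.EXE"},                         # same name, upper case
    {"Image": "C:\\Windows\\System32\\svchost.exe"},                             # unrelated process
]


def selection(event: dict) -> bool:
    """Image|endswith: '\\wsc_proxy.exe' (Sigma string modifiers are case-insensitive)."""
    return event.get("Image", "").lower().endswith("\\wsc_proxy.exe")


def filter_(event: dict) -> bool:
    """Image|contains: '\\program files\\'."""
    return "\\program files\\" in event.get("Image", "").lower()


def matches(event: dict) -> bool:
    """condition: selection and not filter."""
    return selection(event) and not filter_(event)


def run(events: Iterable[dict]) -> List[str]:
    """Return the Image value of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the filter string `\program files\` requires a backslash directly after "files", so the constructed `Program Files (x86)` path is not excluded and is reported; tune the filter if that directory is legitimate in your environment.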
