FlowCloud Registry Markers

Mar 26, 2024 · attack.persistence attack.t1112 ·

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Sigma rule (View on GitHub)

 1title: FlowCloud Registry Markers
 2id: 5118765f-6657-4ddb-a487-d7bd673abbf1
 3status: test
 4description: |
 5    Detects FlowCloud malware registry markers from threat group TA410.
 6    The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.    
 7references:
 8    - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
 9author: NVISO
10date: 2020/06/09
11modified: 2024/03/20
12tags:
13    - attack.persistence
14    - attack.t1112
15logsource:
16    product: windows
17    category: registry_event
18detection:
19    selection:
20        TargetObject|contains:
21            - '\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
22            - '\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
23            - '\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
24            - '\SYSTEM\Setup\PrintResponsor\'
25    condition: selection
26falsepositives:
27    - Unlikely
28level: critical

References

TA410: Malware Attacks Against U.S. Utilities Sector | Proofpoint US

Proofpoint found malware campaigns sent to US utility providers by threat actor group TA410. Learn about their delivery, techniques, and more.

Read More

FlowCloud Registry Markers

Sigma rule (View on GitHub)

References

TA410: Malware Attacks Against U.S. Utilities Sector | Proofpoint US

Related rules