Potential Ke3chang/TidePool Malware Activity

calendar Jun 20, 2023 · attack.g0004 attack.defense_evasion attack.t1562.001 detection.emerging_threats  ·
Share on: linkedin copy

Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020

Sigma rule (View on GitHub)

 1title: Potential Ke3chang/TidePool Malware Activity
 2id: 7b544661-69fc-419f-9a59-82ccc328f205
 3status: test
 4description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
 5references:
 6    - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
 7    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 8author: Markus Neis, Swisscom
 9date: 2020/06/18
10modified: 2023/03/10
11tags:
12    - attack.g0004
13    - attack.defense_evasion
14    - attack.t1562.001
15    - detection.emerging_threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
22        # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
23        # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
24        # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
25        # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
26        CommandLine|contains:
27            - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
28            - '-Property String -name Check_Associations -value'
29            - '-Property DWORD -name IEHarden -value 0 -Force'
30    condition: selection
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top