EvilNum APT Golden Chickens Deployment Via OCX Files

 1title: EvilNum APT Golden Chickens Deployment Via OCX Files
 2id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
 3status: test
 4description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
 5references:
 6    - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
 7    - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
 8author: Florian Roth (Nextron Systems)
 9date: 2020-07-10
10modified: 2023-03-09
11tags:
12    - attack.defense-evasion
13    - attack.t1218.011
14    - detection.emerging-threats
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        CommandLine|contains|all:
21            - 'regsvr32'
22            - '/s'
23            - '/i'
24            - '\AppData\Roaming\'
25            - '.ocx'
26    condition: selection
27falsepositives:
28    - Unknown
29level: critical

References

• More evil: A deep look at Evilnum and its toolset

  

  ESET research gives a detailed picture of the operations of Evilnum and its toolkit used in attacks against carefully chosen targets in the fintech sector.

  
  Read More

• Analysis c0f50b921260b070d3db1a372eb05d932e05a87ebc13b608c0ec46989f56f013.sct (MD5: 1E5BC1D8F6D2CD52E622DC1D60AE35A7) No threats detected - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

Related rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• APT29 2018 Phishing Campaign File Indicators
• Equation Group DLL_U Export Function Load
• Fireball Archer Install
• IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32