CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum

 1title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
 2id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
 3status: test
 4description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
 5references:
 6    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 7    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 8author: Sittikorn S
 9date: 2021-07-16
10modified: 2022-10-09
11tags:
12    - attack.initial-access
13    - attack.execution
14    - attack.credential-access
15    - attack.t1566
16    - attack.t1203
17    - cve.2021-33771
18    - cve.2021-31979
19    - detection.emerging-threats
20    # - threat_group.Sourgum
21logsource:
22    product: windows
23    category: file_event
24detection:
25    selection:
26        TargetFilename|contains:
27            - 'C:\Windows\system32\physmem.sys'
28            - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
29            - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
30            - 'C:\Windows\system32\ime\SHARED\imecpmeid.dll'
31            - 'C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat'
32            - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat'
33            - 'C:\Windows\system32\config\config\startwus.dat'
34            - 'C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini'
35            - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
36            - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
37    condition: selection
38falsepositives:
39    - Unlikely
40level: critical

References

• https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

  
  Read More

• Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus

  

  Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.

  
  Read More

Related rules

• CVE-2021-31979 CVE-2021-33771 Exploits
• Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
• Download From Suspicious TLD - Blacklist
• Download From Suspicious TLD - Whitelist
• Droppers Exploiting CVE-2017-11882