CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum

 1title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
 2id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
 3status: test
 4description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
 5references:
 6    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 7    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 8author: Sittikorn S
 9date: 2021/07/16
10modified: 2022/10/09
11tags:
12    - attack.credential_access
13    - attack.t1566
14    - attack.t1203
15    - cve.2021.33771
16    - cve.2021.31979
17    - detection.emerging_threats
18    # - threat_group.Sourgum
19logsource:
20    product: windows
21    category: file_event
22detection:
23    selection:
24        TargetFilename|contains:
25            - 'C:\Windows\system32\physmem.sys'
26            - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
27            - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
28            - 'C:\Windows\system32\ime\SHARED\imecpmeid.dll'
29            - 'C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat'
30            - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat'
31            - 'C:\Windows\system32\config\config\startwus.dat'
32            - 'C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini'
33            - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
34            - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
35    condition: selection
36falsepositives:
37    - Unlikely
38level: critical

References

• https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

  
  Read More

• Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus - The Citizen Lab

  

  Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.

  
  Read More

Related rules

• CVE-2021-31979 CVE-2021-33771 Exploits
• CVE-2021-26858 Exchange Exploitation
• GALLIUM Artefacts - Builtin
• GALLIUM IOCs
• Audit CVE Event