Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
Sigma rule
title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
id: e99375eb-3ee0-407a-9f90-79569cc6a01c
status: experimental
description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
references:
    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
author: Arda Buyukkaya (EclecticIQ)
date: 2025-02-11
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1090
    - attack.t1573
    - attack.t1071.001
    - attack.t1059.001
    - attack.s0183
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\curl.exe'
    selection_socks:
        CommandLine|contains:
            - 'socks5h://'
            - 'socks5://'
            - 'socks4a://'
    selection_onion:
        CommandLine|contains: '.onion'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
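The following is an added example, not part of the rule or of the EclecticIQ research it cites: a small Python evaluator that applies the rule's three selections to constructed process_creation events, so the semantics of `endswith`, a list under `contains` (any value matches, i.e. OR), and `all of selection_*` (every selection must hold, i.e. AND) can be seen on real-looking records. The proxy address and the `.onion` host name in the sample events are placeholders, and the sample events themselves are constructed, not captured telemetry. Sigma string modifiers are case-insensitive by default, which the matcher reproduces by lower-casing both sides.

```python
"""Stand-alone evaluation of the Kalambur curl/SOCKS/.onion Sigma rule logic.

Added example (not the rule page's own code). The detection values are copied
from the rule above; everything else here is an assumption for illustration.
"""

from typing import Dict, List

# Detection values taken verbatim from the Sigma rule.
IMAGE_SUFFIX = "\\curl.exe"                          # Image|endswith
SOCKS_SCHEMES = ("socks5h://", "socks5://", "socks4a://")  # CommandLine|contains (OR)
ONION_MARKER = ".onion"                              # CommandLine|contains


def _norm(value: str) -> str:
    """Sigma string matching is case-insensitive by default; normalise to lower case."""
    return (value or "").lower()


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img: Image|endswith: '\\curl.exe'"""
    return _norm(event.get("Image", "")).endswith(IMAGE_SUFFIX)


def selection_socks(event: Dict[str, str]) -> bool:
    """selection_socks: CommandLine contains any one of the SOCKS URL schemes."""
    cmd = _norm(event.get("CommandLine", ""))
    return any(scheme in cmd for scheme in SOCKS_SCHEMES)


def selection_onion(event: Dict[str, str]) -> bool:
    """selection_onion: CommandLine|contains: '.onion'"""
    return ONION_MARKER in _norm(event.get("CommandLine", ""))


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> every selection must be true for the same event."""
    return selection_img(event) and selection_socks(event) and selection_onion(event)


# Constructed sample events (not real telemetry). 127.0.0.1:9050 / :1080 and the
# .onion host are placeholders chosen only to exercise the selections.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1: curl through a local SOCKS5h proxy to a .onion URL -> all three selections hold
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -x socks5h://127.0.0.1:9050 http://placeholderaddress.onion/"},
    # 2: same pattern with mixed case -> still matches, because Sigma matching is case-insensitive
    {"Image": r"C:\Tools\CURL.EXE",
     "CommandLine": r"CURL.EXE --proxy SOCKS5H://127.0.0.1:9050 http://placeholderaddress.ONION/"},
    # 3: SOCKS proxy but a clearnet URL -> selection_onion fails, no alert
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -x socks5://127.0.0.1:1080 https://example.com/"},
    # 4: .onion URL but no SOCKS scheme on the command line -> selection_socks fails, no alert
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe https://placeholderaddress.onion/"},
    # 5: both strings present but the image is not curl.exe -> selection_img fails, no alert
    {"Image": r"C:\Program Files\ExampleVendor\updater.exe",
     "CommandLine": r"updater.exe --proxy socks4a://127.0.0.1:9050 --url http://placeholderaddress.onion/"},
]


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the 1-based indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events, start=1) if matches_rule(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, start=1):
        verdict = "ALERT" if matches_rule(ev) else "no match"
        print(f"{i}: {verdict:8} {ev['CommandLine']}")
```

Running the block reports events 1 and 2 as alerts and 3, 4 and 5 as non-matches, which is the behaviour a backend such as Splunk or KQL should reproduce once the rule is converted: the three selections are ANDed, the scheme list is ORed, and letter case does not matter. Event 5 is the reason `selection_img` matters for the stated low false-positive rate; without it, any process whose command line merely mentions a SOCKS URL and an `.onion` host would fire.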
Related rules
- Ursnif Malware C2 URL Pattern
- Greenbug Espionage Group Indicators
- CVE-2022-24527 Microsoft Connected Cache LPE
- ChromeLoader Malware Execution
- OilRig APT Activity