Network Connection Initiated To Mega.nz
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Sigma rule (View on GitHub)
1title: Network Connection Initiated To Mega.nz
2id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
3status: test
4description: |
5 Detects a network connection initiated by a binary to "api.mega.co.nz".
6 Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
7references:
8 - https://megatools.megous.com/
9 - https://www.mandiant.com/resources/russian-targeting-gov-business
10author: Florian Roth (Nextron Systems)
11date: 2021/12/06
12modified: 2024/02/01
13tags:
14 - attack.exfiltration
15 - attack.t1567.001
16logsource:
17 category: network_connection
18 product: windows
19detection:
20 selection:
21 Initiated: 'true'
22 DestinationHostname|endswith:
23 - 'mega.co.nz'
24 - 'mega.nz'
25 condition: selection
26falsepositives:
27 - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
28level: medium
References
-
Megatools - command line client for Mega.nz Megatools is a collection of programs for accessing Mega.nz service from a command line of your desktop or server. Megatools allow you to copy individual...
Read More -
Note: Mandiant have removed anonymized addresses from this list, the remaining addresses are from legitimate hosting providers. Note: Mandiant believes the actor hosted a malicious payload on the f...
Read More
Related rules
- Network Connection Initiated To DevTunnels Domain
- Process Initiated Network Connection To Ngrok Domain
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Communication To Ngrok Tunneling Service Initiated
- Active Directory Structure Export Via Ldifde.EXE