3 Replies Latest reply: Oct 20, 2017 12:48 PM by scott_sec+

Plugin for n. Korean botnet

scott_sec+ Novice

Any news on a plugin to help us scan for IOCs of the DeltaCharlie / Hidden Cobra tools? These are part of the North Korean DDoS botnet infrastructure.

  • Re: Plugin for n. Korean botnet
    CodyDumont Master

    Our malware scanning template should be able to help you in this situation. Go into "New Scan" and create a new scan using the "Malware Scan" template. In this template you can configure a few locations to help detect if this threat is present on the systems being scanned, using the data found here: https://www.us-cert.gov/ncas/alerts/TA17-164A
    You can supply the YARA signatures under Settings -> Assessment -> Malware -> Yara Rules.

    You can provide the list of IPs in the IOC to the "Custom Netstat IP Threat List" under Settings -> Assessment -> Malware -> Hash and Whitelist Files -> Custom Netstat IP Threat List.
    Then start the scan. We are aware of the hashes provided for this sample, and our malicious process detection plugin will identify and report if the infection is found. The YARA rules will detect if there are indicators with a different potential hash, and the custom netstat IP list will detect if any of your systems are connected to the IPs listed as the IOC.

    • Re: Plugin for n. Korean botnet
      hoggendoss Novice

      Just happened across this thread, but is the "Custom Netstat IP Threat List" a newer option? I don't seem to have that available, but I'm a few revisions behind on SC.

      • Re: Plugin for n. Korean botnet
        scott_sec+ Novice

        Hello Andy,

        We are actually using Nessus Pro 6.11.1 (#101) LINUX

        And after I read through my post I see I could have been clearer.  Here are the steps...

        New Scan, Malware Scan, Assessment, and under "Hash and Whitelist Files" you will see "Custom Netstat IP Threat List" ("List of IP addresses and descriptions of IPs that you want to detect.")


        Sorry but I hope that helps,

        Scott
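
As an added example (not Nessus code and not from anyone in this thread), here is what the "Custom Netstat IP Threat List" check described above amounts to: cross-referencing a host's numeric netstat output against an "IP, description" list. The addresses are constructed documentation-range placeholders, not the TA17-164A indicators, and the CIDR support goes slightly beyond the plain IP list the thread describes.

```python
import ipaddress
import re

# Constructed threat list in the "IP, description" shape the thread describes.
# Documentation-range placeholders only; the real IOCs come from the US-CERT alert.
THREAT_LIST = """
# ip_or_cidr, description
203.0.113.10, placeholder DeltaCharlie C2 (constructed)
198.51.100.0/24, placeholder botnet range (constructed)
"""

# Constructed `netstat -ant` output from a Linux host (one line per socket).
NETSTAT_OUTPUT = """
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:49812          203.0.113.10:8080       ESTABLISHED
tcp        0      0 10.0.0.5:49813          198.51.100.77:443       ESTABLISHED
tcp        0      0 10.0.0.5:49814          192.0.2.44:443          ESTABLISHED
"""

ADDR_PORT = re.compile(r"^(\S+):(\d+|\*)$")

def parse_threat_list(text):
    """Return [(network, description)]; single IPs become /32 networks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, desc = line.partition(",")
        entries.append((ipaddress.ip_network(addr.strip(), strict=False), desc.strip()))
    return entries

def remote_endpoints(netstat_text):
    """Yield (remote_ip, port, state) for every TCP socket that has a remote peer."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        m = ADDR_PORT.match(fields[4])
        if not m or m.group(2) == "*":   # LISTEN sockets have no peer yet
            continue
        yield ipaddress.ip_address(m.group(1)), int(m.group(2)), fields[5]

def find_ioc_connections(netstat_text, threat_text):
    """Cross-reference live connections against the threat list, as the scan does."""
    threats = parse_threat_list(threat_text)
    return [(str(ip), port, state, desc)
            for ip, port, state in remote_endpoints(netstat_text)
            for net, desc in threats if ip in net]
```

Each hit carries the description from the list, which is the field the scan report shows next to the offending connection.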