1 Reply. Latest reply: Aug 24, 2017 10:13 AM by CodyDumont

Plugin for n. Korean botnet

scott_sec+ Novice

Any news on a plugin to help us scan for IOCs of the DeltaCharlie / Hidden Cobra tools? These are part of the North Korean DDoS botnet infrastructure.

  • Re: Plugin for n. Korean botnet
    CodyDumont Master

    Our malware scanning template should be able to help you in this situation. Go into "New Scan" and create a new scan using the "Malware Scan" template. In this template you can configure a few locations to help detect if this threat is present on the systems being scanned, using the data found here: https://www.us-cert.gov/ncas/alerts/TA17-164A


    You can supply the YARA signatures under Settings -> Assessment -> Malware -> Yara Rules.

    You can provide the list of IPs in the IOC to the "Custom Netstat IP Threat List" under Settings -> Assessment -> Malware -> Hash and Whitelist Files -> Custom Netstat IP Threat List.


    Then start the scan. We are aware of the hashes provided for this sample, and our malicious process detection plugin will identify and report if the infection is found. The YARA rules will detect if there are indicators with a different potential hash, and the custom netstat IP list will detect if any of your systems are connected to the IPs listed as the IOC.
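The reply above relies on three IOC types: known hashes, YARA rules, and a list of IPs matched against each host's active connections. The following added example (my own code, not Tenable's and not part of this thread) shows the third check in miniature: it normalises an IOC IP list as it might be pasted from an advisory (deduplicating entries, accepting CIDR ranges, rejecting malformed tokens), renders it one entry per line, and then matches a netstat-style connection table against it. The IOC addresses and the netstat output are constructed from RFC 5737 documentation ranges, not the real TA17-164A indicators, and the one-entry-per-line output format is an assumption rather than the documented format of the "Custom Netstat IP Threat List" file.

```python
"""
Added example (not Tenable's code, not from the forum thread): normalise an
IOC IP list into a one-entry-per-line threat list and match netstat-style
connection output against it. All addresses below are constructed
(RFC 5737 documentation ranges), not the advisory's indicators.
"""
import ipaddress
import re

# Constructed IOC text as it might be copied from an advisory: mixed
# separators, a duplicate, a CIDR range, and one malformed entry.
RAW_IOC_TEXT = """
198.51.100.23, 198.51.100.23
203.0.113.0/28
192.0.2.77
not-an-ip
"""

# Constructed `netstat -an` style output (Windows layout, Foreign Address column).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49712         198.51.100.23:443      ESTABLISHED
  TCP    10.0.0.5:49713         203.0.113.9:8080       ESTABLISHED
  TCP    10.0.0.5:49714         93.184.216.34:443      ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    10.0.0.5:5353          *:*
"""


def parse_ioc_list(text):
    """Return (networks, rejected): deduplicated valid hosts/CIDRs, plus tokens that failed validation."""
    networks, rejected, seen = [], [], set()
    for token in re.split(r"[\s,;]+", text.strip()):
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)  # a bare host becomes a /32 (or /128)
        except ValueError:
            rejected.append(token)
            continue
        if net not in seen:
            seen.add(net)
            networks.append(net)
    return networks, rejected


def write_threat_list(networks):
    """Render one entry per line.
    ASSUMPTION: the scanner's threat-list file accepts one address or CIDR per
    line; confirm the real format in the product documentation before use."""
    return "\n".join(str(n) for n in networks) + "\n"


NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)


def foreign_addresses(netstat_text):
    """Yield (proto, foreign_ip, state) for each connection line that has a concrete foreign IP."""
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, _local, foreign, state = m.groups()
        host, _, _port = foreign.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # strip IPv6 brackets
        except ValueError:
            continue  # '*', hostnames, or empty host
        if ip.is_unspecified:
            continue  # 0.0.0.0 / :: listeners are not peers
        yield proto.upper(), ip, state or ""


def match_connections(netstat_text, networks):
    """Return every connection whose foreign IP falls inside an IOC network."""
    hits = []
    for proto, ip, state in foreign_addresses(netstat_text):
        for net in networks:
            if ip in net:
                hits.append({"proto": proto, "ip": str(ip), "state": state, "ioc": str(net)})
                break
    return hits


if __name__ == "__main__":
    nets, bad = parse_ioc_list(RAW_IOC_TEXT)
    print("rejected IOC entries:", bad)
    print(write_threat_list(nets), end="")
    for hit in match_connections(SAMPLE_NETSTAT, nets):
        print(f"MATCH {hit['proto']} {hit['ip']} ({hit['state']}) <- IOC {hit['ioc']}")
```

Running it reports the two connections to IOC space (one exact host, one inside the /28) and ignores the listener and the unrelated peer; the malformed token is surfaced rather than silently dropped, which is the behaviour you want when an advisory's list is pasted by hand.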