
FatalRAT Attack Campaign: Targeting Organizations and Individuals in the APAC Region
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1566.002: Phishing: Spearphishing Link

Detects:
- Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[125][126] URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.[2] Detonation chambers can be used to detect these links and either automatically visit the sites to determine whether they are potentially malicious, or wait and capture the content if a user visits the link. Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs. Latin versions of trusted sites).
- Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs. Latin versions of trusted sites).
- Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
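The homograph and punycode checks described above, as an added example that is not part of the campaign page or of any vendor product. It decodes `xn--` hostnames, flags labels that mix Latin and Cyrillic letters, and compares a confusable-folded "skeleton" of the host against a trusted-host allowlist. The allowlist (`TRUSTED_HOSTS`) and the confusable table are constructed for the demonstration; a production check would use the full Unicode confusables data and an organisation-specific allowlist.

```python
"""Added example: URL inspection for IDN/homograph lookalikes of trusted hosts."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the organisation trusts (assumption).
TRUSTED_HOSTS = {"example.com", "login.example.com"}

# Constructed subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def script_of(ch):
    """Coarse script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def decode_host(host):
    """Turn an ASCII punycode host (xn--...) into its Unicode form.
    Hosts that are not pure ASCII (or not valid punycode) are returned unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def analyze_url(url):
    """Return the decoded hostname and a list of homograph findings (empty if clean)."""
    host = (urlsplit(url).hostname or "").lower()
    uhost = decode_host(host)
    findings = []
    if uhost != host:
        findings.append("punycode host")
    # A single label mixing Latin with Cyrillic or Greek letters is the classic
    # homograph pattern; legitimate IDNs normally stay within one script.
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed-script label '{label}'")
    # Fold confusables to their Latin lookalikes and compare against the allowlist.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in uhost)
    if skeleton in TRUSTED_HOSTS and uhost not in TRUSTED_HOSTS:
        findings.append(f"lookalike of trusted host {skeleton}")
    return {"host": uhost, "findings": findings}


if __name__ == "__main__":
    # Constructed lookalike: Cyrillic "е" (U+0435) in place of Latin "e".
    lookalike = "https://" + "\u0435xample.com".encode("idna").decode("ascii") + "/login"
    print(analyze_url(lookalike))
    print(analyze_url("https://login.example.com/"))
```

Run the check over every URL extracted from a message body (after expanding shortened links) and treat any non-empty `findings` list as a reason to quarantine or flag the message for review.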
T1027.002: Software Packing

Detects:
- Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
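A minimal file-scanning check for packing artifacts, added here as an example and not taken from the campaign page or from any scanner. It walks the section table of a PE file with a small hand-written parser (no `pefile` dependency), reports section names that belong to well-known packers, and reports sections whose byte entropy is near the maximum, which is what compressed or encrypted code looks like. The sample executables are assembled in memory by `build_sample_pe` and are not runnable programs; the packer section-name list and the 7.0 entropy threshold are assumptions a scanner would tune.

```python
"""Added example: packer indicators from PE section names and section entropy."""
import math
import struct
from collections import Counter

# Constructed list of section names used by common packers (assumption).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                         ".themida", ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty or constant data, 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Yield (name, raw_bytes) for each section of a PE image (minimal parser)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    nsect = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows optional header
    for i in range(nsect):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def packing_indicators(blob, entropy_threshold=7.0, min_size=256):
    """Return human-readable packing indicators; an empty list means none found."""
    findings = []
    for name, data in pe_sections(blob):
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"{name}: known packer section name")
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= entropy_threshold:
            findings.append(f"{name}: high entropy {ent:.2f}")
    return findings


def build_sample_pe(sections):
    """Constructed test data: assemble a minimal, non-runnable PE from (name, bytes) pairs."""
    e_lfanew = 0x40
    n = len(sections)
    headers_len = e_lfanew + 4 + 20 + 40 * n    # no optional header in this toy image
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", headers_len
    for name, data in sections:
        table += (name.encode("ascii").ljust(8, b"\0")
                  + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
                  + b"\0" * 16)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    packed = build_sample_pe([("UPX0", b"\0" * 512), ("UPX1", bytes(range(256)) * 4)])
    print(packing_indicators(packed))
    print(packing_indicators(build_sample_pe([(".text", b"\x90" * 600)])))
```

As the page notes, a hit here is a triage signal rather than a verdict: installers and DRM-protected software trip the same indicators, so pair the result with signer reputation and behavioural telemetry before acting on it.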
T1497.001: System Checks

Detects:
- Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and the monitoring required.
- Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and the monitoring required.
- Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and the monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
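The last point above, a burst of system-information commands from one parent within a short window, is easy to turn into a detection. The following is an added example, not code from the campaign page: it parses constructed process-creation log lines, matches command lines against a small list of virtualization/sandbox discovery patterns, and alerts on any parent process that spawns three or more distinct kinds of such commands inside a 60-second window. The log line format, the pattern list, the window and the threshold are all assumptions to be adapted to the real EDR or Sysmon schema.

```python
"""Added example: detect bursts of VM/sandbox discovery commands per parent process."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed patterns for commands commonly used to fingerprint virtual machines.
VM_CHECK_PATTERNS = [
    re.compile(r"\bsysteminfo\b", re.I),
    re.compile(r"\bwmic\b.*\b(computersystem|bios|diskdrive|baseboard)\b", re.I),
    re.compile(r"\btasklist\b", re.I),
    re.compile(r"\breg(\.exe)?\s+query\b.*\b(vbox|vmware|virtual|hyperv)", re.I),
    re.compile(r"\bsc(\.exe)?\s+query\b.*\b(vmtools|vboxservice|vmhgfs)", re.I),
    re.compile(r"\bGet-WmiObject\b.*Win32_ComputerSystem", re.I),
]

# Constructed process-creation log format: "<ts> pid=<n> ppid=<n> cmdline="<cmd>""
LINE_RE = re.compile(r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmdline="(?P<cmd>.*)"$')

SAMPLE_LOG = [  # constructed sample data
    '2024-05-01T10:00:01Z pid=1201 ppid=1000 cmdline="systeminfo"',
    '2024-05-01T10:00:05Z pid=1202 ppid=1000 cmdline="wmic computersystem get model,manufacturer"',
    r'2024-05-01T10:00:09Z pid=1203 ppid=1000 cmdline="reg query HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"',
    '2024-05-01T10:00:12Z pid=1204 ppid=1000 cmdline="tasklist /v"',
    '2024-05-01T10:01:00Z pid=2201 ppid=2000 cmdline="tasklist"',
    '2024-05-01T10:00:30Z pid=3201 ppid=3000 cmdline="systeminfo"',
    '2024-05-01T10:30:00Z pid=3202 ppid=3000 cmdline="wmic bios get serialnumber"',
    '2024-05-01T10:30:10Z pid=3203 ppid=3000 cmdline="tasklist"',
]


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "pid": int(m["pid"]), "ppid": int(m["ppid"]), "cmd": m["cmd"]}


def matched_patterns(cmd):
    """Indices of the discovery patterns that a command line matches."""
    return {i for i, p in enumerate(VM_CHECK_PATTERNS) if p.search(cmd)}


def detect_discovery_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Return {ppid: (window_start, distinct_pattern_count)} for every parent that
    spawned >= min_distinct distinct discovery command kinds within `window`."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pats = matched_patterns(ev["cmd"])
        if pats:
            by_parent[ev["ppid"]].append((ev["ts"], pats))
    alerts = {}
    for ppid, events in by_parent.items():
        events.sort(key=lambda e: e[0])
        # Slide a window over the parent's discovery events, counting distinct kinds.
        for i, (t0, _) in enumerate(events):
            seen = set()
            for t, pats in events[i:]:
                if t - t0 > window:
                    break
                seen |= pats
            if len(seen) >= min_distinct:
                alerts[ppid] = (t0, len(seen))
                break
    return alerts


if __name__ == "__main__":
    for ppid, (start, count) in detect_discovery_bursts(SAMPLE_LOG).items():
        print(f"ppid {ppid}: {count} distinct discovery commands starting {start.isoformat()}")
```

Counting distinct command kinds rather than raw command count keeps an administrator running `tasklist` ten times from alerting, while a single parent chaining `systeminfo`, WMI hardware queries and VirtualBox registry lookups within seconds does.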
T1569: System Services

Detects:
- Monitor command-line invocations for tools capable of creating or modifying system services (e.g., systemctl on Linux, sc.exe on Windows, launchctl on macOS). Analytic 1 - Unusual service modification tools: `sourcetype=command_logs | search command IN ("systemctl", "sc", "launchctl")`
- Track changes to critical service-related files (e.g., /etc/systemd/system/, /etc/init.d/, and service binaries on Linux; `C:\Windows\System32\services.exe` on Windows; or `/Library/LaunchDaemons` on macOS). Analytic 1 - Unusual file modifications related to system services: `sourcetype=file_monitor | search file_path IN ("/etc/systemd/system/", "/etc/init.d/", "/Library/LaunchDaemons/*", "C:\Windows\System32\services.exe")`
- Monitor newly executed processes that may abuse system services or daemons to execute commands or programs. Analytic 1 - New processes abusing system services: `sourcetype=process_logs | search process IN ("services.exe", "systemd", "launchd")`
- Track the creation of new services, which could indicate adversarial activity aimed at persistence or execution. Analytic 1 - Monitors service creation and modification activities: `sourcetype=service_logs | search service_action="create" OR service_action="modify" | where user NOT IN ("known_admins") AND service_name NOT IN ("known_services")`
- Monitor for changes made to Windows registry keys and/or values that may abuse system services or daemons to execute commands or programs. Analytic 1 - Malicious service modification: `sourcetype=Sysmon EventCode=12 | search registry_path="HKLM\SYSTEM\CurrentControlSet\Services\*" | where registry_action="modified" AND user NOT IN ("known_admins")`
T1056: Input Capture

Detects:
- Monitor for unusual kernel driver installation activity. Analytic 1 - Unexpected kernel driver installations: `index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")`
- Monitor for changes made to files for unexpected modifications to access permissions and attributes. Analytic 1 - Unexpected file modifications: `index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")`
- Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.[9]
- Monitor for newly executed processes conducting malicious activity.
- Verify the integrity of live processes by comparing code in memory to that of the corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.
- Monitor for changes made to Windows registry keys or values for unexpected modifications.
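The Splunk-style analytics quoted in the T1569 and T1056 sections above, re-implemented in plain Python over constructed Windows event records so the allowlist and matching logic can be read and unit-tested. This is an added example, not code from the campaign page or from Splunk: the event dictionaries mimic Sysmon registry events (EventCode 12/13, `TargetObject`, `User`), System event 7045 (`Service_Name`, `Service_File_Name`, `Service_Type`) and Security event 4663 (`Object_Type`, `Access_Mask`), and the `KNOWN_ADMINS`/`KNOWN_SERVICES` allowlists stand in for the `known_admins`/`known_services` lookups the analytics reference.

```python
"""Added example: service-persistence and input-capture analytics over event records."""
import re

# Constructed allowlists standing in for the page's known_admins / known_services lookups.
KNOWN_ADMINS = {"CORP\\svc-deploy", "CORP\\itadmin"}
KNOWN_SERVICES = {"Spooler", "wuauserv", "EventLog"}
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
# Driver-name regex taken from the T1056 analytic on the page.
DRIVER_NAME_RE = re.compile(r"(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")
# Access masks from the 4663 analytic on the page (write data, append, write EA, write attrs, write DAC).
SUSPICIOUS_MASKS = {int(m, 16) for m in ("0x2", "0x4", "0x20", "0x80", "0x100")}

SAMPLE_EVENTS = [  # constructed sample data shaped like Sysmon / Windows event logs
    {"EventCode": 13, "User": "CORP\\itadmin", "TargetObject": SERVICES_KEY + "Spooler\\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventCode": 13, "User": "CORP\\jdoe", "TargetObject": SERVICES_KEY + "WinUpdSvc\\ImagePath",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe"},
    {"EventCode": 7045, "User": "CORP\\jdoe", "Service_Name": "WinUpdSvc",
     "Service_File_Name": "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe", "Service_Type": "user mode service"},
    {"EventCode": 7045, "User": "CORP\\svc-deploy", "Service_Name": "Spooler",
     "Service_File_Name": "C:\\Windows\\System32\\spoolsv.exe", "Service_Type": "user mode service"},
    {"EventCode": 7045, "User": "SYSTEM", "Service_Name": "kbdmonitor",
     "Service_File_Name": "\\??\\C:\\Windows\\Temp\\kbdmon.sys", "Service_Type": "kernel mode driver"},
    {"EventCode": 4663, "User": "CORP\\jdoe", "Object_Type": "File",
     "Object_Name": "C:\\Windows\\System32\\drivers\\etc\\hosts", "Access_Mask": "0x2"},
    {"EventCode": 4663, "User": "CORP\\jdoe", "Object_Type": "File",
     "Object_Name": "C:\\Users\\jdoe\\notes.txt", "Access_Mask": "0x1"},
]


def service_registry_changes(events, known_admins=KNOWN_ADMINS):
    """T1569: Sysmon registry events under the Services key by non-allowlisted users."""
    return [e for e in events
            if e.get("EventCode") in (12, 13)
            and e.get("TargetObject", "").upper().startswith(SERVICES_KEY.upper())
            and e.get("User") not in known_admins]


def unexpected_service_installs(events, known_admins=KNOWN_ADMINS, known_services=KNOWN_SERVICES):
    """T1569: service installations (7045) outside the known-admin and known-service lists."""
    return [e for e in events
            if e.get("EventCode") == 7045
            and e.get("User") not in known_admins
            and e.get("Service_Name") not in known_services]


def suspicious_driver_installs(events):
    """T1056: kernel-mode driver installs whose service name matches the keylogger regex."""
    return [e for e in events
            if e.get("EventCode") == 7045
            and e.get("Service_Type", "").lower() == "kernel mode driver"
            and DRIVER_NAME_RE.search(e.get("Service_Name", ""))]


def file_access_changes(events, masks=SUSPICIOUS_MASKS):
    """T1056: 4663 file-object accesses carrying one of the write-type access masks."""
    hits = []
    for e in events:
        if e.get("EventCode") != 4663 or e.get("Object_Type") != "File":
            continue
        try:
            mask = int(e.get("Access_Mask", "0"), 16)
        except ValueError:
            continue
        if mask in masks:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for name, fn in [("service registry changes", service_registry_changes),
                     ("unexpected service installs", unexpected_service_installs),
                     ("suspicious driver installs", suspicious_driver_installs),
                     ("file access changes", file_access_changes)]:
        print(name, "->", len(fn(SAMPLE_EVENTS)), "hit(s)")
```

The allowlist-based rules are only as good as the lists behind them: an unmaintained `known_admins` lookup either floods the queue with deployment-tool noise or, if it is too broad, silences exactly the service installs under a non-standard account that the page's analytic is meant to surface.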
T1119: Automated Collection

Detects:
- Monitor executed commands and arguments for actions that could be taken to collect internal data.
- Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) being viewed for collecting internal data.
- Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
- Monitor Azure AD (Entra ID) sign-in logs for suspicious applications authenticating to the Graph API or other sensitive resources using user agents attributed to scripting interpreters such as Python or PowerShell. Analytic 1 - Suspicious applications, unusual user agents (e.g., Python, PowerShell), anomalous IP addresses, and unmanaged devices: `index="azure_ad_signin_logs" Operation="UserLogin" | search UserAgent="python" OR UserAgent="PowerShell" | stats count by ClientIP, UserId, DeviceProperties | where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"`
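The sign-in analytic above, written out in Python as an added example (not code from the campaign page or from Microsoft): it walks constructed sign-in records, keeps those whose user agent identifies a scripting interpreter and whose target is a sensitive resource, drops the ones that come from a known egress address on a managed device, and counts the remainder per user and source IP, which is the `stats count by ClientIP, UserId` step of the page's query. The record field names (`userAgent`, `clientIp`, `resource`, `isManaged`) and the `EXPECTED_IPS` set are assumptions to map onto the real Entra ID sign-in schema.

```python
"""Added example: scripting-interpreter sign-ins to sensitive resources from unexpected sources."""
import re
from collections import Counter

# User-agent substrings from the page's analytic (Python, PowerShell).
SCRIPT_UA_RE = re.compile(r"python|powershell", re.I)
# Constructed: the organisation's known egress address and the resources that matter.
EXPECTED_IPS = {"203.0.113.10"}
SENSITIVE_RESOURCES = {"Microsoft Graph", "Windows Azure Active Directory"}

SAMPLE_SIGNINS = [  # constructed sample data
    {"userId": "alice@example.com", "clientIp": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "resource": "Microsoft Graph", "isManaged": True},
    {"userId": "bob@example.com", "clientIp": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "resource": "Microsoft Graph", "isManaged": False},
    {"userId": "bob@example.com", "clientIp": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "resource": "Microsoft Graph", "isManaged": False},
    {"userId": "carol@example.com", "clientIp": "203.0.113.10", "userAgent": "PowerShell/7.4",
     "resource": "Microsoft Graph", "isManaged": True},
    {"userId": "dave@example.com", "clientIp": "198.51.100.9", "userAgent": "python-requests/2.31.0",
     "resource": "SharePoint Online", "isManaged": True},
]


def is_scripted_client(record):
    """True when the user agent looks like a scripting interpreter rather than a browser."""
    return bool(SCRIPT_UA_RE.search(record.get("userAgent", "")))


def scripted_signins(records, expected_ips=EXPECTED_IPS, resources=SENSITIVE_RESOURCES):
    """Return {(userId, clientIp): count} for scripted sign-ins to a sensitive resource
    that did not come from an expected IP on a managed device."""
    hits = Counter()
    for r in records:
        if not is_scripted_client(r):
            continue
        if r.get("resource") not in resources:
            continue
        # Scripted access from the corporate egress on a managed device is the
        # automation baseline; anything else is worth a look.
        if r.get("clientIp") in expected_ips and r.get("isManaged"):
            continue
        hits[(r.get("userId"), r.get("clientIp"))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (user, ip), count in scripted_signins(SAMPLE_SIGNINS).items():
        print(f"{user} from {ip}: {count} scripted sign-in(s) to a sensitive resource")
```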
T1020: Automated Exfiltration

Detects:
- Monitor executed commands and arguments that may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
- Monitor for abnormal access to files (i.e. .pdf, .docx, .jpg, etc.), especially sensitive documents, through the use of automated processing after being gathered during Collection.
- Monitor for newly constructed network connections associated with processes performing collection activity, especially those involving abnormal/untrusted hosts.
- Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous outbound traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration.
- Monitor and analyze network flows associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpected hardware devices, or other uncommon data flows.
- Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
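An added example (not code from the campaign page) of the "uncommon data flows" checks the T1566.002 and T1020 sections both call for: a per-process baseline of destination ports is learned from constructed flow records, and new flows are flagged when the process has never used the network, when it talks to a port outside its baseline, or when the flow is upload-heavy (large outbound volume with little inbound), which is what automated exfiltration of collected documents looks like at the flow level. The flow record shape, the 10 MB outbound floor and the 10:1 ratio are assumptions to tune against real NetFlow or EDR connection telemetry.

```python
"""Added example: per-process network baseline and upload-heavy flow detection."""
from collections import defaultdict

# Constructed flows from a learning period (bytes in/out per connection).
BASELINE_FLOWS = [
    {"proc": "chrome.exe", "dst": "93.184.216.34", "dport": 443, "out": 20_000, "in": 400_000},
    {"proc": "outlook.exe", "dst": "40.97.0.1", "dport": 443, "out": 50_000, "in": 300_000},
    {"proc": "svchost.exe", "dst": "20.0.0.1", "dport": 443, "out": 5_000, "in": 90_000},
    {"proc": "svchost.exe", "dst": "20.0.0.2", "dport": 80, "out": 3_000, "in": 60_000},
]

# Constructed flows from the period under investigation.
NEW_FLOWS = [
    {"proc": "chrome.exe", "dst": "93.184.216.34", "dport": 443, "out": 25_000, "in": 500_000},
    {"proc": "winword.exe", "dst": "198.51.100.20", "dport": 443, "out": 30_000_000, "in": 4_000},
    {"proc": "svchost.exe", "dst": "198.51.100.21", "dport": 8080, "out": 900, "in": 1_200},
]


def build_baseline(flows):
    """Map each process name to the set of destination ports it used during learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["proc"]].add(f["dport"])
    return dict(baseline)


def anomalous_flows(flows, baseline, min_out=10_000_000, ratio=10):
    """Return [(proc, dst, [reasons])] for flows that deviate from the baseline."""
    alerts = []
    for f in flows:
        reasons = []
        if f["proc"] not in baseline:
            reasons.append("process has no network baseline")
        elif f["dport"] not in baseline[f["proc"]]:
            reasons.append(f"new destination port {f['dport']} for process")
        # Bulk upload with almost nothing coming back is the shape of exfiltration;
        # browsing and mail sync are download-heavy.
        if f["out"] >= min_out and f["out"] > ratio * max(f["in"], 1):
            reasons.append("upload-heavy flow")
        if reasons:
            alerts.append((f["proc"], f["dst"], reasons))
    return alerts


if __name__ == "__main__":
    for proc, dst, reasons in anomalous_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{proc} -> {dst}: {', '.join(reasons)}")
```

Correlating the `winword.exe` hit with the file-access and command-line telemetry the page lists (document reads in bulk shortly before the flow) is what turns a volume anomaly into an exfiltration finding.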
T1573.001: Encrypted Channel: Symmetric Cryptography

Detects:
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
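One concrete form of "traffic that does not follow the expected protocol standards" is a connection to TCP/443 whose first bytes are not a TLS ClientHello, the pattern left by a custom symmetric cipher layered directly over a socket. The check below is an added example and not code from the campaign page: it validates the TLS record header and the first handshake message of a captured payload and flags port-443 flows that fail. The sample ClientHello prefix and the non-TLS blob are constructed; the flow record shape is an assumption.

```python
"""Added example: flag port-443 flows whose first bytes are not a TLS ClientHello."""
import struct

# Constructed ClientHello prefix: record header (type 0x16, TLS 1.0 record version,
# length 44), handshake header (type 0x01, length 40), legacy_version 0x0303, random.
SAMPLE_CLIENT_HELLO = bytes.fromhex("1603010 02c 01000028 0303".replace(" ", "")) + bytes(range(32))
# Constructed non-TLS payload (what a custom-encrypted C2 blob on 443 might look like).
SAMPLE_OPAQUE = bytes.fromhex("9f3a77c1e24b08d6aa51")

SAMPLE_FLOWS = [  # constructed sample data
    {"src": "10.0.0.5", "dst": "198.51.100.30", "dport": 443, "first_bytes": SAMPLE_CLIENT_HELLO},
    {"src": "10.0.0.7", "dst": "198.51.100.31", "dport": 443, "first_bytes": SAMPLE_OPAQUE},
    {"src": "10.0.0.8", "dst": "198.51.100.32", "dport": 80, "first_bytes": b"GET / HTTP/1.1\r\n"},
]


def looks_like_tls_client_hello(payload):
    """Return (ok, reason) after checking the TLS record and handshake headers."""
    if len(payload) < 9:
        return False, "too short for a TLS handshake record"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16:
        return False, f"record type 0x{ctype:02x} is not handshake"
    if (major, minor) not in {(3, 1), (3, 2), (3, 3)}:
        return False, f"unexpected record version {major}.{minor}"
    if rec_len > 16384:
        return False, "record length exceeds the TLS maximum"
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != 0x01:
        return False, f"first handshake message type 0x{hs_type:02x} is not ClientHello"
    if hs_len != rec_len - 4:
        return False, "handshake length does not match record length"
    return True, "ClientHello"


def nonconforming_tls_flows(flows, tls_ports=(443,)):
    """Return [(src, dst, reason)] for flows on TLS ports that do not start with a ClientHello."""
    alerts = []
    for f in flows:
        if f["dport"] not in tls_ports:
            continue
        ok, reason = looks_like_tls_client_hello(f["first_bytes"])
        if not ok:
            alerts.append((f["src"], f["dst"], reason))
    return alerts


if __name__ == "__main__":
    for src, dst, reason in nonconforming_tls_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 is not TLS: {reason}")
```

Pair a hit with the process that owns the socket: a browser or mail client failing this check is almost always a capture problem, while an unsigned binary in a user-writable path doing so is the combination the page's guidance is aimed at.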