Cybersecurity

9 readers

39 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

founded 2 years ago

MODERATORS

[email protected]

Good day everyone! (ioc.exchange)

submitted 6 months ago by [email protected] to c/[email protected]

3 comments fedilink hide all child comments

Good day everyone!

Check Point Software researchers provide us a detailed report on a newly discovered malware the #StyxStealer! It is capable of "stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency" and contains defense evasion techniques. While the malware may be new, one technique that stood out isn't! The use of the Windows run registry key for persistence (Software\Microsoft\Windows\CurrentVersion\Run) is not.

This registry key is abused because of the function it carries with it: you can reference an executable or script or whatever you want in the registry details and it will execute once a user logs in. This removes the need for the adversary to have to social engineer or compromise a host over and over again.

Knowing that, enjoy the article and stay tuned for your Threat Hunting Tip of the Day!

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

top 3 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 6 months ago (1 children)

@[email protected] How do they gain admin access? Just hope for authorization from a user?

[–] [email protected] 1 points 6 months ago

@[email protected] Looking at the report, I have to make an assumption: Since the malware is able to monitor the clipboard, maybe the user copied and pasted some admin creds OR since it is able to extract passwords and information from browsers if the victim has privileged creds stored in extensions or their browser password manager they could get them from there.

[–] [email protected] 1 points 6 months ago

For your Threat Hunting Tip of the Day:

I have covered this one many times, but I will continue to beat this horse as long as it exists. Adversaries WILL abuse the Run Registry Key for persistence, old malware will and new malware will and even future malware will. Why? Because of the function: Execute on logon.

So, if you are hunting for this, first make sure you have visibility into that registry key, emulate the traffic if you need to. Then make sure your tools have the visibility, that means you can hunt for it. Then, you can take this Intel 471 Free Community Hunt Package and drop it in your tool to begin the hunt! Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

Cyborg Security #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting