National Cyber Warfare Foundation (NCWF) Forums


Threat Hunting IQY files with YARA


0 user ratings
2021-01-01 15:45:03
milo
Ransomware
The goal of threat hunting is to proactively identify potential threats that have evaded existing security measures. Over the past several months, the use of malicious Excel IQY files to deliver malware has fallen into this category and become a blind spot for many organizations and users. Threat actors, both cybercrime and APT, have launched phishing campaigns using this technique to evade common detection methodologies and have left computer network defenders wondering how to catch future occurrences of it. Although many of the notable phishing campaigns share similar indicators that one might hunt for, limiting yourself to these narrows your scope to a limited set of known threats, whereas hunting is about identifying otherwise unknown threats. In this post, we will review how to leverage YARA signatures in a multi-staged hunting approach to identify indicators of potentially malicious activity in these file types. We will cover the IQY file format in both its legitimate and malicious uses, identify common indicators of malicious activity seen in the wild, and show how we can broaden those indicators to increase the scope of our threat hunting.
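The multi-staged idea the post describes, as an added example (not code from the InQuest post): stage 1 matches on the structure of an IQY file, stage 2 scores broad traits of the embedded URL instead of campaign-specific indicators. It assumes the standard IQY layout (a "WEB" header line, a version line, then the URL Excel fetches) and uses constructed sample files.

```python
import re
from urllib.parse import urlparse

# Constructed sample IQY contents (not from the original post). An IQY is a
# short text file: a "WEB" header, a version line ("1"), then the URL that
# Excel will fetch; anything after that is optional query parameters.
SAMPLE_FILES = {
    "report.iqy": "WEB\r\n1\r\nhttps://intranet.example.corp/sales/report.aspx\r\n",
    "invoice.iqy": "WEB\r\n1\r\nhttp://203.0.113.7/dl/invoice.dat\r\n",
    "notes.txt": "just a text file, not a web query\r\n",
}


def is_iqy(content: str) -> bool:
    """Stage 1: structural check, the loose equivalent of a YARA rule that
    anchors on the 'WEB' header and requires a URL on the third line."""
    lines = content.splitlines()
    return (
        len(lines) >= 3
        and lines[0].strip() == "WEB"
        and lines[2].strip().lower().startswith(("http://", "https://"))
    )


def suspicious_traits(content: str) -> list:
    """Stage 2: broad traits worth a hunter's attention. None of these is
    proof of malice on its own; they widen the net beyond known IoCs."""
    url = urlparse(content.splitlines()[2].strip())
    host = url.hostname or ""
    traits = []
    if url.scheme == "http":
        traits.append("cleartext-http")          # no TLS on the fetched URL
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        traits.append("ip-literal-host")         # raw IP instead of a hostname
    if re.search(r"\.(dat|exe|scr|bat|hta|ps1)$", url.path, re.I):
        traits.append("non-web-extension")       # not a typical web-query target
    return traits


def hunt(files: dict) -> dict:
    """Run both stages over a set of files; non-IQY files are not reported."""
    return {name: suspicious_traits(body) for name, body in files.items() if is_iqy(body)}


if __name__ == "__main__":
    for name, traits in hunt(SAMPLE_FILES).items():
        print(name, traits or "no suspicious traits")
```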

https://inquest.net/blog/2018/08/23/hunting-iqy-files-with-yara
2018-08-23
Adam Swanda

Source: Inquest
Source Link: https://inquest.net/blog/2018/08/23/hunting-iqy-files-with-yara





Copyright 2012 through 2021 - National Cyber Warfare Foundation - All rights reserved worldwide.