Continuing #100DaysOfYara with Day 2️⃣​7️⃣: More practice with the VT module, detecting JavaScript malware
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/027/027.md

Proofpoint recently shared research on a new threat group it tracks as #TA886 that makes use of JavaScript malware:
📖 https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

Today's YARA rule uses the VirusTotal module to detect JavaScript files that download a .msi sample in the same way TA886's malware does. This rule dug up a lot of low-detection samples from this recent campaign!
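As an added illustration (not the rule from the linked repository), here is how a VT livehunt rule can express "JavaScript sample whose sandbox run fetches or drops an .msi"; the `vt.metadata`, `vt.behaviour.http_conversations` and `vt.behaviour.files_dropped` field names are assumed to match the VirusTotal YARA module docs, and the detection threshold of 5 is an arbitrary constructed value.

```yara
import "vt"

// Constructed example for VT livehunt/retrohunt, not the author's rule.
rule js_fetches_msi_behaviour
{
  meta:
    description = "JavaScript file whose sandbox behaviour downloads or drops an .msi"
    reference   = "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"

  condition:
    // Only look at files VT identified as JavaScript
    vt.metadata.file_type == vt.FileType.JAVASCRIPT
    // Surface low-detection samples (threshold is an assumed value)
    and vt.metadata.analysis_stats.malicious < 5
    and (
      // An HTTP request during the sandbox run whose URL ends in .msi
      for any conv in vt.behaviour.http_conversations : (
        conv.url iendswith ".msi"
      )
      or
      // ...or an .msi written to disk by the sample
      for any dropped in vt.behaviour.files_dropped : (
        dropped.path iendswith ".msi"
      )
    )
}
```

The `malicious < 5` clause is what surfaces samples that most AV engines missed; drop it when you want every JavaScript-to-MSI downloader regardless of detection count.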

#IOCs from retrohunting can be found here:
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/027/retrohuntin_results.csv
