PipeMon is a modular backdoor that is signed with a certificate belonging to a video game company, which was compromised by the Winnti group in 2018. Researchers at ESET discovered this backdoor used in attacks on companies in South Korea and Taiwan that develop popular Massively Multiplayer Online games. They named the backdoor PipeMon because the malware author used “Monitor” as the name of the Visual Studio project, and multiple named pipes were used for inter-module communication. Every observed module exhibits different functionality; each is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. During installation, the loader drops the malware into the Windows Print Processors folder, and setup.dll registers the malicious DLL loader as an alternative Print Processor.

The Winnti group has been active since at least 2011, targeting primarily the video game and software industry, with rare attacks on the healthcare and education sectors. They are infamous for high-profile supply-chain attacks and for trojanizing popular software. Their Operation ShadowHammer affected tens of thousands of systems around the world, and last fall the Winnti group used PortReuse malware in the attack on a major mobile hardware and software manufacturer based in Asia. During the investigation of the latest campaign, researchers discovered at least one instance where the group was able to compromise an organization’s build system and could have planted malware inside the video game executable.

Threat Hunting rule by Ariel Millahuel enables your security solution to detect the registration of the PipeMon modular backdoor as an alternative Print Processor:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint

Techniques: Modify Registry (T1112), Obfuscated Files or Information (T1027)

More Threat Hunting Content on our blog:
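As an added detection example (not the SOC Prime rule or code from ESET), the following Python checks constructed Sysmon-style events for the two installation steps described above: a DLL dropped into the Print Processors folder and a new Print Processor registered in the registry. The registry and directory paths are standard Windows locations; the allowlist, the trusted-image prefix and the event values are assumptions.

```python
import re

# Registry value naming a print processor's DLL (known Windows location; the
# environment component matches both the "Windows x64" and "Windows NT x86" keys).
PRINT_PROCESSOR_DRIVER = re.compile(
    r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\(?P<name>[^\\]+)\\Driver$",
    re.IGNORECASE,
)
# Directory the spooler loads print processor DLLs from (known Windows path).
PRTPROCS_DIR = re.compile(r"\\System32\\spool\\prtprocs\\", re.IGNORECASE)
# Assumptions: winprint.dll is the only processor shipped by default and benign
# writes to prtprocs come from images under C:\Windows\. Baseline your own fleet.
KNOWN_GOOD_DRIVERS = {"winprint.dll"}
TRUSTED_IMAGE_PREFIX = "c:\\windows\\"

# Constructed Sysmon-style records (EventID 13 = registry value set,
# EventID 11 = file create); field names follow Sysmon, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\winprint\\Driver",
     "Details": "winprint.dll"},
    {"EventID": 13, "Image": "C:\\Users\\Public\\setup.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\lookprint\\Driver",
     "Details": "loader.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\u.exe"},
    {"EventID": 11, "Image": "C:\\Users\\Public\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\prtprocs\\x64\\loader.dll"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll"},
]

def hunt_print_processor_abuse(events):
    """Flag (a) a Print Processors\\<name>\\Driver value set to a DLL not on the
    allowlist and (b) a file dropped into prtprocs by an image outside C:\\Windows."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 13:
            m = PRINT_PROCESSOR_DRIVER.search(ev.get("TargetObject", ""))
            if m and ev.get("Details", "").lower() not in KNOWN_GOOD_DRIVERS:
                findings.append({"kind": "registry", "processor": m.group("name"),
                                 "driver": ev["Details"], "image": image})
        elif ev.get("EventID") == 11:
            path = ev.get("TargetFilename", "")
            if PRTPROCS_DIR.search(path) and not image.lower().startswith(TRUSTED_IMAGE_PREFIX):
                findings.append({"kind": "file", "path": path, "image": image})
    return findings
```

Run against real Sysmon or EDR telemetry, the two branches map to the registry (T1112) and file-drop sides of the rule above; the benign winprint events in the sample are left alone while the two setup.exe events are flagged.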