Sigma rule to detect RedDelta DLL hijacking attempts to load PlugX:
title: Potential RedDelta APT DLL Hijacking Attempt
id: a8535c40-4e04-4ff6-baea-479ea6b0adea
status: stable
description: Detects potential DLL hijacking of LDeviceDetectionHelper.exe in a subdirectory of AppData\Local. Used by RedDelta APT to load PlugX.
author: MGUT, Insikt Group, Recorded Future
date: 2024/09/06
references:
    - https://tria.ge/240803-bmgessseme/behavioral1/analog?q=lDevice&image=C%3A%5CUsers%5CAdmin%5CAppData%5CLocal%5CaPGfRwbjwQD%5CLDeviceDetectionHelper.exe
tags:
    - attack.t1574.001 # Hijack Execution Flow: DLL Search Order Hijacking
logsource:
    product: windows
    category: process_creation
detection:
    image_start:
        Image|startswith:
            - 'C:\Users\'
    image_end:
        Image|endswith:
            - '\AppData\Local\*\LDeviceDetectionHelper.exe'
    condition: image_start and image_end
level: critical
falsepositives:
    - Unlikely
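To see exactly which process-creation events the rule above fires on, here is an added Python example (not Recorded Future's tooling and not pySigma) that evaluates the rule's detection section the way a Sigma backend would: values are matched case-insensitively, `*` and `?` are wildcards that may span path separators, and `startswith`/`endswith` anchor the pattern. The first `Image` path is the one in the rule's tria.ge reference; the other events are constructed for this example.

```python
import re

# The detection section of the Sigma rule above, as a dict. Only what the
# evaluator below needs is modelled: selections keyed by field|modifier and
# an 'and'-joined condition.
RULE = {
    "image_start": {"Image|startswith": ["C:\\Users\\"]},
    "image_end": {"Image|endswith": ["\\AppData\\Local\\*\\LDeviceDetectionHelper.exe"]},
    "condition": "image_start and image_end",
}


def sigma_value_to_regex(value: str, modifier: str) -> "re.Pattern[str]":
    """Translate one Sigma string value into a compiled regex.

    Sigma treats '*' and '?' inside a value as wildcards (they are not
    stopped by '\\') and string matching is case-insensitive. The modifier
    decides the anchoring: startswith -> '^...', endswith -> '...$',
    contains -> unanchored, no modifier -> whole-value match.
    """
    pieces = []
    for ch in value:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    body = "".join(pieces)
    if modifier == "startswith":
        body = "^" + body
    elif modifier == "endswith":
        body = body + "$"
    elif modifier != "contains":
        body = "^" + body + "$"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict, event: dict) -> bool:
    """Fields within a selection are AND-ed; the values under one field are OR-ed."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if not any(sigma_value_to_regex(v, modifier).search(actual) for v in values):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate an 'and'-joined condition such as 'image_start and image_end'."""
    names = [n.strip() for n in rule["condition"].split(" and ")]
    return all(selection_matches(rule[n], event) for n in names)


# Sample process_creation events. The first Image is the path from the rule's
# tria.ge reference; the remaining three are constructed for this example.
EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\aPGfRwbjwQD\LDeviceDetectionHelper.exe"},
    {"Image": r"C:\Program Files\LDevice\LDeviceDetectionHelper.exe"},  # outside a user profile
    {"Image": r"C:\Users\Admin\Downloads\LDeviceDetectionHelper.exe"},  # profile, but not AppData\Local\<dir>
    {"Image": r"c:\users\bob\appdata\local\x\y\ldevicedetectionhelper.exe"},  # deeper nesting, lower case
]


def evaluate(events=EVENTS):
    """Return one verdict per event, in input order."""
    return [rule_matches(RULE, e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("ALERT" if hit else "ok   ", event["Image"])
```

Two properties of the rule are visible in the verdicts: the `*` matches across several directory levels, so nesting the binary deeper under `AppData\Local` does not evade it, and the pattern requires at least one directory between `Local\` and the file name, so a copy placed directly in `AppData\Local` would not fire. Whether to widen the second case is a tuning decision for the deploying team.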
YARA rules to detect RedDelta loaders written in Nim:
import "pe"

rule APT_CN_RedDelta_Nim_Loader_DEC23 {
    meta:
        author = "JGrosfelt, Insikt Group, Recorded Future"
        date = "2023-12-21"
        description = "Detects RedDelta RC4 Implementation in Nim Loaders"
        version = "1.0"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        /*
            RedDelta Custom RC4 Implementation (from RC4)
            8B 8D E0 FB FF FF    mov     ecx, [ebp+var_420]
            89 F2                mov     edx, esi
            32 54 3B 08          xor     dl, [ebx+edi+8]
            0F BE D2             movsx   edx, dl
            E8 E7 C5 FF FF       call    sub_6DB03E5C
            89 85 E0 FB FF FF    mov     [ebp+var_420], eax
            89 F8                mov     eax, edi
            83 C0 01             add     eax, 1
            89 C7                mov     edi, eax
            0F 81 8E FE FF FF    jno     loc_6DB07716
        */
        $s1 = { 8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? 89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F }
    condition:
        (uint16(0) == 0x5a4d)
        and $s1
}

rule APT_CN_RedDelta_Nim_Loader_Aug24 {
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f"
        hash = "c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $func = "winimConverterVarObjectToPtrObject"
    condition:
        uint16be(0) == 0x4d5a
        and filesize < 500KB
        and pe.number_of_exports == 2
        and pe.exports("HidD_GetHidGuid")
        and pe.exports("NimMain")
        and $func
}
YARA rule to detect MSI executables used to load PlugX:
rule APT_CN_RedDelta_MSI_Aug24 {
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19"
        hash = "2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $s1 = "TARGETDIR[%LOCALAPPDATA]"
        $s2 = "\\LDeviceDetectionHelper.exe"
        $s3 = "hid.dll"
    condition:
        uint32be(0) == 0xd0cf11e0 and all of them
}
YARA rule to detect LNK files used to load PlugX (applies to infection chain from 2023):
rule APT_CN_RedDelta_LNK_Oct23 {
    meta:
        author = "Mkelly, Insikt Group, Recorded Future"
        date = "2023-10-13"
        description = "Detects RedDelta LNK files used to retrieve and install .msi files via PowerShell"
        version = "1.0"
        hash = "a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129"
        hash = "74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $s1 = "install.InstallProduct" wide
        $s2 = "install=New-Object" wide
        $s3 = "install.uilevel = 2" wide
        $s4 = "REMOVE=ALL" wide
    condition:
        uint16(0) == 0x004c
        and filesize < 5MB
        and 3 of them
}
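The YARA rules above lean on three details that are easy to get wrong when writing or reviewing similar rules: `uint16(0)` reads little-endian while `uint16be(0)` reads big-endian (which is why one Nim loader rule tests `0x5a4d` and the other `0x4d5a` for the same `MZ` header, and why the LNK rule's `4C 00` header becomes `0x004c`); the `wide` modifier matches the UTF-16LE encoding of the text, not its ASCII form; and `3 of them` is a count over the string set. The following added Python example (not Recorded Future's code and not a YARA engine) re-implements the header tests, the MSI rule and the LNK rule and runs them over constructed buffers that carry only the headers and strings the rules key on. The `pe` module conditions of the Nim loader rule are not modelled, since they need a PE parser.

```python
import struct

KB, MB = 1024, 1024 * 1024


# YARA's integer functions read little-endian by default; the 'be' variants
# read big-endian. Both idioms for the MZ header appear in the rules above.
def uint16(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def uint16be(buf: bytes, off: int) -> int:
    return struct.unpack_from(">H", buf, off)[0]


def uint32be(buf: bytes, off: int) -> int:
    return struct.unpack_from(">I", buf, off)[0]


def wide(s: str) -> bytes:
    """YARA 'wide' strings match the UTF-16LE encoding of the text."""
    return s.encode("utf-16-le")


def header_words(buf: bytes):
    """(uint16(0), uint16be(0)) of a buffer; for 'MZ' that is (0x5a4d, 0x4d5a)."""
    return uint16(buf, 0), uint16be(buf, 0)


def is_pe(buf: bytes) -> bool:
    return len(buf) >= 2 and uint16be(buf, 0) == 0x4D5A


def is_ole_cfb(buf: bytes) -> bool:
    # D0 CF 11 E0 is the compound-file header that MSI packages use.
    return len(buf) >= 4 and uint32be(buf, 0) == 0xD0CF11E0


def is_lnk(buf: bytes) -> bool:
    # LNK files begin with the header size 4C 00 00 00; little-endian gives 0x004c.
    return len(buf) >= 2 and uint16(buf, 0) == 0x004C


MSI_STRINGS = {
    "$s1": b"TARGETDIR[%LOCALAPPDATA]",
    "$s2": b"\\LDeviceDetectionHelper.exe",
    "$s3": b"hid.dll",
}
LNK_STRINGS = {
    "$s1": wide("install.InstallProduct"),
    "$s2": wide("install=New-Object"),
    "$s3": wide("install.uilevel = 2"),
    "$s4": wide("REMOVE=ALL"),
}


def msi_rule(buf: bytes) -> bool:
    """APT_CN_RedDelta_MSI_Aug24: compound-file header and 'all of them'."""
    return is_ole_cfb(buf) and all(p in buf for p in MSI_STRINGS.values())


def lnk_rule(buf: bytes) -> bool:
    """APT_CN_RedDelta_LNK_Oct23: LNK header, size cap, and '3 of them'."""
    hits = sum(1 for p in LNK_STRINGS.values() if p in buf)
    return is_lnk(buf) and len(buf) < 5 * MB and hits >= 3


# Constructed buffers for this example: just the headers and strings the
# rules key on, padded with zeros. They are not real samples.
PE_SAMPLE = b"MZ" + b"\x00" * 62
MSI_SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
              + b"TARGETDIR[%LOCALAPPDATA]\x00\\LDeviceDetectionHelper.exe\x00hid.dll")
LNK_SAMPLE = (b"\x4c\x00\x00\x00" + b"\x00" * 72
              + wide("install=New-Object") + wide("install.uilevel = 2")
              + wide("install.InstallProduct"))
# Same three strings as LNK_SAMPLE but ASCII-encoded: 'wide' patterns miss them.
LNK_ASCII_ONLY = (b"\x4c\x00\x00\x00"
                  + b"install=New-Object install.uilevel = 2 install.InstallProduct")

if __name__ == "__main__":
    print("MZ as uint16/uint16be:", [hex(w) for w in header_words(PE_SAMPLE)])
    print("MSI rule:", msi_rule(MSI_SAMPLE), msi_rule(PE_SAMPLE))
    print("LNK rule:", lnk_rule(LNK_SAMPLE), lnk_rule(LNK_ASCII_ONLY))
```

The ASCII-only LNK buffer is the case to keep in mind when porting a rule between tools: the strings are present, but because the rule declares them `wide` only (no `ascii`), a script that stores the same PowerShell text single-byte would not be caught; whether that is acceptable depends on how the LNK format stores the field in question.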