SID 1:64407

Rule Category

MALWARE-OTHER --

Alert Message

MALWARE-OTHER Unix.Trojan.Wolfsbane download attempt

Rule Explanation

This rule is specifically looking for some unique bytecode contained in the Wolfsbane installation utility used by APTs.

What To Look For

This rule triggers on a file transfer of the Unix.Trojan.Wolfsbane malware.

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Execution::User Execution::Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

CVE

None

Additional Links

virustotal.com/gui/file/fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None