Trellix Insights: Golden Chickens (Gc) Malware-as-a-Service provider

Technical Articles ID: KB93194
Last Modified: 2022-08-23 14:57:52 Etc/GMT

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.

Summary

Description of Campaign
Top tier threat actors, such as FIN6, are known to use Malware-as-a-Service providers (MaaS) including one labeled as "Golden Chickens." The MaaS offers a range of malware including reconnaissance tools, information stealers, malware building kits, wipers, loaders, and ransomware. The malware uses several techniques for persistence and defense evasion including obfuscation, scripting, DLL side-loading, signed binaries, and DLL search order hijacking.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Campaign IOC

Type	Value
SHA256	93AFEAFB5E2918B1EEE0DDF98AA0912FA5064B7AD315F4E7131139E6F45DC944
SHA256	5FCB4D2F6BDE72570CFFA1F82D9479E54C2CC0CEEC0F7DA13BB56334B8E195C0
SHA256	CD56CF243B6ED99804BD85A77667525F728E820E94D751AC42E6F3EA7AA43557
SHA256	06EC6F367990DFC2D09C505CE03965AC7BAA942C39FDACF91844EDECC821E72C
SHA256	D65B60BA3592D3EC1BA1DF60F5F3AB8D670CAF367ACA7CA06F9340F5F38FB130
SHA256	BE55ACB1B5471B1C0FAD6425E662C96C2B5FA136B62A13B89A63731BE481E40C
SHA256	300C58478A93E4160DBBD01598D2F1DF3F51519687D2C954682ECB7813386AB4
SHA256	9E254EE0E9D151732F396EBA6C748396D6A8C98A3D45E7232C8B3A4786CFDED7
SHA256	29A25253FF0F580B3ABACA28747CC050668F9B1CD7067DB2C34D0FDE1BF4F416
SHA256	9BA6A8D6953D230124ABAA6168A959D95FFE2C06A9A221AE526E8E1BAA5F6BC3
SHA256	803C900C2B7DBF8AB9875A18D305809DA7E7A4F3D31350ECCFBBA5324E6C6815
SHA256	C5FE4CC8C7B8EC6F39B3035BEAEE14CB756CE9CA5555D8720EE2995119065A30
SHA256	B35834B29FAE93C8841B4694BAC9D06B5DF0BF338A53B63FC0D4FA53DBC9F683
SHA256	134C3A5A9FCD168A1F7737D3110BE615B5848AFBC6DEE5F6E3EA2601B63EBF30
SHA256	D63F9EBB974355063DFAECAACD5C2FBF3CFBBC052DA5E1892E1656D2DBC9C3C3
SHA256	56DA825D8ABB8C57E79BB381C01063073FFDFE3A867744CA11AF101685FDCE3A
SHA256	1ADC890756DC9A9F3F50272FA541273968D1FEB3D5F51FA415DB1CE70C9412D3
SHA256	D36996C032CDF538FC93CFCA95CFC4EBAAF2BFB57163248B379BBB3D4883CD73
SHA256	D3C9791ED73A4D09EE99D74B80BCC75F454011E607BF73A57268AE3485527A3B
URL	http://faxtoweb.org/documents/scanned/efax_statement_01_08_2019.zip
URL	https://webfax.org/documents/archived/efax_statement_25_07_2019.zip
URL	https://crewtyxz.biz/documents/scanned/statement_02_2019.zip
URL	https://mail.cdn-line.kz/squid/changelog.txt%20scrobj.dl
URL	http://mail.cdn-line.kz/squid/changelog.txt%20scrobj.dl
URL	https://mail.hotmail.org.kz/owalanding/ajax.php
URL	http://update.office.com.kz/check/update.php
URL	https://mail.yahoo.org.kz/yui/type.php
URL	https://oneppdatemicro.com/login.php
URL	https://api.nexfail.com/v1
URL	http://faxtoweb.org/de/txt
URL	https://ssl.gstatic.kz/ui/v3
URL	http://update.office.com.kz/ping.php
URL	http://faxtoweb.org/de.txt
URL	http://webfax.org/fr.txt
URL	https://mail.hotmail.org.kz/owa/prefetch.php
URL	http://crewtyxz.biz/fr.txt
URL	https://webmail.maildomain.kz/include/ajax.php
URL	http://webfax.org/us.txt
URL	https://mail.regsvr32.kz/blog/ajax.php
URL	https://update.msf.org.kz/live/check
URL	https://api.outlook.kz/api/v2
URL	https://api2.gcdn.kz/en/v2
URL	https://mail.cdn-line.kz/ping.php
Domain	mail.yahoo.org.kz
Domain	faxtoweb.org
Domain	webfax.org
Domain	crewtyxz.biz
Domain	oneppdatemicro.com
Domain	mail.regsvr32.kz
Domain	update.msf.org.kz
Domain	mail.hotmail.org.kz
Domain	api.nexfail.com
Domain	mail.cdn-line.kz
Domain	webmail.maildomain.kz
Domain	api.outlook.kz
Domain	update.office.com.kz
Domain	ssl.gstatic.kz
Domain	api2.gcdn.kz

Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9544
V3 DAT (Endpoint Security)	3995

Detection Summary

IOC	Scanner	Detection
93AFEAFB5E2918B1EEE0DDF98AA0912FA5064B7AD315F4E7131139E6F45DC944	AVEngine V2	Trojan-Agent.e
	AVEngine V3	Trojan-Agent.e
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5FCB4D2F6BDE72570CFFA1F82D9479E54C2CC0CEEC0F7DA13BB56334B8E195C0	AVEngine V2	Trojan-FRLE!244409416353
	AVEngine V3	Trojan-FRLE!244409416353
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CD56CF243B6ED99804BD85A77667525F728E820E94D751AC42E6F3EA7AA43557	AVEngine V2	Generic.azz
	AVEngine V3	Generic.azz
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
06EC6F367990DFC2D09C505CE03965AC7BAA942C39FDACF91844EDECC821E72C	AVEngine V2	Trojan-FPWD!40E047C82FB0
	AVEngine V3	Trojan-FPWD!40E047C82FB0
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D65B60BA3592D3EC1BA1DF60F5F3AB8D670CAF367ACA7CA06F9340F5F38FB130	AVEngine V2	LNK/Downloader.ap
	AVEngine V3	LNK/Downloader.ap
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
BE55ACB1B5471B1C0FAD6425E662C96C2B5FA136B62A13B89A63731BE481E40C	AVEngine V2	Trojan-Agent.e
	AVEngine V3	Trojan-Agent.e
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
300C58478A93E4160DBBD01598D2F1DF3F51519687D2C954682ECB7813386AB4	AVEngine V2	Generic Trojan.kl
	AVEngine V3	Generic Trojan.kl
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
9E254EE0E9D151732F396EBA6C748396D6A8C98A3D45E7232C8B3A4786CFDED7	AVEngine V2	Generic Trojan.ln
	AVEngine V3	Generic Trojan.ln
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
29A25253FF0F580B3ABACA28747CC050668F9B1CD7067DB2C34D0FDE1BF4F416	AVEngine V2	Trojan-FPQI!A1464D12E1D0
	AVEngine V3	Trojan-FPQI!A1464D12E1D0
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
9BA6A8D6953D230124ABAA6168A959D95FFE2C06A9A221AE526E8E1BAA5F6BC3	AVEngine V2	LNK/Downloader.ap
	AVEngine V3	LNK/Downloader.ap
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
803C900C2B7DBF8AB9875A18D305809DA7E7A4F3D31350ECCFBBA5324E6C6815	AVEngine V2	LNK/Downloader.ap
	AVEngine V3	LNK/Downloader.ap
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C5FE4CC8C7B8EC6F39B3035BEAEE14CB756CE9CA5555D8720EE2995119065A30	AVEngine V2	LNK/Downloader.ap
	AVEngine V3	LNK/Downloader.ap
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
B35834B29FAE93C8841B4694BAC9D06B5DF0BF338A53B63FC0D4FA53DBC9F683	AVEngine V2	Generic Trojan.kl
	AVEngine V3	Generic Trojan.kl
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
134C3A5A9FCD168A1F7737D3110BE615B5848AFBC6DEE5F6E3EA2601B63EBF30	AVEngine V2	LNK/Downloader.ap
	AVEngine V3	LNK/Downloader.ap
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D63F9EBB974355063DFAECAACD5C2FBF3CFBBC052DA5E1892E1656D2DBC9C3C3	AVEngine V2	LNK/Downloader.ap
	AVEngine V3	LNK/Downloader.ap
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
56DA825D8ABB8C57E79BB381C01063073FFDFE3A867744CA11AF101685FDCE3A	AVEngine V2	Generic Trojan.ln
	AVEngine V3	Generic Trojan.ln
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
1ADC890756DC9A9F3F50272FA541273968D1FEB3D5F51FA415DB1CE70C9412D3	AVEngine V2	Generic.bja
	AVEngine V3	Generic.bja
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D36996C032CDF538FC93CFCA95CFC4EBAAF2BFB57163248B379BBB3D4883CD73	AVEngine V2	Generic Trojan.ln
	AVEngine V3	Generic Trojan.ln
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D3C9791ED73A4D09EE99D74B80BCC75F454011E607BF73A57268AE3485527A3B	AVEngine V2	Trojan-FPWD!F4C23351D9EC
	AVEngine V3	Trojan-FPWD!F4C23351D9EC
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:

Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files

Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Host Intrusion Prevention:

Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application

Affected Products

Trellix insights

Knowledge Center

Trellix Insights: Golden Chickens (Gc) Malware-as-a-Service provider

Environment

Summary

Affected Products

Title

Title

Knowledge Center

Trellix Insights: Golden Chickens (Gc) Malware-as-a-Service provider

Environment

Summary

Affected Products

Choose your region

Title

Title