Description of Campaign
Dragonfly threat group has been active since 2010 and is known for targeting the energy sector in the United States and Europe. The Dragonfly RAT can facilitate remote command execution on infected devices and is used for collecting intelligence and potentially positioned for future state-sponsored infrastructure attacks. 

Treat this threat with the highest severity as it indicates a potential wide spread intrusion by a capable and well-funded threat group.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Campaign IOC

Type	Value
Domain	tureg.info
Domain	doublestats.online
Domain	satanal.info
URL	https://smarttoys.com.ua/bitrix/services/ajax/refresh/refresh.php
URL	https://vr-bangers.com/wp-content/cache/keep-alive/alive.php
URL	https://ecco0.b13x.org/ajax/base/include/list.php
URL	https://kanri.rbridal.net/json/renew.php
Host name	kanri.rbridal.net
Host name	ecco0.b13x.org
MD5	20ec7658254eddd917e1b351e1728534
MD5	418e58b78731546089eb1b7fa6e1d99f
MD5	4ad06a76e1ad423b13e03587a887ede0
MD5	8aeacf3fde1b49940fb4d08226dccbc4
MD5	fca1fa07afa1b3ff9f67f2a377de51ae
MD5	fd6145bbc722ef52eed6b94dd520170c
MD5	fff6dc1216fe549fa1d700f1ccfcd754

 
Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9390
V3 DAT (Endpoint Security)	3841

 
Detection Summary

IOC	Scanner	Detection
4ad06a76e1ad423b13e03587a887ede0	AVEngine V2	Dragonfly
	AVEngine V3	Dragonfly
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
8aeacf3fde1b49940fb4d08226dccbc4	AVEngine V2	DragonFly.a
	AVEngine V3	DragonFly.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
fff6dc1216fe549fa1d700f1ccfcd754	AVEngine V2	DragonFly.a
	AVEngine V3	DragonFly.a
	JTI (ATP Rules)	-
	RP Static	Real Protect-LS
	RP Dynamic	-

 
Minimum set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.

Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Endpoint Security - Advanced Threat Protection:  
Aggressive set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.

Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Endpoint Security - Access Protection Custom Rules:  
VirusScan Enterprise - Access Protection Custom Rules:  
Host Intrusion Prevention: