Trellix Insights: Operation Minebridge
Technical Articles ID: KB92504
Last Modified: 2022-08-15 14:34:11 Etc/GMT
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.
Summary
Description of Campaign
An unknown threat actor targeted the financial and marketing sectors in the United States and South Korea with spear-phishing emails containing a malicious attachment.
The campaign used multiple techniques including obfuscation, masquerading, regsvr32, scripting, and VBA stomping. These techniques aimed to create a persistent threat and evade defenses. The attacks deployed the Minebridge backdoor to perform several tasks, including downloading other tools, deleting files, and uploading information from infected hosts.
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices.
To view the best practices for Endpoint Security Dynamic Application Containment rules, see KB87843 - Dynamic Application Containment rules and best practices.
Endpoint Security - Advanced Threat Protection:
Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files
Host Intrusion Prevention:
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Endpoint Security - Exploit Prevention:
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Endpoint Security - Access Protection Custom Rules:
Rule: 1
Executables (Include): winword.exe
Subrules:
Subrule Type: Files
Operations: Execute
Targets (Include): regsvr32.exe
VirusScan Enterprise - Access Protection Custom Rules:
Rule: 1
Rule Type: File
Process to include: winword.exe
File or folder name to block: regsvr32.exe
Actions to prevent: Terminate
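The two Access Protection rules above both key on one parent/child relationship: winword.exe must not execute regsvr32.exe. The following is an added example (not Trellix code, and not part of the original article) that applies the same check to constructed process-creation events, honouring the article's advice to run a new rule in Report mode before switching it to Block; the field names and the RULE dictionary are assumptions.

```python
"""Apply a winword.exe -> regsvr32.exe rule to process-creation events (added example)."""
import csv
import io
from typing import Dict, List

# Hypothetical rule mirroring the article's custom Access Protection rule:
# process to include = winword.exe, target to block = regsvr32.exe.
RULE = {"process_include": "winword.exe", "target": "regsvr32.exe"}

# Constructed sample events (not real telemetry). Only parent image and image
# are needed, because the rule matches on the executable names alone.
SAMPLE_EVENTS = """\
ts,host,parent_image,image
2022-08-15T09:01:02Z,WS01,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\regsvr32.exe
2022-08-15T09:01:05Z,WS01,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\regsvr32.exe
2022-08-15T09:02:11Z,WS02,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\notepad.exe
2022-08-15T09:03:40Z,WS03,C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe,C:\\Windows\\SysWOW64\\regsvr32.exe
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; the rule ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events_csv: str, mode: str = "Report") -> List[Dict[str, str]]:
    """Return one verdict per matching event.

    mode="Report" only records the match (what the article recommends first);
    mode="Block" records the Terminate action the VirusScan rule would take.
    """
    if mode not in ("Report", "Block"):
        raise ValueError("mode must be 'Report' or 'Block'")
    verdicts: List[Dict[str, str]] = []
    for ev in csv.DictReader(io.StringIO(events_csv)):
        parent_ok = basename(ev["parent_image"]) == RULE["process_include"]
        target_ok = basename(ev["image"]) == RULE["target"]
        if parent_ok and target_ok:
            action = "Terminate" if mode == "Block" else "Report"
            verdicts.append({"ts": ev["ts"], "host": ev["host"], "action": action})
    return verdicts


if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_EVENTS, "Report"):
        print(verdict)
```

Only the two events where Word itself launched regsvr32.exe match; regsvr32.exe started from explorer.exe, and Word starting another program, do not.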
Aggressive set of Manual Rules to improve protection to block this campaign
Host Intrusion Prevention:
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1020 Windows Agent Shielding - File Access
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.