Day 29 - Transfer[.]sh Script Abuse

Earlier today Cisco Talos shared research about a new threat campaign:

New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

Todays yara rule detects scripts that download from transfer[.]sh while also supressing output!

Yara Rule

Here's the yara rule I wrote for detecting suspicous transfer[.]sh usage:

rule sus_transfersh_scripting {
  meta:
    author = "Colin Cowie"
    description = "Detects transfer.sh usage with output suppression"
    reference  = "f02512e7e2950bdf5fa0cd6fa6b097f806e1b0f6a25538d3314c793998484220"
  strings:
  	$echooff = "@echo off"
    $bitsadmin = "bitsadmin"
    $curl = "curl"
    $wget = "wget"
    $transfer = "transfer.sh" 
  condition:
  	$echooff
    and ($curl or $wget or $bitsadmin)
    and $transfer
    and filesize<800KB
}

Results

Retrohunting with this rule found some fun InfoStealer malware:

Nitro Generator.zip
- Exfiltrates data to transfer.sh
- 8a8681c57efa5b44968048a2d12bd286cffbf6b70cf268a47534ce3c658b822c
Fake "soundspack" that steals discord nitro
- wetransfer_soundpack-marco-s-4_2023-02-04_1644.zip
- Exfiltrates data to transfer.sh
- bee960244bed23886e38fc23fdcbab699ea0fd118c95930e18f39a3baa8f82f7

References

https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
https://www.virustotal.com/gui/file/f02512e7e2950bdf5fa0cd6fa6b097f806e1b0f6a25538d3314c793998484220/details

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

029.md

029.md

Day 29 - Transfer[.]sh Script Abuse

Yara Rule

Results

References

Files

029.md

Latest commit

History

029.md

File metadata and controls

Day 29 - Transfer[.]sh Script Abuse

Yara Rule

Results

References