SERIOUS! infected binary for windows found on the setup tab of next dns dashboard

Rob Yeah, no. 

Its not that the binary itself is actually the payload, but rather what it drops. 

Look again under Relations > dropped files. 

If you go to Behaviour and look at the matched rules, you will find one very serious.

Rob The LNK files are flagged as trojan.runner as they inject themself in the windows explorer process through a cmd one liner. its a common and recent payload tactic. besides that,

it checks for kernel debuggers, has a odd timestamp, opens the clipboard, creates a direct input object ( keylogger ), modifies ASEP, uses taskkill to kill AV and checks for their hooks,  and matches this Sigma rule:

action: global
title: Oilrig
status: stable
description: OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.
references:
- https://tdm.socprime.com/tdm/info/Nvw0NkZgaA6d
- https://app.any.run/tasks/a76f05b4-1634-4fb2-b559-c32d00d550e2/
- https://app.any.run/tasks/2d717782-6ccf-4bb5-b412-4536cbb870b1/
- https://app.any.run/tasks/99afd397-1d97-4e97-80c1-6c9b85c26a93/
- https://app.any.run/tasks/5c2a6265-c8f3-44fc-b3b3-f547f46aa586/
- https://malpedia.caad.fkie.fraunhofer.de/actor/oilrig
- https://attack.mitre.org/techniques/T1059/
- https://attack.mitre.org/techniques/T1053/
- https://attack.mitre.org/techniques/T1504/
tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.T1059
- attack.T1053
author: Ariel Millahuel
detection:
  condition: 1 of them
fields:
- EventID
- CommandLine
- TargetFilename
- Details
falsepositives:
- none
level: critical
---
logsource:
  product: windows
  service: sysmon
detection:
  selection1:
    EventID: 11
    TargetFilename|contains:
    - 'nsExec.dll'
    - 'nseEBFB.tmp'
    - 'chkSrv.vbs'
    - 'SCSCAN.xml'
    - 'AnyDesk.exe'
---
logsource:
  category: process_creation
  product: windows
detection:
  selection2:
    Commandline:
    - cmd.exe" /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    - schtasks.exe /create /F /tn "SC Scheduled Scan" /xml "C:\Users\admin\AppData\Local\Microsoft\Taskbar\SCSCAN.xml
    - ipconfig /flushdns
    - cmd.exe /c copy "C:\Users\admin\AppData\Local\Temp\\*.doc" "C:\Users\admin\AppData\Roaming\Tmp.doc
    - cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN "InetlSecurityAssistManager" /TR "C:\Users\admin\AppData\Local\Temp\\*.exe" /f
    - cmd.exe" /c start /b schtasks /query /fo csv
    - powershell.exe" -exec bypass -File C:\programdata\Office365DCOMCheck.ps1

BaZurk I don't think so, ive downloaded the infected binary and kaspersky KSN stated that it was at least 4 months old and that less than 1.000 KSN members used this file. That is only Kaspersky users.

Tairiku Okami @rob Yes Rules are made on behaviour of known payloads, matches display the file in question ( the next dns binary ) doing similar actions that have been shown in a rule. 

So, after seeing that it belongs to the critical tag. i avoid it. 

Or am i missing something.