Sigma rule to detect RedDelta DLL hijacking attempts used to load PlugX:

title: Possible RedDelta APT DLL hijacking attempt
id: a8535c40-4e04-4ff6-baea-479ea6b0adea
status: stable
description: Detects potential DLL hijacking in LDeviceDetectionHelper.exe located in subdirectories of AppData\Local. Used by RedDelta APT to load PlugX.
author: MGUT, Insikt Group, Recorded Future
date: 2024/09/06
references:
    - https://tria.ge/240803-bmgessseme/behavioral1/analog?q=lDevice&image=C%3A%5CUsers%5CAdmin%5CAppData%5CLocal%5CaPGfRwbjwQD%5CLDeviceDetectionHelper.exe
tags:
    - attack.t1574.001 # Hijack Execution Flow: DLL Search Order Hijacking
logsource:
    product: windows
    category: process_creation
detection:
    image_start:
        Image|startswith:
            - 'C:\Users\'
    image_end:
        # '\\*' is a literal backslash followed by a wildcard (under Sigma escaping a
        # plain '\*' would mean a literal asterisk), so any subdirectory of
        # AppData\Local matches
        Image|endswith:
            - '\AppData\Local\\*\LDeviceDetectionHelper.exe'
    condition: image_start and image_end
level: critical
falsepositives:
    - Unlikely
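To check what the rule above actually matches before deploying it, the following added Python example (not Recorded Future code) translates the two Sigma selections into regular expressions following the Sigma specification's value escaping (`*`/`?` wildcards, `\*` a literal asterisk, `\\*` a backslash followed by a wildcard, case-insensitive matching) and evaluates `image_start and image_end` over constructed Sysmon-style process-creation events. The events are synthetic; the only real path is the one from the tria.ge reference. It also shows the pitfall of writing the subdirectory wildcard as `\*`, which would require a directory literally named `*`.

```python
import re


def sigma_value_to_regex(value: str, modifier: str = None) -> re.Pattern:
    """Translate one Sigma string value (plus an optional startswith/endswith/
    contains modifier) into an anchored, case-insensitive regex, applying the
    Sigma escaping rules: '*' and '?' are wildcards, '\\*', '\\?' and '\\\\' are
    the literal characters, any other backslash stands for itself."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))   # escaped char is literal
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    body = "".join(out)
    if modifier in ("endswith", "contains"):
        body = ".*" + body
    if modifier in ("startswith", "contains"):
        body = body + ".*"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


# The rule's two selections. '\\\\*' in the Python string is '\\*' in Sigma:
# a literal backslash followed by a wildcard for the random subdirectory name.
IMAGE_START = sigma_value_to_regex("C:\\Users\\", "startswith")
IMAGE_END = sigma_value_to_regex(
    "\\AppData\\Local\\\\*\\LDeviceDetectionHelper.exe", "endswith")

# Pitfall variant: a single backslash before '*' makes it a literal asterisk.
IMAGE_END_LITERAL_STAR = sigma_value_to_regex(
    "\\AppData\\Local\\*\\LDeviceDetectionHelper.exe", "endswith")


def rule_matches(event: dict) -> bool:
    """condition: image_start and image_end"""
    image = event.get("Image", "")
    return bool(IMAGE_START.fullmatch(image)) and bool(IMAGE_END.fullmatch(image))


def literal_star_pitfall(image: str) -> bool:
    return bool(IMAGE_END_LITERAL_STAR.fullmatch(image))


# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"Image": "C:\\Users\\Admin\\AppData\\Local\\aPGfRwbjwQD\\LDeviceDetectionHelper.exe"},  # tria.ge path: match
    {"Image": "c:\\users\\bob\\appdata\\local\\x\\ldevicedetectionhelper.exe"},          # case differs: match
    {"Image": "C:\\Users\\Admin\\AppData\\Local\\LDeviceDetectionHelper.exe"},           # no subdirectory: no match
    {"Image": "C:\\Users\\Admin\\AppData\\Roaming\\abc\\LDeviceDetectionHelper.exe"},    # Roaming, not Local: no match
    {"Image": "C:\\Program Files\\Vendor\\LDeviceDetectionHelper.exe"},                  # not under a profile: no match
]


def evaluate(events=EVENTS) -> list:
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("ALERT" if hit else "     ", e["Image"])
```

The third event is worth noting: because the rule requires a subdirectory between `Local` and the executable, a copy placed directly in `AppData\Local` does not fire. That is consistent with the rule's description, but a hunt query may want to drop the subdirectory requirement.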
YARA rules to detect RedDelta loaders written in Nim:

import "pe"

rule APT_CN_RedDelta_Nim_Loader_DEC23 {
    meta:
        author = "JGrosfelt, Insikt Group, Recorded Future"
        date = "2023-12-21"
        description = "Detecting RedDelta RC4 implementation in Nim Loader"
        version = "1.0"
        RF_THREATACTOR = "Red Delta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        /*
        RedDelta custom RC4 implementation (from RC4)
        8B 8D E0 FB FF FF    mov     ecx, [ebp+var_420]
        89 F2                mov     edx, esi
        32 54 3B 08          xor     dl, [ebx+edi+8]
        0F BE D2             movsx   edx, dl
        E8 E7 C5 FF FF       call    sub_6DB03E5C      ; rel32 wildcarded below
        89 85 E0 FB FF FF    mov     [ebp+var_420], eax
        89 F8                mov     eax, edi
        83 C0 01             add     eax, 1
        89 C7                mov     edi, eax
        0F 81 8E FE FF FF    jno     loc_6DB07716
        */
        $s1 = { 8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? 89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F }
    condition:
        (uint16(0) == 0x5a4d)
        and $s1
}

rule APT_CN_RedDelta_Nim_Loader_Aug24 {
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta Nim loader DLLs used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f"
        hash = "c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205"
        RF_THREATACTOR = "Red Delta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $func = "winimConverterVarObjectToPtrObject"
    condition:
        uint16be(0) == 0x4d5a
        and filesize < 500KB
        and pe.number_of_exports == 2
        and pe.exports("HidD_GetHidGuid")
        and pe.exports("NimMain")
        and $func
}
YARA rule to detect MSI installers used to load PlugX:

rule APT_CN_RedDelta_MSI_Aug24 {
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19"
        hash = "2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99"
        RF_THREATACTOR = "Red Delta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $s1 = "TARGETDIR(%LOCALAPPDATA)"
        $s2 = "\\LDeviceDetectionHelper.exe"
        $s3 = "hid.dll"
    condition:
        // D0 CF 11 E0: OLE compound file header, the container format of MSI
        uint32be(0) == 0xd0cf11e0 and all of them
}
YARA rule to detect LNK files used to load PlugX (applicable to infection chains starting in 2023):

rule APT_CN_RedDelta_LNK_Oct23 {
    meta:
        author = "Mkelly, Insikt Group, Recorded Future"
        date = "2023-10-13"
        description = "Detects RedDelta LNK files used to retrieve and install .msi files via PowerShell"
        version = "1.0"
        hash = "a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129"
        hash = "74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1"
        RF_THREATACTOR = "Red Delta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        // wide: the PowerShell text inside the LNK is stored as UTF-16LE
        $s1 = "install.InstallProduct" wide
        $s2 = "install=New-Object" wide
        $s3 = "install.uilevel = 2" wide
        $s4 = "REMOVE=ALL" wide
    condition:
        // 4C 00 00 00: HeaderSize field of the Shell Link header
        uint16(0) == 0x004c
        and filesize < 5MB
        and 3 of them
}
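To make the file-based conditions above concrete, here is an added Python re-implementation (not Recorded Future code and not a YARA engine) of the logic of the DEC23 Nim loader rule, the MSI rule and the LNK rule, run over synthetic byte buffers. It covers only the string kinds and operators those three rules use: hex strings with `??` wildcards, ASCII and `wide` (UTF-16LE) text strings, `uint16`/`uint32be`, `filesize` and `N of them`. The `pe` module checks of the Aug24 Nim loader rule are not re-implemented. All samples, including the PowerShell fragment, are constructed for the example and are not RedDelta artefacts; they only show why the `call` displacement is wildcarded, why `wide` strings miss ASCII text, and that YARA text strings are case-sensitive by default.

```python
import re
import struct


# --- YARA string kinds -------------------------------------------------------
def hex_pattern(hex_str: str) -> re.Pattern:
    """YARA hex string such as '8B 8D ?? ?? E8' -> bytes regex ('??' = any byte).
    The rel32 of the 'call' is wildcarded so the pattern survives relinking."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_str.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(s: str, wide: bool = False) -> re.Pattern:
    """YARA text string; 'wide' means UTF-16LE. A wide-only string does not
    match the same text stored as ASCII, and matching is case-sensitive."""
    raw = s.encode("utf-16-le") if wide else s.encode("ascii")
    return re.compile(re.escape(raw), re.DOTALL)


# --- YARA condition helpers ---------------------------------------------------
def uint16(d, o):   return struct.unpack_from("<H", d, o)[0]
def uint32be(d, o): return struct.unpack_from(">I", d, o)[0]
def n_of(d, pats, n): return sum(1 for p in pats if p.search(d)) >= n


# --- Conditions of the three file rules ---------------------------------------
RC4_STUB = hex_pattern("8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? "
                       "89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F")


def rule_nim_loader_dec23(d: bytes) -> bool:
    return len(d) >= 2 and uint16(d, 0) == 0x5A4D and RC4_STUB.search(d) is not None


MSI_STRINGS = [text_pattern("TARGETDIR(%LOCALAPPDATA)"),
               text_pattern("\\LDeviceDetectionHelper.exe"),
               text_pattern("hid.dll")]


def rule_msi_aug24(d: bytes) -> bool:
    return (len(d) >= 4 and uint32be(d, 0) == 0xD0CF11E0
            and n_of(d, MSI_STRINGS, len(MSI_STRINGS)))          # all of them


LNK_STRINGS = [text_pattern(s, wide=True) for s in
               ("install.InstallProduct", "install=New-Object",
                "install.uilevel = 2", "REMOVE=ALL")]


def rule_lnk_oct23(d: bytes) -> bool:
    return (len(d) >= 2 and uint16(d, 0) == 0x004C
            and len(d) < 5 * 1024 * 1024 and n_of(d, LNK_STRINGS, 3))


# --- Constructed samples (synthetic bytes, not RedDelta files) ----------------
def _pe_like(call_rel32: bytes) -> bytes:
    stub = (bytes.fromhex("8B8DE0FBFFFF89F232543B080FBED2E8") + call_rel32
            + bytes.fromhex("8985E0FBFFFF89F883C00189C70F818EFEFFFF"))
    return b"MZ" + b"\x00" * 62 + stub            # DOS magic, padding, stub


PE_A = _pe_like(bytes.fromhex("E7C5FFFF"))        # displacement from the disassembly
PE_B = _pe_like(bytes.fromhex("11223344"))        # other call target: still matches
NOT_PE = b"\x7fELF" + PE_A[4:]                    # same stub, no MZ header: no match

MSI_OK = (bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8
          + b"TARGETDIR(%LOCALAPPDATA)\x00hid.dll\x00x\\LDeviceDetectionHelper.exe\x00")
MSI_TWO = MSI_OK.replace(b"hid.dll", b"abc.dll")  # only two strings: 'all of them' fails

_SCRIPT = ("$install=New-Object -ComObject WindowsInstaller.Installer\n"
           "$install.uilevel = 2\n$install.InstallProduct(\"x.msi\")\n")   # synthetic
_LNK_HDR = bytes.fromhex("4C000000") + b"\x00" * 72      # HeaderSize 0x4C, rest zeroed
LNK_WIDE = _LNK_HDR + _SCRIPT.encode("utf-16-le")        # 3 of 4 strings as UTF-16LE: match
LNK_ASCII = _LNK_HDR + _SCRIPT.encode("ascii")           # same text as ASCII: no match
LNK_TWO = _LNK_HDR + _SCRIPT.replace("uilevel", "UILevel").encode("utf-16-le")  # 2 of 4: no match


def scan(sample: bytes) -> dict:
    return {"nim_loader": rule_nim_loader_dec23(sample),
            "msi": rule_msi_aug24(sample),
            "lnk": rule_lnk_oct23(sample)}


if __name__ == "__main__":
    for name in ("PE_A", "PE_B", "NOT_PE", "MSI_OK", "MSI_TWO",
                 "LNK_WIDE", "LNK_ASCII", "LNK_TWO"):
        print(f"{name:10} {scan(globals()[name])}")
```

The `LNK_TWO` case is a reminder that `$s3` matches `install.uilevel = 2` exactly; a script that writes the property as `UILevel` is only caught if another of the four strings is present, which is what the `3 of them` threshold is there to absorb.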