Ahmed Sonbol

Detecting Tendrit variants using Security Analytics

Blog post created by Ahmed Sonbol on May 9, 2016

Tendrit is a backdoor malware family that has been used in targeted attacks since 2011. The malware is known to spread through phishing campaigns that use holiday themes to lure victims into running its payload. In this blog post we will discuss how to detect its beaconing activity using RSA Security Analytics.

Once it infects a victim machine, this Tendrit variant starts to collect data about the machine, such as its hostname, username, MAC address and OS version. The collected data is encoded and sent to the C2 server via a GET request, as shown in the screenshot below:

[Screenshot: tendrit-session.png]

The network behavior is the same across Tendrit samples:

[Screenshot: tendrit-investigator.png]

Assuming the appropriate meta keys are enabled, the following query can be used to detect Tendrit network activity:

service = 80 && action = 'get' && filename = 'css.ashx' && query begins 'nly='
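As an added example that is not part of the original post, the same four conditions expressed in Python and run over constructed HTTP request lines, so the rule can be checked against proxy or packet-capture output outside Security Analytics. It assumes that "service = 80" corresponds to the destination port of the request and that "action" is the HTTP method in lower case; the sample requests and source addresses are made up.

```python
from urllib.parse import urlsplit

# Constructed sample (source address, HTTP request line); not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET /images/css.ashx?nly=AbC123dEf HTTP/1.1"),  # matches
    ("10.0.0.6", "GET /css.ashx?nly=ZZ99 HTTP/1.1"),              # matches
    ("10.0.0.7", "GET /style/css.ashx?v=2 HTTP/1.1"),             # query does not begin with nly=
    ("10.0.0.8", "POST /css.ashx?nly=x HTTP/1.1"),                # action is post, not get
    ("10.0.0.9", "GET /index.html?nly=1 HTTP/1.1"),               # filename is not css.ashx
]


def extract_meta(request_line, dst_port=80):
    """Break an HTTP request line into the meta keys used by the query.

    Returns None for anything that is not a well-formed request line.
    """
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    url = urlsplit(target)
    return {
        "service": dst_port,                       # assumed: destination port
        "action": method.lower(),                  # 'get', 'post', ...
        "filename": url.path.rsplit("/", 1)[-1],   # last path component
        "query": url.query,                        # everything after '?'
    }


def matches_tendrit_rule(meta):
    """service = 80 && action = 'get' && filename = 'css.ashx' && query begins 'nly='"""
    return (meta is not None
            and meta["service"] == 80
            and meta["action"] == "get"
            and meta["filename"] == "css.ashx"
            and meta["query"].startswith("nly="))


def find_beacons(requests):
    """Return (source, query string) for every request that matches the rule."""
    hits = []
    for src, line in requests:
        meta = extract_meta(line)
        if matches_tendrit_rule(meta):
            hits.append((src, meta["query"]))
    return hits


if __name__ == "__main__":
    for src, query in find_beacons(SAMPLE_REQUESTS):
        print(f"possible Tendrit beacon from {src}: {query}")
```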


Scan results for a Tendrit variant can be viewed here.