Merge PR #5192 from @whichbuffer - Add Kalambur Backdoor Curl TOR SOCKS Proxy Execution

new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml

@@ -0,0 +1,33 @@
+title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
+id: e99375eb-3ee0-407a-9f90-79569cc6a01c
+status: experimental
+description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
+references:
+    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
+author: Arda Buyukkaya (EclecticIQ)
+date: 2025-02-11
+tags:
+    - attack.command-and-control
+    - attack.t1090
+    - attack.t1573
+    - attack.t1071.001
+    - attack.t1059.001
+    - attack.s0183
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\curl.exe'
+    selection_socks:
+        CommandLine|contains:
+            - 'socks5h://'
+            - 'socks5://'
+            - 'socks4a://'
+    selection_onion:
+        CommandLine|contains: '.onion'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high