From 0a34bc4d50ae5be38315f5bd2b18ff3bb5b8be7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arda=20B=C3=BCy=C3=BCkkaya?= <42712921+whichbuffer@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:33:20 +0100 Subject: [PATCH] Merge PR #5192 from @whichbuffer - Add `Kalambur Backdoor Curl TOR SOCKS Proxy Execution` new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali
---
 ...on_win_malware_kalambur_curl_socks_tor.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
diff --git a/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
new file mode 100644
index 000000000..f127888cc
--- /dev/null
+++ b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
@@ -0,0 +1,33 @@
+title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
+id: e99375eb-3ee0-407a-9f90-79569cc6a01c
+status: experimental
+description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
+references:
+ - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
+author: Arda Buyukkaya (EclecticIQ)
+date: 2025-02-11
+tags:
+ - attack.command-and-control
+ - attack.t1090
+ - attack.t1573
+ - attack.t1071.001
+ - attack.t1059.001
+ - attack.s0183
+ - detection.emerging-threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\curl.exe'
+ selection_socks:
+ CommandLine|contains:
+ - 'socks5h://'
+ - 'socks5://'
+ - 'socks4a://'
+ selection_onion:
+ CommandLine|contains: '.onion'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
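Review bot: `selection_img` keys the rule solely on `Image|endswith: '\curl.exe'`, so a copy of curl carrying a different on-disk name would pass the `all of selection_*` condition untouched even when the SOCKS and `.onion` command-line markers are present. A more robust form, in the style of other process_creation rules, is to make the selection a list of alternatives: `- Image|endswith: '\curl.exe'` and `- OriginalFileName: 'curl.exe'`, so either the path or the PE metadata can satisfy it. Separately, the `attack.t1059.001` (PowerShell) tag does not appear to be backed by anything the detection block matches on — the logic only references curl.exe and its command line — so it is presumably inherited from the referenced campaign write-up rather than from this rule; consider dropping it or noting the rationale in the description so the mapping is not misleading to analysts triaging on tags.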