Open PipeItToDevNull opened 11 months ago
I am not 100% sure how we implement the registry checks, but it would be nice if HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse returned a probably empty string (corresponding to the default REG_SZ), and a null if it doesn't exist.
https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/
AT&T recommends looking for a "Digital Pulse" executable at "%AppData%\" or a similarly named Registry key on "HKCU\Software\Microsoft\Windows\CurrentVersion\Run." If any are present, the researchers recommend removing them.
The name of the scheduled task is "DigitalPulseUpdateTask" and should also be deleted to eliminate the chance of the client update mechanism re-introducing the infection.
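One way to implement the check the issue asks for, covering all three indicators from the quoted write-up (Run value, %AppData% artifact, scheduled task). This is an added example, not the project's own registry-check code and not part of the original issue. It assumes the Run value is named exactly `DigitalPulse` and that the dropped file or folder name starts with `Digital Pulse`; neither the issue nor the article pins those down. The registry helper returns `$null` when the value (or the whole Run key) is absent and the string data, possibly `""`, when it exists, which is the null-versus-empty distinction the issue asks for.

```powershell
# Added example, not code from the issue or the project: a read-only check for the
# three "Digital Pulse" indicators quoted from the BleepingComputer/AT&T write-up.
# Assumptions (not stated in the issue): the Run value name is exactly "DigitalPulse"
# and the dropped executable/folder name starts with "Digital Pulse".

function Get-RunValue {
    # Returns $null when the value (or the Run key itself) is absent, and the
    # string data (possibly "") when the value exists, so "" and $null differ.
    param([Parameter(Mandatory)][string]$Name)

    $runKey = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($null -eq $runKey) { return $null }

    # GetValueNames() lists the values that actually exist under the key; GetValue()
    # alone would return the default for a missing value and hide the difference.
    if ($runKey.GetValueNames() -notcontains $Name) { return $null }
    return [string]$runKey.GetValue($Name, '')
}

function Test-DigitalPulse {
    [CmdletBinding()]
    param()

    $runValue = Get-RunValue -Name 'DigitalPulse'

    # The article places the executable directly under %AppData%; match loosely on the
    # name so a "Digital Pulse" folder or a "Digital Pulse.exe" file both count.
    $appDataHits = @(Get-ChildItem -Path $env:APPDATA -Filter 'Digital Pulse*' -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty FullName)

    # The update task that would re-drop the client after a partial cleanup.
    $task = Get-ScheduledTask -TaskName 'DigitalPulseUpdateTask' -ErrorAction SilentlyContinue
    $taskPath = $null
    if ($null -ne $task) { $taskPath = $task.TaskPath + $task.TaskName }

    [pscustomobject]@{
        RunValuePresent  = ($null -ne $runValue)
        RunValueData     = $runValue            # "" is a valid (empty) REG_SZ
        AppDataArtifacts = $appDataHits
        ScheduledTask    = $taskPath
        Infected         = ($null -ne $runValue) -or ($appDataHits.Count -gt 0) -or ($null -ne $taskPath)
    }
}

Test-DigitalPulse | Format-List
```

The check is deliberately read-only; removing the Run value, the %AppData% artifact and the task is a separate step, and the article recommends deleting all three together so the update task cannot reinstall the client. `Get-ScheduledTask` comes from the ScheduledTasks module (Windows 8 / Server 2012 and later); on older systems `schtasks /query /tn DigitalPulseUpdateTask` gives the same answer.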