Detection of this malware can be performed by monitoring for abnormal HTTP callouts as well as registry modifications. The DGA used to determine the malware's C2 follows a relatively well-patterned generation scheme, which can be used to help find abnormal callouts in web logs. Likewise, the current version of the malware includes a typo in the user agent string it uses to make these callouts, allowing for a solid detection that should not produce any false positives. While this is likely to be fixed quickly by the malware authors, it does allow for a quick and easy way to detect the malware in its current state. Malicious registry key modifications can be difficult to detect because of the sheer number of them made during normal operations, but patterning the behavior and the registry keys used by this malware can help find anomalous activity. Binary Defense’s Managed Detection and Response service is a great asset to assist with these types of detection needs.
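The two web-log detections described above (exact match on the misspelled user agent, structural match on DGA-style hostnames), as an added example that is not part of the original post. The user agent string, the DGA regex and the log lines are constructed placeholders, since the post does not publish the real values; substitute your own.

```python
import re
from urllib.parse import urlparse

# Placeholders: the post does not publish the misspelled user agent or the
# DGA pattern. Substitute the values from your own analysis.
TYPO_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                   "Gecko/20100101 Firefox/91.0 TYPO-PLACEHOLDER")
DGA_HOST_RE = re.compile(r"^[a-z]{12,16}\.(?:com|net|org)$")

# Combined log format with the request target recorded as a full URL,
# as a forward proxy would write it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return (reason, source_ip, host) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = urlparse(m.group("target")).hostname or ""
    if m.group("ua") == TYPO_USER_AGENT:
        # Exact match on the typo'd UA: high confidence, essentially no false positives.
        return ("ua_typo", m.group("src"), host)
    if DGA_HOST_RE.match(host):
        # Structural match on DGA output: lower confidence, review alongside other signals.
        return ("dga_pattern", m.group("src"), host)
    return None


def scan_log(lines):
    """Run both detections over an iterable of log lines and return the hits in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log: two benign requests, one typo-UA beacon, one DGA lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/91.0"',
    '10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "POST http://kqzvlmxptrwa.net/gate.php HTTP/1.1" 200 77 "-" "' + TYPO_USER_AGENT + '"',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET http://hwpmzvkqrtybn.com/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/91.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:10 +0000] "GET http://cdn.example.net/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/91.0"',
]

if __name__ == "__main__":
    for reason, src, host in scan_log(SAMPLE_LOG):
        print(f"{reason:12} {src:10} {host}")
```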