Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

Subject: Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

Tactics: TA0011 Command and Control, TA0010 Exfiltration, TA0001 Initial Access

Technique: T1071 Application Layer Protocol, T1041 Exfiltration Over C2 Channel, T1566.001 Phishing: Spearphishing Attachment

Procedure:

  • SilkSpecter used spearphishing emails with malicious attachments (T1566) to target Black Friday shoppers.
  • The attachments likely contained malware, which, when executed, established a connection to the threat actor’s command-and-control (C2) server using common protocols like HTTP or HTTPS (T1071).
  • This allowed the attackers to steal sensitive information like credit card details and personally identifiable information (PII) and send it back to their C2 server (T1041).

Vulnerability:

  • EAV0004: When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
  • EAV0006: When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data.

Engagement Opportunity:

  • Honeypot: Deploy a honeypot designed to mimic a typical online shopper’s environment, complete with decoy credit card information and PII. This can lure the attackers and allow for the study of their tools, techniques, and infrastructure.
  • Network Monitoring: Enhance network monitoring to detect suspicious outbound connections, especially those communicating with known or suspected C2 servers. This can help identify and block SilkSpecter’s activities in real time.

Threat Actor: SilkSpecter (Financially Motivated Chinese Threat Actor)

Threat Objective:

Financial gain through the theft of credit card details, PII, and other sensitive information.

Deception Opportunity:

  • Decoy Data: Seed the honeypot with decoy data that appears valuable but is actually fake. This can waste the attacker’s time and resources, and potentially deter them from further attacks.
  • False Flag Operation: Create a fake online store that appears vulnerable and attracts the attacker’s attention. This can be used to gather intelligence on their methods and disrupt their operations.
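The decoy-data and network-monitoring opportunities above can be combined into one honeytoken workflow: seed the shopper honeypot with decoy card numbers that pass the Luhn check (so a scraper keeps them), register each one with the profile it was planted in, and have the proxy layer flag any outbound HTTP/HTTPS request that carries one of them, which is by construction exfiltration (T1041) and names the destination as a suspected C2. The following is an added example, not code from the report; the test-range prefix, labels, hostnames and request bodies are constructed.

```python
import hashlib
import re

# Constructed test prefix for decoy cards (no real issuer range is targeted).
DECOY_PREFIX = "411111"

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for `partial` (the PAN without its final digit)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # this position is doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) == 16 and luhn_check_digit(pan[:-1]) == pan[-1]

def make_decoy_pan(label: str) -> str:
    """Deterministic 16-digit decoy PAN derived from a label; Luhn-valid so it looks genuine."""
    digest = int(hashlib.sha256(label.encode()).hexdigest(), 16)
    partial = DECOY_PREFIX + str(digest % 10**9).zfill(9)
    return partial + luhn_check_digit(partial)

# Honeytoken registry: decoy PAN -> where it was seeded (honeypot profile / form field).
HONEYTOKENS = {make_decoy_pan(lbl): lbl for lbl in
               ("honeypot-shopper-01/checkout", "honeypot-shopper-01/saved-cards")}

PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")

def scan_outbound(records, honeytokens=HONEYTOKENS):
    """records: (dst_host, request_body) pairs for outbound HTTP/HTTPS requests as seen by a
    TLS-inspecting proxy. A decoy PAN leaving the host is exfiltration; report its destination."""
    alerts = []
    for dst, body in records:
        for m in PAN_RE.finditer(re.sub(r"[ -]", "", body)):  # strip separators a thief may keep
            label = honeytokens.get(m.group())
            if label:
                alerts.append({"dst": dst, "decoy": label, "technique": "T1041"})
    return alerts

# Constructed sample traffic: a benign fetch, a real-looking non-decoy test number, and a POST
# carrying a seeded decoy (space-grouped) to a TEST-NET address standing in for a suspected C2.
DECOY = make_decoy_pan("honeypot-shopper-01/checkout")
SAMPLE_RECORDS = [
    ("cdn.example", "GET /assets/app.js"),
    ("shop.example", "pan=4012888888881881&cvv=123"),
    ("203.0.113.7", "data=" + " ".join(DECOY[i:i + 4] for i in range(0, 16, 4))),
]

if __name__ == "__main__":
    for a in scan_outbound(SAMPLE_RECORDS):
        print(f"ALERT decoy {a['decoy']} exfiltrated to {a['dst']} ({a['technique']})")
```

Because each decoy maps back to the profile it was planted in, one alert also tells you which honeypot artefact the actor harvested, which is the intelligence the engagement is meant to produce.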

Sensor Data Placement: Application

Observable Level: Core to Sub-Technique or Technique

Scoring Rationale:

  • The spearphishing attachment is specific to the attacker’s tools, but the application layer protocol used for C2 communication might be common across different malware families.
  • Exfiltration over the C2 channel is a fundamental aspect of this attack and is therefore more difficult for the attacker to modify.

Observable Level:

  • Spearphishing Attachment (T1566): Core to Adversary-Brought Tool
  • Application Layer Protocol (T1071): Core to Some Implementations of (Sub-)Technique
  • Exfiltration Over C2 Channel (T1041): Core to Sub-Technique or Technique

Link to Report:

Link to Report II.:

Additional Comments:

The report highlights the increasing sophistication of financially motivated threat actors and the need for proactive measures to protect against their attacks.

Possible elements: Deception-as-a-Service (DaaS) Platform, Deceptive Document Watermarks, Deceptive Metadata in Multimedia Files, Embedded Honeytokens, Poisoned Scripts

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# SilkSpecter Attack Graph

1: Initial Access (TA0001) - Spearphishing Attachment (T1566) - Email with malicious attachment (Core to Adversary-Brought Tool)
2: Command and Control (TA0011) - Application Layer Protocol (T1071) - Communicate with C2 server using HTTP/HTTPS (Core to Some Implementations of (Sub-)Technique)
3: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate stolen data over C2 channel (Core to Sub-Technique or Technique)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

# SilkSpecter Pseudocode

function Initial_Access_Spearphishing_Attachment(target_email):
    # Craft spearphishing email with malicious attachment
    # Send email to target_email
    return malware_payload

function Command_and_Control_Application_Layer_Protocol(malware_payload):
    # Execute malware_payload
    # Establish HTTP/HTTPS connection with C2 server
    return C2_communication_module

function Exfiltration_Exfiltration_Over_C2_Channel(C2_communication_module):
    # Steal sensitive data (credit card details, PII)
    # Send stolen data to C2 server over HTTP/HTTPS
    return success
