Water Barghest actively scans the internet for IoT devices with known vulnerabilities or default credentials. Once a vulnerable device is found, the group exploits it for initial access, whether through flaws in the device's web interface, default or weak credentials, or unpatched software.
Author: m3c4n1sm0
Ursnif Trojan – Stealthy Memory Execution
T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.
T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.
T1562.001 – The malware uses PowerShell commands to disable Windows Defender (Impair Defenses: Disable or Modify Tools).
T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.
T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.
T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
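The chain mapped above (LNK launched from Explorer, certutil decoding a Base64 payload, PowerShell tampering with Defender, cmd.exe running the decoded executable) is easiest to catch by correlating process-creation events along the parent tree rather than alerting on certutil alone. The following is an added example, not code from any vendor report on Ursnif: it scores constructed Sysmon-style process events against the technique IDs listed above and only treats hits as part of the LNK chain when they sit under a cmd.exe spawned by explorer.exe. The event records, image names and command lines are all constructed for illustration.

```python
"""Correlate process-creation events into the LNK -> certutil -> PowerShell -> cmd chain.
Example code added to this page; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name only, e.g. "certutil.exe"
    cmdline: str


# (ATT&CK technique, image name, regex over the command line)
RULES = [
    # T1140: certutil used to decode a Base64 (or hex) blob into a file
    ("T1140", "certutil.exe", re.compile(r"\s-decode(hex)?\b", re.I)),
    # T1562.001: Defender feature switched off via Set-MpPreference -Disable*
    ("T1562.001", "powershell.exe",
     re.compile(r"Set-MpPreference\b.*?-Disable\w*\s+(\$true|1)\b", re.I)),
    # T1059.003: cmd.exe launching an executable out of a user-writable temp path
    ("T1059.003", "cmd.exe",
     re.compile(r'/c\s+"?(?:%TEMP%|%APPDATA%|%LOCALAPPDATA%)\\[^\s"]*\.exe\b', re.I)),
]


def match_rules(ev: ProcEvent) -> List[str]:
    return [t for t, image, rx in RULES
            if ev.image.lower() == image and rx.search(ev.cmdline)]


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names of the ancestors of ev, nearest parent first (cycle-safe)."""
    out, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        out.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return out


def detect(events: List[ProcEvent]) -> List[dict]:
    """One finding per rule hit, flagged when it sits under explorer.exe -> cmd.exe
    (the shape a double-clicked LNK with a cmd.exe target produces)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        anc = ancestors(ev, by_pid)
        lnk_like = ("cmd.exe" in anc and "explorer.exe" in anc
                    and anc.index("cmd.exe") < anc.index("explorer.exe"))
        findings.append({"pid": ev.pid, "image": ev.image,
                         "techniques": hits, "lnk_like_chain": lnk_like})
    return findings


def chain_techniques(events: List[ProcEvent]) -> List[str]:
    """Sorted technique IDs observed inside LNK-like chains; all three together
    is the full Ursnif-style sequence described above."""
    seen = set()
    for f in detect(events):
        if f["lnk_like_chain"]:
            seen.update(f["techniques"])
    return sorted(seen)


# Constructed sample: one malicious chain plus benign certutil/PowerShell use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", "cmd.exe /c %TEMP%\\stage.bat"),            # LNK target
    ProcEvent(300, 200, "certutil.exe", "certutil -decode %TEMP%\\doc.pdf %TEMP%\\svc.exe"),
    ProcEvent(400, 200, "powershell.exe",
              "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(500, 200, "cmd.exe", "cmd.exe /c %TEMP%\\svc.exe"),
    ProcEvent(600, 1, "services.exe", "C:\\Windows\\System32\\services.exe"),
    ProcEvent(700, 600, "certutil.exe", "certutil -verify C:\\certs\\issuer.cer"),  # benign
    ProcEvent(800, 100, "powershell.exe", "powershell Get-MpPreference"),          # benign
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
    print("chain techniques:", chain_techniques(SAMPLE_EVENTS))
```

The parent-chain check is what keeps the certutil rule from firing on an administrator verifying a certificate: the benign certutil event above has services.exe as its parent and never matches, while the three malicious events all resolve to explorer.exe → cmd.exe and together cover T1140, T1562.001 and T1059.003.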
Ursnif Banking Trojan
The Ursnif banking trojan may be present in the environment, utilizing memory injection techniques to evade detection and maintain persistence.
COLDRIVER – SPICA malware
The APT group COLDRIVER uses spearphishing with PDF lure documents to deliver malware.
COLDRIVER – UNC4057, Star Blizzard and Callisto
The attacker, impersonating experts or affiliates of the target, sends a phishing link or a lure document that links to a “decryption” utility. That utility is the SPICA backdoor, which gives the attacker access to the victim's machine: it establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.
Deceptive Browser Extension
Goal: Gather information about web-based attacks by deploying a deceptive browser extension.
Approach: Collecting data on attacker activity through a deceptive browser extension.
This element involves creating a browser extension that mimics legitimate functionality but secretly collects information about attacker activity.
Process-Specific API Call Manipulation
Goal: Disrupt malware operation by manipulating API calls made by specific processes.
Approach: Intercepting and altering API calls to disrupt malicious activity.
This element involves monitoring API calls made by specific processes and selectively manipulating their responses to disrupt malware operation.
Linux Kernel Module Deception
Goal: Detect rootkit activity by presenting a deceptive view of kernel modules.
Approach: Monitoring kernel module activity for anomalies.
This element involves creating a deceptive kernel module that mimics legitimate modules but provides false information when queried by malicious actors.
Deception for Insider Threat Detection
Goal: To detect and mitigate insider threats using deceptive techniques.
Approach: Detecting malicious activities by insiders using deception.
This element involves deploying deception assets and techniques to detect and deter malicious insiders. It may include creating fake files, documents, or credentials that are designed to attract insider attention.
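A concrete form of the fake-credential approach is a honeytoken: a decoy account that no legitimate process ever uses, so any authentication attempt with it is an alert. The following is an added example, not part of this page or of any deception product: it derives each decoy username and password from an HMAC over the place the bait was planted, so a decoy seen in an auth log can be recognised and attributed to the file the insider read without a lookup database. The secret, the naming scheme, the planting locations and the sshd-style log lines are all constructed assumptions.

```python
"""Honeytoken credentials for insider-threat detection: decoy usernames carry an HMAC
tag bound to where the bait was planted, so an attempt both alerts and attributes.
Example code added to this page; secret, scheme and log lines are constructed."""
import base64
import hashlib
import hmac
import re
from typing import Dict, List

# Assumption: in production this lives in the deception server's secret store.
SECRET = b"deception-server-secret-example"

# Assumption: OpenSSH auth-log line shape; adapt the pattern for other sources.
_LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def _tag(kind: str, planted_at: str, length: int) -> str:
    """Lower-case base32 prefix of HMAC-SHA256(secret, kind:location)."""
    mac = hmac.new(SECRET, f"{kind}:{planted_at}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower().rstrip("=")[:length]


def make_decoy(planted_at: str, prefix: str = "svc") -> Dict[str, str]:
    """Deterministic decoy credential for one bait location."""
    return {
        "planted_at": planted_at,
        "username": f"{prefix}-{_tag('user', planted_at, 8)}",
        "password": _tag("pw", planted_at, 20),
    }


def render_bait_file(decoys: List[Dict[str, str]]) -> str:
    """Text of the file left where an insider would look (e.g. 'it-passwords.txt')."""
    lines = ["# shared service accounts - do not distribute"]
    lines += [f"{d['username']}:{d['password']}" for d in decoys]
    return "\n".join(lines) + "\n"


def build_index(locations: List[str], prefix: str = "svc") -> Dict[str, str]:
    """username -> planting location, recomputed from the secret each time."""
    return {make_decoy(loc, prefix)["username"]: loc for loc in locations}


def scan_auth_log(lines: List[str], index: Dict[str, str]) -> List[Dict[str, str]]:
    """Every attempt with a decoy username is an alert, successful or not."""
    alerts = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        loc = index.get(m["user"])
        if loc is not None:
            alerts.append({"user": m["user"], "src": m["src"],
                           "outcome": m["outcome"], "planted_at": loc})
    return alerts


# Constructed planting locations and log lines (not real data).
LOCATIONS = ["finance-share\\it-passwords.txt", "wiki:ops-runbook"]
_decoy = make_decoy(LOCATIONS[0])
SAMPLE_LOG = [
    "Mar  3 08:41:02 bastion sshd[4121]: Accepted password for alice from 10.0.5.12 port 50122 ssh2",
    f"Mar  3 08:42:17 bastion sshd[4130]: Failed password for invalid user {_decoy['username']} "
    "from 10.0.5.77 port 50140 ssh2",
    "Mar  3 08:43:01 bastion sshd[4131]: Accepted publickey for bob from 10.0.5.13 port 50150 ssh2",
]

if __name__ == "__main__":
    print(render_bait_file([make_decoy(loc) for loc in LOCATIONS]))
    for alert in scan_auth_log(SAMPLE_LOG, build_index(LOCATIONS)):
        print(alert)
```

Because the tag is keyed, an insider who finds the bait file cannot tell the accounts are decoys by inspection, and the detector needs only the list of planting locations plus the secret to attribute a hit back to the specific share or wiki page that was read.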
Deception-as-a-Service (DaaS) Platform
Goal: To offer a comprehensive platform for deploying and managing deception campaigns.
Approach: Planning and designing deception strategies based on organizational needs.
This element provides a centralized platform for deploying and managing deception campaigns. It includes tools for creating and customizing deception assets, deploying them across the network, and monitoring their interactions with adversaries.