- Threat actors scan for publicly exposed FortiGate firewall management interfaces.
- They exploit a probable zero-day vulnerability (later identified as CVE-2024-55591) to gain unauthorized access.
- Threat actors establish jsconsole sessions, often spoofing IP addresses such as loopback addresses or public DNS resolvers.
- They make various configuration changes, create new admin accounts, and enable SSL VPN access.
Category: Engage Reports
Engage Report: Double-Tap Campaign – Espionage in Central Asia
- A malicious macro in the initial Word document creates a second blank document and weaponizes it with another malicious macro.
- The second macro creates a scheduled task named “SettingsService Dispatch” using RegisterTaskDefinition.
- This task executes an HTA file containing the HATVIBE backdoor every four minutes using mshta.exe.
Engage Report: SCATTERED SPIDER Ransomware Operations in the Cloud
- Compromise a privileged account within the victim tenant (e.g., Global Administrator or Security Administrator).
- Establish inbound synchronization from an attacker-controlled tenant to the victim tenant.
- Provision malicious accounts within the victim tenant as needed.
- Maintain persistence and potentially move laterally across connected tenants.
Engage Report: LATRODECTUS
LATRODECTUS malware utilizes scheduled tasks for persistence, executing a copy of itself and establishing a foothold in the compromised system.
Engage Report: Real phishing is only two step phishing
Threat actors initiate the attack by sending phishing emails from compromised accounts. These emails often contain a Microsoft Visio (.vsdx) file hosted on SharePoint, which is used to deliver malicious URLs.
EU Phishing Campaign
The threat actors utilized phishing emails with attached PDF documents or embedded HTML links. These emails targeted European companies and organizations, aiming to harvest account credentials and take over the victim’s Microsoft Azure cloud infrastructure.
Engage Report: TA397 RATs War
TA397 utilizes a malicious shortcut (LNK) file embedded within a RAR archive. This LNK file, when activated, executes PowerShell code that creates a scheduled task on the victim’s machine. This scheduled task enables the download and execution of additional payloads, establishing persistence on the compromised system.
Engage Report: FLUX#CONSOLE
The threat actors utilize Microsoft Common Console Document (MSC) files to execute malicious JavaScript code. These MSC files are designed to mimic the appearance of PDF documents, deceiving users into opening them. Upon execution, the embedded JavaScript code facilitates the download and execution of a backdoor payload.
Engage Report for Lazarus new malware
The Lazarus group targeted employees of a nuclear-related organization with phishing emails containing malicious archive files. The emails were disguised as job opportunities at prominent aerospace and defense companies, aiming to trick the victims into opening the malicious attachments.
Engage Report: Glutton PHP Backdoor
- Tactic: Initial Access (TA0001)
- Technique: Exploit Public-Facing Application (T1190)
- Procedure: Exploit vulnerabilities (0-day and N-day) in public-facing PHP applications to gain initial access to the server.

- Tactic: Initial Access (TA0001)
- Technique: Valid Accounts (T1078)
- Procedure: Leverage weak-password brute-forcing techniques to compromise valid accounts and gain unauthorized access.

- Tactic: Initial Access (TA0001)
- Technique: Supply Chain Compromise (T1195)
- Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter: PHP (T1059.004)
- Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

- Tactic: Persistence (TA0003)
- Technique: Server Software Component: Web Shell (T1505.003)
- Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

- Tactic: Persistence (TA0003)
- Technique: Create or Modify System Process: Launch Daemon (T1543.003)
- Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

- Tactic: Command and Control (TA0011)
- Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
- Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

- Tactic: Command and Control (TA0011)
- Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP
- Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

- Tactic: Defense Evasion (TA0005)
- Technique: Obfuscated Files or Information (T1027)
- Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

- Tactic: Collection (TA0009)
- Technique: System Information Discovery (T1082)
- Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.

- Tactic: Exfiltration (TA0010)
- Technique: Exfiltration Over C2 Channel (T1041)
- Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.