Bootkitty is a UEFI bootkit that is executed early in the boot process, before the operating system is loaded. It installs hooks to intercept and modify the normal boot process, allowing it to persist even if the operating system is reinstalled or updated. The bootkit specifically targets the GRUB bootloader and the Linux kernel, patching them in memory to disable security checks and load malicious code.
Category: Engage Reports
Brute Force from Iran to Critical Infrastructure
The threat actors obtain valid user and group email accounts, often through brute force methods like password spraying [T1110.003], to gain initial access to the target’s network.
Nsocks Botnet Activity
The Nsocks botnet leverages vulnerabilities in specific Internet-facing applications, such as VMware Horizon servers with a known critical vulnerability (CVE-2021-21972). Once compromised, the attacker uses a custom protocol over TCP for command and control (C2) communication. This protocol involves various commands to manage the botnet, including downloading and executing files, launching DDoS attacks, and stealing credentials.
Inside Water Barghest's Rapid Exploit
Water Barghest actively scans the internet for vulnerable IoT devices, particularly those with known vulnerabilities or default credentials. Upon identifying a vulnerable device, they exploit it to gain initial access. This may involve exploiting vulnerabilities in web interfaces, using default or weak credentials, or leveraging unpatched software flaws.
Ursnif Trojan – Stealthy Memory Execution
T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.
T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.
T1562.004 – The malware uses PowerShell commands to disable Windows Defender.
T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.
T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.
T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
COLDRIVER – UNC4057, Star Blizzard and Callisto
The attacker, impersonating experts or affiliates, sends a phishing link or document containing a link to a “decryption” utility. This utility is malware (SPICA backdoor) that gives the attacker access to the victim’s machine. The malware establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.
The Bear and the Shell
T1566.001 – Procedure: The adversary sent spearphishing emails to individuals and organizations critical of the Russian government, using lures such as NASA job offers and articles from independent Russian media outlets. The emails contained malicious ZIP files with LNK files disguised as PDFs. When opened, these executed a PowerShell script to install a reverse shell.
T1059.001 – Procedure: The LNK file, when opened, executes a PowerShell script that decodes and executes a Base64-encoded command. This command downloads and installs the HTTP-Shell, a multiplatform reverse shell.
T1036 – Procedure: The adversary used a NASA-themed lure and designed the command-and-control server to resemble a legitimate PDF editing site to avoid detection.
T1071.001 – Procedure: The HTTP-Shell uses web protocols (HTTP) to communicate with the command-and-control server, enabling the adversary to send commands and receive data.
T1041 – Procedure: The HTTP-Shell allows the adversary to upload and download files, likely facilitating the exfiltration of data from the victim’s machine over the established command-and-control channel.
Sea Turtle – Engagement
The Sea Turtle threat actor compromised legitimate cPanel accounts, potentially through brute force attacks or credential stuffing, to gain initial access to target systems. This allowed them to establish a foothold and conduct further malicious activities within the victim’s IT infrastructure.
Extracting CrossC2 Configurations
The CrossC2 framework generates obfuscated Cobalt Strike payloads for Unix-like systems. These payloads contain encrypted configurations and potentially Malleable C2 profiles within an appended overlay. The payload itself may be packed with UPX and further obfuscated with techniques like LLVM string encryption. The configurations are encrypted using AES-128 CBC with a hardcoded key and IV.
To MFA or Not To MFA: How Multi-factor Authentication Saves the SMB
- Credential Theft: Attackers exploit weak or reused passwords to gain access to accounts without MFA. This can be done through brute-forcing, password spraying, or credential stuffing attacks.
- Session Hijacking: Attackers steal session tokens to bypass MFA. This can be done through adversary-in-the-middle (AiTM) attacks or by obtaining tokens from breaches and credential dumps.