The worst of all deceptions is self-deception
Goal: To identify attackers attempting to compromise or gain access to sensitive data within Docker containers.
Approach: Monitoring access to the deceptive container and analyzing attacker behavior. This element involves deploying a deceptive Docker container that mimics a legitimate container but contains fake or misleading data, or triggers alerts upon access.
Attackers who attempt to access or modify data within the deceptive container will be identified and their actions will be logged.
Lazarus group actors are actively targeting specific industries with tailored spearphishing attacks, utilizing trojanized remote access tools and a complex infection chain involving multiple malware stages and C2 communication for persistent access and data exfiltration.
The Lazarus group targeted employees of a nuclear-related organization with phishing emails containing malicious archive files. The emails were disguised as job opportunities at prominent aerospace and defense companies, aiming to trick the victims into opening the malicious attachments.
C.A.S actors gain initial access through the exploitation of public-facing applications, establish persistence, escalate privileges, and utilize various tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.
Goal: To identify attackers attempting to resolve internal domain names or perform DNS tunneling.
Approach: Monitoring queries to the fake DNS server and analyzing attacker behavior.
This element involves setting up a fake DNS server that responds to specific queries with deceptive answers or redirects them to a controlled environment.
The attacker may have used the malware to check for antivirus-related processes running in the system.
Tactic: Initial Access (TA0001)
Technique: Exploit Public-Facing Application (T1190)
Procedure: Exploit vulnerabilities (ODAY and NDAY) in public-facing PHP applications to gain initial access to the server.
Tactic: Initial Access (TA0001)
Technique: Valid Accounts (T1078)
Procedure: Leverage weak password brute-forcing techniques to compromise valid accounts and gain unauthorized access.
Tactic: Initial Access (TA0001)
Technique: Supply Chain Compromise (T1195)
Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.
Tactic: Execution (TA0002)
Technique: Command and Scripting Interpreter: PHP (T1059.004)
Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.
Tactic: Persistence (TA0003)
Technique: Server Software Component: Web Shell (T1505.003)
Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.
Tactic: Persistence (TA0003)
Technique: Create or Modify System Process: Launch Daemon (T1543.003)
Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.
Tactic: Command and Control (TA0011)
Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.
Tactic: Command and Control (TA0011)
Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP
Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.
Tactic: Defense Evasion (TA0005)
Technique: Obfuscated Files or Information (T1027)
Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.
Tactic: Collection (TA0009)
Technique: System Information Discovery (T1082)
Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.
Tactic: Exfiltration (TA0010)
Technique: Exfiltration Over C2 Channel (T1041)
Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.
Goal: To identify attackers attempting to exploit vulnerabilities in the logging system or to gather information about the system’s activity.
Approach: Monitoring the deceptive daemon for any signs of interaction or modification.
This element involves configuring a deceptive syslog daemon that listens for specific log messages and triggers deceptive responses, such as sending fake alerts or redirecting attackers to a honeypot.
Attackers who attempt to interact with or modify the deceptive daemon will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
Goal: To identify attackers attempting to exploit vulnerabilities in the service or to gain persistence on the system.
Approach: Monitoring the fake service for any signs of interaction or modification.This element involves creating a fake systemd service that mimics a legitimate service but performs a deceptive action, such as logging login attempts, triggering alerts, or redirecting connections to a honeypot.
Attackers who attempt to interact with or modify the fake service will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.
The attacker may have used the malware to check for antivirus-related processes running in the system.