The attacker may have used the malware to check for antivirus-related processes running in the system.
Tag: T1027
Engage Report: Glutton PHP Backdoor
- Tactic: Initial Access (TA0001)
- Technique: Exploit Public-Facing Application (T1190)
- Procedure: Exploit vulnerabilities (0-day and N-day) in public-facing PHP applications to gain initial access to the server.

- Tactic: Initial Access (TA0001)
- Technique: Valid Accounts (T1078)
- Procedure: Leverage weak-password brute-forcing techniques to compromise valid accounts and gain unauthorized access.

- Tactic: Initial Access (TA0001)
- Technique: Supply Chain Compromise (T1195)
- Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter: PHP (T1059.004)
- Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

- Tactic: Persistence (TA0003)
- Technique: Server Software Component: Web Shell (T1505.003)
- Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

- Tactic: Persistence (TA0003)
- Technique: Create or Modify System Process: Launch Daemon (T1543.003)
- Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

- Tactic: Command and Control (TA0011)
- Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
- Procedure: Establish an HTTP-based C2 channel for communication with the C2 servers (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

- Tactic: Command and Control (TA0011)
- Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP
- Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

- Tactic: Defense Evasion (TA0005)
- Technique: Obfuscated Files or Information (T1027)
- Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

- Tactic: Collection (TA0009)
- Technique: System Information Discovery (T1082)
- Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.

- Tactic: Exfiltration (TA0010)
- Technique: Exfiltration Over C2 Channel (T1041)
- Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.
Exploitation of Firefox and Windows zero-day vulnerabilities
The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.
Lazarus Lure in Yacht club
The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.
China shopping for Black Friday Gains
SilkSpecter actors are targeting online shoppers during the Black Friday period with spearphishing emails containing malicious attachments. These attachments likely contain obfuscated malware designed to evade detection and exfiltrate sensitive information like credit card details.
Game of Emperor
The threat actor has gained initial access and is utilizing various defense evasion techniques to avoid detection while establishing persistence and maintaining control.
COLDRIVER – SPICA malware
APT group Coldriver uses spearphishing to deliver malware via PDFs as lure documents.
Campaign against Russian Opposition
The attacker may use phishing emails with malicious attachments to deliver and execute a malicious tool, such as a reverse shell, on the victim’s machine. The tool will likely use web protocols to communicate with the attacker’s C2 server.