Engage Report: Glutton PHP Backdoor

  • Tactic: Initial Access (TA0001)

  • Technique: Exploit Public-Facing Application (T1190)

  • Procedure: Exploit vulnerabilities (0-day and N-day) in public-facing PHP applications to gain initial access to the server.

 

  • Tactic: Initial Access (TA0001)

  • Technique: Valid Accounts (T1078)

  • Procedure: Brute-force weak passwords to compromise valid accounts and gain unauthorized access.

 

  • Tactic: Initial Access (TA0001)

  • Technique: Supply Chain Compromise (T1195)

  • Procedure: Distribute business systems pre-seeded with the 10ader_shell backdoor through cybercrime source-code forums.

 

  • Tactic: Execution (TA0002)

  • Technique: Command and Scripting Interpreter (T1059): PHP

  • Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) inside the web application's PHP runtime to stage and run the later modules.

 

  • Tactic: Persistence (TA0003)

  • Technique: Server Software Component: Web Shell (T1505.003)

  • Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

 

  • Tactic: Persistence (TA0003)

  • Technique: Create or Modify System Process: Launch Daemon (T1543.003)

  • Procedure: Install the Winnti backdoor as a daemon by modifying the /etc/init.d/network init script so the backdoor is started at boot.
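
The two persistence entries above describe artefacts a responder can sweep for: PHP files with an injected shell and an init script that no longer matches what was deployed. The following is an added example written for this page (it is not code from the Glutton report or its authors): a scanner for generic web-shell idioms in PHP source, plus a hash check of an init script against a baseline recorded at deployment time. The indicator regexes are generic web-shell patterns chosen by the editor, not Glutton signatures, and the sample PHP files and the init script are constructed for the demo.

```python
"""Sweep a web root for injected PHP web shells (T1505.003) and detect drift
in an init script such as /etc/init.d/network.  Added editor example; the
regexes are generic web-shell idioms, not signatures from the Glutton report,
and the PHP samples below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Generic web-shell idioms.  Broad on purpose: a hit is a lead for manual
# review, not proof of compromise.
INDICATORS = [
    ("eval-of-decoded-input", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)),
    ("superglobal-to-exec", re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open|assert|eval)"
        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("variable-function-on-superglobal", re.compile(
        r"\$[A-Za-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("long-base64-literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def scan_php_source(src):
    """Return [(indicator_name, line_number), ...] for one PHP file's text."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Walk a web root; return {relative_posix_path: hits} for files with hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_php_source(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def init_script_drift(path, baseline_sha256):
    """True if the init script no longer matches the hash recorded at
    deployment.  The baseline must come from a trusted store (CMDB, package
    metadata), never from the host being checked."""
    return sha256_of(path) != baseline_sha256


# Constructed samples: one clean file, one with an appended eval shell, one
# dropper-style variable-function shell.  Not real Glutton artefacts.
SAMPLES = {
    "index.php": "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho 'Hello ' . $name;\n",
    "inc/header.php": "<?php\n/* theme header */\nfunction render($t) { return $t; }\n"
                      "@eval(base64_decode($_POST['x']));\n",
    "uploads/cache.php": "<?php\n$f = $_REQUEST['f'];\n$f($_REQUEST['c']);\n",
}


def demo():
    """Write the samples to a temp web root, scan it, and simulate an init
    script that gained one appended line after its baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        findings = scan_tree(tmp)
        init = Path(tmp, "network")
        init.write_text("#!/bin/sh\n/sbin/ifup -a\n")
        baseline = sha256_of(init)          # recorded at deployment time
        init.write_text(init.read_text() + "/tmp/.x/daemon &\n")  # attacker append
        return findings, init_script_drift(init, baseline)


if __name__ == "__main__":
    found, drifted = demo()
    for rel, hits in found.items():
        print(rel, hits)
    print("init script drifted:", drifted)
```

On a packaged host the baseline check is what `rpm -V` or `dpkg --verify` already do for files owned by a package; the hash function here covers scripts that were written by hand or by a deployment tool. Review every scanner hit by hand, since legitimate plugins occasionally use eval on decoded data.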

 

  • Tactic: Command and Control (TA0011)

  • Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP

  • Procedure: Establish an HTTP-based C2 channel to the C2 servers (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads over it.

 

  • Tactic: Command and Control (TA0011)

  • Technique: Non-Application Layer Protocol (T1095): UDP

  • Procedure: Use UDP as a C2 channel to the PHP backdoor, carrying command execution and data exfiltration.
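
The two C2 entries above give a defender two handles: the named domains, and the fact that a loader talking to a fixed C2 host tends to contact it on a schedule. The following is an added example written for this page (not code from the Glutton report or its authors) that runs both checks over HTTP proxy log lines. Check 1 matches the report's C2 domains; matching the whole thinkphp1.com zone rather than only v6 and v20 is the editor's choice. Check 2 is a generic beaconing heuristic (near-constant interval between contacts from one client to one host); the report does not state Glutton's beacon timing, so the hit count and jitter thresholds are assumptions. The log lines and their 'timestamp src method url status' layout are constructed for the demo.

```python
"""Flag likely C2 traffic in proxy logs: known C2 domains (from the report)
and beacon-like timing (generic heuristic).  Added editor example; the log
lines and thresholds are constructed/assumed, not from the Glutton report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Parent zone of the C2 hosts named in the report (v6./v20.thinkphp1.com).
KNOWN_C2_DOMAINS = {"thinkphp1.com"}


def is_known_c2(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def parse_line(line):
    """'2024-12-01T10:00:00Z 10.0.0.5 GET http://host/path 200' -> (ts, src, host)."""
    ts, src, _method, url, _status = line.split()
    host = url.split("//", 1)[1].split("/", 1)[0].split(":")[0]
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host


def interval_stats(timestamps):
    """Mean gap in seconds and coefficient of variation (stdev / mean).
    A low CV means the contacts are evenly spaced, i.e. beacon-like."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def analyze(lines, min_hits=6, max_cv=0.2):
    """Return {(src, host): [reasons]} for client/host pairs worth a look."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        seen[(src, host)].append(ts)
    findings = {}
    for (src, host), stamps in seen.items():
        reasons = []
        if is_known_c2(host):
            reasons.append("known-c2-domain")
        if len(stamps) >= min_hits:            # assumed minimum for timing analysis
            m, cv = interval_stats(stamps)
            if cv <= max_cv:                    # assumed jitter tolerance
                reasons.append(f"beacon~{m:.0f}s")
        if reasons:
            findings[(src, host)] = reasons
    return findings


# Constructed log: one host beaconing to a report domain roughly every 60 s,
# one host browsing irregularly, and a single contact to the second domain.
SAMPLE_LOG = [
    "2024-12-01T10:00:00Z 10.0.0.5 GET http://v6.thinkphp1.com/task 200",
    "2024-12-01T10:01:00Z 10.0.0.5 GET http://v6.thinkphp1.com/task 200",
    "2024-12-01T10:02:01Z 10.0.0.5 GET http://v6.thinkphp1.com/task 200",
    "2024-12-01T10:03:00Z 10.0.0.5 GET http://v6.thinkphp1.com/task 200",
    "2024-12-01T10:04:00Z 10.0.0.5 GET http://v6.thinkphp1.com/task 200",
    "2024-12-01T10:05:02Z 10.0.0.5 GET http://v6.thinkphp1.com/task 200",
    "2024-12-01T10:00:00Z 10.0.0.7 GET http://www.example.org/ 200",
    "2024-12-01T10:00:05Z 10.0.0.7 GET http://www.example.org/a.css 200",
    "2024-12-01T10:07:30Z 10.0.0.7 GET http://www.example.org/news 200",
    "2024-12-01T10:08:00Z 10.0.0.7 GET http://www.example.org/img 200",
    "2024-12-01T10:30:00Z 10.0.0.7 GET http://www.example.org/ 200",
    "2024-12-01T10:31:10Z 10.0.0.7 GET http://www.example.org/b 200",
    "2024-12-01T10:12:00Z 10.0.0.9 GET http://v20.thinkphp1.com/x 200",
]

if __name__ == "__main__":
    for pair, reasons in analyze(SAMPLE_LOG).items():
        print(pair, reasons)
```

The same per-pair interval check applies to the UDP channel; only the parser changes, reading flow records (src, dst, port, time) instead of proxy lines. Block the named domains at the resolver and proxy regardless of whether timing analysis fires.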

 

  • Tactic: Defense Evasion (TA0005)

  • Technique: Obfuscated Files or Information (T1027)

  • Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

 

  • Tactic: Discovery (TA0007)

  • Technique: System Information Discovery (T1082)

  • Procedure: Collect system information (OS version, PHP version) and sensitive data from Baota (BT) server-management panels to gain situational awareness and identify valuable targets.

 

  • Tactic: Exfiltration (TA0010)

  • Technique: Exfiltration Over C2 Channel (T1041)

  • Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.

Engage Report: Zloader Trojan Analysis

Zloader operators have been observed using legitimate remote management tools (AnyDesk, TeamViewer, Microsoft Quick Assist) for initial access. They socially engineer victims into granting remote access to their systems, then deploy Zloader over that session.

Technique: Valid Accounts [T1078] –> Remote Services [T1021] –> Remote Desktop Protocol [T1021.001]

Brute Forcing Hunt 4 Hunt

The threat actor uses brute force and password spraying against many accounts until one is compromised. Once in, the actor gathers credentials and other information about the network to sell.

Brute Force from Iran to Critical Infrastructure

The threat actors obtain valid user and group email accounts, often through brute force methods like password spraying [T1110.003], to gain initial access to the target’s network.

Volt Typhoon Engagement

Volt Typhoon actors rely on valid accounts for persistence. They first gain initial access to a network by exploiting vulnerabilities in public-facing applications. Then, they obtain administrator credentials and maintain persistence on the network. They are known to use compromised credentials for follow-on activities, such as logging into the victim’s network via VPN.

Sea Turtle – Engagement

The Sea Turtle threat actor compromised legitimate cPanel accounts, potentially through brute force attacks or credential stuffing, to gain initial access to target systems. This allowed them to establish a foothold and conduct further malicious activities within the victim’s IT infrastructure.

To MFA or Not To MFA: How Multi-factor Authentication Saves the SMB

  • Credential Theft: Attackers exploit weak or reused passwords to gain access to accounts without MFA. This can be done through brute forcing, password spraying, or credential stuffing attacks.
  • Session Hijacking: Attackers steal session tokens to bypass MFA. This can be done through adversary-in-the-middle (AiTM) attacks or by obtaining tokens from breaches and credential dumps.
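
Several of the entries above (Hunt 4 Hunt, the Iran advisory, Sea Turtle, and the credential-theft bullet) describe the same two patterns in an authentication log: password spraying (one or two guesses against many accounts) and single-account brute force (many guesses against one account), followed by a success from the same source. The following is an added example written for this page, not code from any of those reports, that classifies failure bursts per source IP and flags a success that follows a burst. The log layout ('timestamp user source result'), the sample events and the thresholds are constructed for the demo; tune the thresholds to your own baseline before relying on them.

```python
"""Classify failed-login bursts per source as password spraying or brute
force and flag a success from a source that was already bursting.  Added
editor example; log format, events and thresholds are constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse(line):
    """'2024-12-01T10:00:00Z user src FAIL|OK' -> (ts, user, src, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, src, result


def classify(lines, window=timedelta(minutes=10), spray_users=8, brute_attempts=10):
    """Return {src: {"pattern": str, "success_after_burst": [users]}}.

    spray: >= spray_users distinct accounts failed from one source inside the
    window, no account tried more than twice.  brute-force: >= brute_attempts
    failures against one account.  Thresholds are assumptions."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    failures = defaultdict(list)          # src -> [(ts, user)]
    report = {}
    for ts, user, src, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        recent = [(t, u) for t, u in failures[src] if ts - t <= window]
        per_user = defaultdict(int)
        for _, u in recent:
            per_user[u] += 1
        pattern = None
        if len(per_user) >= spray_users and max(per_user.values()) <= 2:
            pattern = "password-spray"
        elif per_user and max(per_user.values()) >= brute_attempts:
            pattern = "brute-force"
        if pattern:
            entry = report.setdefault(src, {"pattern": pattern, "success_after_burst": []})
            entry["pattern"] = pattern
        if result == "OK" and src in report:
            report[src]["success_after_burst"].append(user)
    return report


# Constructed sample log (usernames and IPs are placeholders).
BASE = datetime(2024, 12, 1, 10, 0, tzinfo=timezone.utc)


def _line(sec, user, src, result):
    stamp = (BASE + timedelta(seconds=sec)).isoformat().replace("+00:00", "Z")
    return f"{stamp} {user} {src} {result}"


SAMPLE_LOG = (
    # 203.0.113.9: one guess each against 12 accounts, then a hit on jdoe
    [_line(10 * i, f"user{i:02d}", "203.0.113.9", "FAIL") for i in range(12)]
    + [_line(130, "jdoe", "203.0.113.9", "OK")]
    # 198.51.100.4: 15 guesses against admin inside one minute
    + [_line(4 * i, "admin", "198.51.100.4", "FAIL") for i in range(15)]
    # 192.0.2.77: a user who mistypes twice, then logs in (benign)
    + [_line(300, "alice", "192.0.2.77", "FAIL"),
       _line(320, "alice", "192.0.2.77", "FAIL"),
       _line(340, "alice", "192.0.2.77", "OK")]
)

if __name__ == "__main__":
    for src, info in classify(SAMPLE_LOG).items():
        print(src, info)
```

Credential stuffing looks identical to spraying in this view, since the log does not show which password was tried; the success-after-burst flag is what matters operationally in both cases, because it names the account to reset and the session to kill. A source that rotates IPs per attempt will defeat per-source counting; aggregate on the target account or on an ASN as a second pass.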