The attackers leveraged WMI, Microsoft’s command-line tool, to execute commands on a remote computer, indicating a possible exploitation of external remote services for gaining initial access to the network.
Tag: T1133
Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
Hunting the Emperor – Engage Game of Emperor
Earth Estries exploited vulnerabilities in public-facing servers, such as CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN, and CVE-2022-3236 in Sophos Firewall, to gain initial access. They then used web shells like GHOSTSPIDER and SNAPPYBEE for persistence and command and control, allowing them to maintain long-term access to the victim’s network.
Brute Forcing Hunt 4 Hunt
The threat actor will use brute force and password spraying to target multiple accounts until one is successfully compromised. Once in, the threat actor will attempt to gather credentials and other information about the network to sell.