T1543.003 – D E C E I V E R . I O

Engage Report: Glutton PHP Backdoor

Tactic: Initial Access (TA0001)
Technique: Exploit Public-Facing Application (T1190)
Procedure: Exploit vulnerabilities (ODAY and NDAY) in public-facing PHP applications to gain initial access to the server.

Tactic: Initial Access (TA0001)
Technique: Valid Accounts (T1078)
Procedure: Leverage weak password brute-forcing techniques to compromise valid accounts and gain unauthorized access.

Tactic: Initial Access (TA0001)
Technique: Supply Chain Compromise (T1195)
Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

Tactic: Execution (TA0002)
Technique: Command and Scripting Interpreter: PHP (T1059.004)
Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

Tactic: Persistence (TA0003)
Technique: Server Software Component: Web Shell (T1505.003)
Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

Tactic: Persistence (TA0003)
Technique: Create or Modify System Process: Launch Daemon (T1543.003)
Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

Tactic: Command and Control (TA0011)
Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

Tactic: Command and Control (TA0011)
Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP
Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

Tactic: Defense Evasion (TA0005)
Technique: Obfuscated Files or Information (T1027)
Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.
Tactic: Collection (TA0009)
Technique: System Information Discovery (T1082)
Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.
Tactic: Exfiltration (TA0010)
Technique: Exfiltration Over C2 Channel (T1041)
Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.

Hunt: Snowblind – The Invisible Hand of Secret Blizzard

A sophisticated attacker, potentially the “Secret Blizzard” group, has gained access to the network and is actively attempting to establish persistence, evade detection, escalate privileges, and collect sensitive data. They are likely using custom malware with advanced anti-analysis capabilities and are targeting specific systems and data.

RomCom – Firefox and Windows Exec Duo

T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.

T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.

T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.

T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.

T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.

T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.

Tag: T1543.003

Engage Report: Glutton PHP Backdoor

Hunt: Snowblind – The Invisible Hand of Secret Blizzard

RomCom – Firefox and Windows Exec Duo

ORION Detlab: Forging Resilient Detections in the HEFAISTOS Ecosystem

The Maieutic Engine: Birth of a New Detection Engineering Paradigm

The Forge, The Guide, and The Hunter: Unifying Detection Engineering with the Mythological Triad of HEFAISTOS, KEDALION, and ORION

Dendrite: Bridging the Synaptic Gap Between External Intelligence and Internal Defense