
Warp Panda’s Operation BrickStorm
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
Summary of Actor: UTA0178 is a sophisticated ransomware group known for targeting high-value assets and demanding significant ransoms. They have a reputation for quickly adapting their tactics and technology to bypass security measures. Their operations demonstrate a high level of coordination and technical acumen.

General Features: UTA0178 is adept at utilizing multiple attack vectors, including phishing, software vulnerabilities, and insider threats. They frequently employ double extortion techniques, threatening to release stolen data if the ransom isn't paid. Their malware is often customized to evade detection.

Related Other Groups: Group A, Group B, Group C

Indicators of Attack (IoA):
- Unusual network traffic
- Unauthorized access attempts
- Unexpected system shutdowns
- Communication with known malicious IP addresses

Recent Activities and Trends:

Latest Campaigns: UTA0178 recently conducted a significant campaign against financial institutions, leveraging CVE-2021-34527 to gain initial access and deploy their ransomware. They have also been linked to attacks on healthcare organizations during the COVID-19 pandemic, exploiting vulnerabilities in remote work infrastructure.

Emerging Trends: UTA0178 has shown a growing interest in targeting supply chain networks rather than individual companies directly. They have also begun to incorporate more sophisticated evasion techniques, such as advanced obfuscation methods in their malware code, to avoid detection by traditional antivirus solutions.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1003 - OS Credential Dumping
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Credential Dumping via Sensitive Memory and Registry Access Correlation | | Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction. |
| | | | Processes opening /proc/<pid>/mem or /proc/<pid>/maps targeting credential-storing services such as sshd or login. Behavior often includes escalation to high privilege and use of memory inspection tools such as gcore or gdb. |
| | | | Unsigned processes accessing system memory or launching known credential-scraping tools (e.g., osascript, dylib injection) to access the Keychain or sensitive memory regions. |
T1021 - Remote Services
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity | | Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections. |
| | | | SSH session from a new source IP followed by an interactive shell or privilege escalation (e.g., sudo, su) and an outbound lateral connection. |
| | | | Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files. |
| | | | Use of a cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments. |
| | | | vSphere API logins (vimService) or SSH to an ESXi host followed by unauthorized shell commands or lateral remote logins from the ESXi host. |
T1036 - Masquerading
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy | | Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage. |
| | | | Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after the file drop. |
| | | | Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with the binary path or icon). Launch is correlated with user logon or persistence setup. |
| | | | Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs. |
| | | | Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds. |
T1037 - Boot or Logon Initialization Scripts
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Monitoring modification and execution of user or system logon scripts, such as registry Run keys or startup folders. |
| | | | Detection of changes to or execution of shell initialization scripts such as .bashrc, .profile, or /etc/profile for persistence. |
| | | | Monitoring for modification and execution of login hook scripts or LaunchAgents/LaunchDaemons used for persistence. |
| | | | Detection of modification to ESXi rc.local.d or rc scripts that execute on boot. |
| | | | Detection of changes to device startup-config files that include boot scripts or scheduled execution routines. |
T1041 - Exfiltration Over C2 Channel
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols such as HTTPS, DNS, or custom TCP/UDP ports, following file or data access. |
| | | | Monitors for processes reading sensitive files and then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads. |
| | | | Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios. |
| | | | Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa. |
T1071 - Application Layer Protocol
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection of Command and Control Over Application Layer Protocols | | Detects suspicious usage of common application-layer protocols (e.g., HTTP, HTTPS, DNS, SMB) by abnormal processes, with high outbound byte counts or irregular ports, possibly indicating command and control or data exfiltration. |
| | | | Detects suspicious curl, wget, or custom socket traffic that leverages DNS, HTTPS, or IRC-style protocols with unbalanced traffic or beacon-like intervals. |
| | | | Detects applications using abnormal protocols or high-volume traffic not previously associated with the process image, such as Automator or AppleScript invoking curl or python sockets. |
| | | | Detects application-layer tunneling or unauthorized app protocols such as DNS-over-HTTPS, embedded C2 in TLS/HTTP headers, or misused SMB traffic crossing VLANs. |
T1078 - Valid Accounts
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints. |
| | | | Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns. |
| | | | Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity. |
| | | | Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures. |
| | | | Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs. |
T1083 - File and Directory Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Recursive Enumeration of Files and Directories Across Privilege Contexts | | Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations. |
| | | | Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories. |
| | | | Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows. |
| | | | Execution of esxcli commands to enumerate datastores, configuration files, or directory structures by unauthorized or remote users. |
| | | | Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs. |
T1090 - Proxy
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection of Proxy Infrastructure Setup and Traffic Bridging | | Suspicious process spawning (e.g., rundll32, svchost, powershell, or netsh) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports. |
| | | | User-space tools (e.g., socat, ncat, iptables, ssh) used in non-standard ways to establish reverse shells, port forwarding, or inter-host connections, often chained with uncommon outbound destinations or SSH tunnels. |
| | | | AppleScript, LaunchAgents, or remote login services (ssh, networksetup) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts. |
| | | | Direct use of nc, socat, or reverse tunnel scripts initiated from abnormal user contexts, or unauthorized VIBs initiating connections from the hypervisor to external systems. |
| | | | Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy or firewall rules not aligned with baselined policy. |
T1105 - Ingress Tool Transfer
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded). |
| | | | Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk. |
| | | | Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories. |
| | | | Command-line interface or vCLI triggers a remote transfer using wget or curl, writing files into datastore paths or local tmp directories. |
| | | | Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks. |
T1505 - Server Software Component
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Installation of malicious IIS/Apache/SQL Server modules that later execute command-line interpreters or establish outbound connections. |
| | | | Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells. |
| | | | Malicious use of web server plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets. |
| | | | Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services. |
T1548 - Abuse Elevation Control Mechanism
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection Strategy for Abuse Elevation Control Mechanism (T1548) | | Correlate registry modifications (e.g., UAC bypass registry keys), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions with non-standard tokens or elevation flags. |
| | | | Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users. |
| | | | Detect execution of /usr/libexec/security_authtrampoline or use of the AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges. |
| | | | Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation. |
| | | | Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior. |
T1574 - Hijack Execution Flow
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection Strategy for Hijack Execution Flow across OS platforms | | Unusual modifications to service binary paths, registry keys, or DLL load paths resulting in an alternate execution flow. Defender observes registry key modifications, suspicious file writes into system directories, and processes loading libraries from abnormal paths. |
| | | | Adversary manipulation of shared library paths, environment variables, or replacement of service binaries. Defender observes suspicious modifications in /etc/ld.so.preload, service config changes, or file writes replacing existing executables. |
| | | | Abuse of DYLD_INSERT_LIBRARIES or hijacking of framework paths for malicious libraries. Defender observes processes loading abnormal dylibs, modified plist files, or persistence entries pointing to altered binaries. |
T1531 - Account Access Removal
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Correlated user account modification (reset, disable, deletion) events with anomalous process lineage (e.g., PowerShell or net.exe from an interactive session), especially outside of IT admin change windows or by non-admin users. |
| | | | Password changes or account deletions via 'passwd', 'userdel', or 'chage' preceded by an interactive shell or remote command execution from non-privileged accounts. |
| | | | Execution of dscl or sysadminctl commands to disable, delete, or modify users, combined with anomalous process ancestry or terminal session launch. |
| | | | Invocation of esxcli 'system account remove' from vCLI, SSH, or the vSphere API with anomalous user access or outside maintenance windows. |
| | | | O365 UnifiedAuditLog entries for Remove-Mailbox or Set-Mailbox with account disable or delete actions, correlated with suspicious login locations or MFA bypass. |
| | | | Deletion or disablement of user accounts in platforms such as Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within a short duration. |
T1080 - Taint Shared Content
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detects adversary tampering with shared directories via file drops (e.g., malicious LNK, EXE, VBS) followed by user execution or suspicious network activity. |
| | | | Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths. |
| | | | Detects modification of shared network folders via .app bundles or scripting files with hidden extensions (e.g., double extensions such as docx.app). |
| | | | Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions. |
| | | | Detects embedded macros or scripts added to shared documents, or use of external references to execute code. |
T1140 - Deobfuscate/Decode Files or Information
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detect Adversary Deobfuscation or Decoding of Files and Payloads | | An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution. |
| | | | The adversary uses native utilities such as base64, gzip, tar, or openssl to decode, decompress, or decrypt files that were previously staged or downloaded. These tools may be chained with curl/wget and executed via bash/zsh, often to extract an embedded payload or reverse shell script. |
| | | | The adversary invokes built-in scripting or decoding tools such as base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript. |
T1106 - Native API
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls | | Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing. |
| | | | Userland processes invoking syscall-heavy libraries (libc, glibc) followed by fork, mmap, or ptrace behavior commonly associated with code injection or memory manipulation. |
| | | | Execution of processes that link to CoreServices or Foundation APIs followed by creation of memory regions, code execution, or abnormal library injection. |
T1547 - Boot or Logon Autostart Execution
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup. |
| | | | Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot. |
| | | | Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon. |
T1573 - Encrypted Channel
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection Strategy for Encrypted Channel across OS Platforms | | Processes that normally do not initiate network connections establishing outbound encrypted TLS/SSL sessions, especially with asymmetric traffic volumes (client sending more than receiving) or non-standard certificate chains. Defender observations correlate process creation with unexpected network encryption libraries being loaded. |
| | | | Processes such as curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal connect() syscalls, loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally. |
| | | | Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing SSL/TLS API calls by processes not baseline-approved, and payload entropy suggesting encrypted C2 sessions. |
| | | | VMware management daemons or guest processes initiating encrypted connections outside expected vCenter, update servers, or internal communications. Defender identifies hostd or vpxa initiating outbound TLS flows to uncommon destinations. |
| | | | Unusual TLS tunnels through ports not normally encrypted (e.g., TLS on port 8080 or 53). Defender sees NetFlow/IPFIX or packet inspection indicating high-entropy traffic volumes and asymmetric client/server exchange ratios. |
T1059 - Command and Scripting Interpreter
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Behavioral Detection of Command and Scripting Interpreter Abuse | | Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events. |
| | | | Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities such as netcat, curl, or ssh. |
| | | | Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications. |
| | | | Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked unexpectedly from SSH or the host terminal. |
| | | | Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs. |
T1027 - Obfuscated Files or Information
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation. |
| | | | Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration. |
| | | | Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes. |
| | | | Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams. |
| | | | Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs). |
T1095 - Non-Application Layer Protocol
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Anomalous use of ICMP or UDP by non-network service processes for data exfiltration or remote control, especially if traffic bypasses proxy infrastructure or shows unusual flow patterns. |
| | | | ICMP or raw socket traffic generated by user-mode processes such as bash, Python, or nc, typically using ping, hping3, or crafted packets via libpcap or scapy. |
| | | | Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior. |
| | | | VMCI (Virtual Machine Communication Interface) traffic between guest and host, or between VMs, originating from non-management tools or unauthorized binaries. |
| | | | Non-standard port/protocol pairings or low-entropy ICMP traffic resembling tunneling patterns (e.g., fixed-size pings with delays). |