Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – Malicious email attachments were used to deliver the ZIP archive containing the lure files and executable (‘The campaign distributes malicious suspected email attachments through spear phishing’).
• [T1204.002] User Execution: Malicious File – The victim must open the attached archive and run the disguised executable to trigger infection (‘Immediately after execution, this document is displayed on the user’s screen’).
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The sample is mapped to command execution behavior on Windows during staging and launching of the payload (‘executing it on the victim machine’).
• [T1106] Native API – The malware uses Windows APIs such as GetComputerNameExW, GetVolumeInformationW, NtWriteFile, and CreateProcessA to perform its actions (‘The malware retrieves the machine hostname using GetComputerNameExW’).
• [T1036.004] Masquerading: Match Legitimate Name or Location – The executable and documents are disguised as legitimate CAI/order-confirmation and business files (‘disguised as a legitimate order confirmation document’).
• [T1027] Obfuscated Files or Information – The payload and victim data are encrypted or otherwise obscured using XOR and multi-step decryption (‘encrypts it using a simple XOR method’).
• [T1140] Deobfuscate/Decode Files or Information – The malware decrypts the received payload and extracts it before execution (‘decrypts the payload using AES-256 in blocks’).
• [T1082] System Information Discovery – The malware gathers hostname, volume serial, and other system details to profile the victim (‘collecting system information to build a unique victim profile’).
• [T1016] System Network Configuration Discovery – It enumerates adapters and network addresses to learn the victim’s network environment (‘scans all network adapters using GetAdaptersAddresses’).
• [T1033] System Owner/User Discovery – The malware collects environment variables tied to the logged-in user and domain (‘USER – the currently logged-in username’).
• [T1083] File and Directory Discovery – The malware writes the dropped payload into user document locations and operates on file paths (‘saves the file either in one of these locations’).
• [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and exfiltration occur over HTTPS and HTTP POST (‘sent to the server cdn.kleymarket.ru over HTTPS’).
• [T1090.001] Proxy: Internal Proxy – The use of an intermediary network path is indicated by the mapped proxy-related behavior in the infrastructure and ATT&CK mapping (‘Proxy: Internal Proxy’).
• [T1041] Exfiltration Over C2 Channel – Victim data is sent to the C2 server as JSON over the same channel used for command and control (‘This encrypted data is then sent to the server’).
• [T1105] Ingress Tool Transfer – The malware downloads a second-stage payload from the server and writes it to disk for execution (‘downloads a second-stage payload for execution’).