Common TTPs of attacks against industrial organizations. Implants for uploading data | Kaspersky ICS CERT

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – “Threat actors used lure documents to deploy off-the-shelf spyware.”
• [T1204.002] User Execution: Malicious File – “A system is infected when the user runs the malware believing it to be a legitimate document.”
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “Uses cmd.exe to execute multiple commands.”
• [T1106] Native API – “Uses CreateProcessW function to execute Windows Command Line.”
• [T1053.005] Scheduled Task/Job: Scheduled Task – “Malware is executed via a Windows task created by the threat actor.”
• [T1547.001] Registry Run Keys / Startup Folder – “Malware achieves persistence by adding itself to the Registry as a startup program.”
• [T1543.003] Create or Modify System Process: Windows Service – “Installs itself as a service to achieve persistence.”
• [T140] Deobfuscate/Decode Files or Information – “Uses an RC4 key to decrypt the malware configuration as well as communication.”
• [T1055.002] Process Injection: Portable Executable Injection – “Malware injects itself into various legitimate processes upon execution (msiexec.exe, svchost.exe).”
• [T1497.001] System Checks – “Employs various system checks to detect and avoid virtualization and analysis environments.”
• [T1497.003] Time Based Evasion – “Employs various time-based methods to detect virtualization and analysis environments.”
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – “Threat actors abused a legitimate application binary to load a malicious DLL.”
• [T1083] File and Directory Discovery – “The malware attempts to discover files of various types (.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .eml).”
• [T1016] System Network Configuration Discovery – “Threat actors use the netstat and ipconfig utilities to get local network interface configuration and enumerate open ports.”
• [T1033] System Owner/User Discovery – “Threat actors use the systeminfo, whoami, and net utilities to get information about the user and the infected system.”
• [T1057] Process Discovery – “Threat actors use tasklist to enumerate running processes.”
• [T1071.001] Application Layer Protocol: Web Protocols – “Malware uses HTTPS and raw TCP for communication with C2.”
• [T1573.001] Encrypted Channel: Symmetric Cryptography – “Malware uses RC4 and SSL TLS v3 (by libssl.dll) to encrypt communication.”
• [T1003.004] OS Credential Dumping: Cached Domain Credentials – “Threat actors use Mimikatz and Reg to extract cached credentials.”
• [T1041] Exfiltration Over C2 Channel – “Threat actors exfiltrate data using Dropbox, Yandex Disk, Yandex email and temporary file sharing services as a C2 channel.”