10 Things I Hate About Attribution: RomCom vs. TransferLoader

MITRE Techniques

• [T1566] Phishing – Both TA829 and UNK_GreenSec conduct phishing campaigns using email lures themed around job seeking and complaints, containing links or PDFs to malicious domains (’email bodies contain a link to an actor-controlled domain … themed around job seeking or complaints’).
• [T1071] Application Layer Protocol – Actors use HTTP(S) and TCP-based communications for C2 interactions and data exfiltration (‘C2 domains are fronted by CloudFlare … TransferLoader traffic uses custom HTTP headers as well as a TCP-based protocol’).
• [T1204] User Execution – Malware payloads use social engineering, dropping signed executables with spoofed PDF icons upon victim download (‘malware payload spoofs PDF reader’, ‘signed loader that spoofs a PDF’).
• [T1562] Impair Defenses – Use of filtering and anti-analysis techniques such as Cloudflare checks and sandbox evasion via filename validation (‘uses Cloudflare & server-side filtering’, ‘malware will only run if the strings expected remain in the filename’).
• [T1213] Data from Information Repositories – Malware uses Windows Registry to store payloads and achieve persistence (‘registry used for storing additional payloads, persistence, and validating the loader is not running in a sandbox’).
• [T1176] Browser Extensions – Use of redirectors and spoofed sites resembling OneDrive or Google Drive for infection chain (‘landing page that spoofs OneDrive or Google Drive’).
• [T1036] Masquerading – Use of signed binaries with legitimate-looking icons and filenames to evade detection (‘SlipScreen is invalidly signed and uses a PDF reader icon to convince the target to execute it’).
• [T1059] Command and Scripting Interpreter – Malware executes shell commands and network reconnaissance commands automatically (‘DustyHammock execute commands from a C2 that followed the beacon structure and automated reconnaissance commands’).