The SOC files: Rumble in the jungle or APT41’s new target in Africa

MITRE Techniques

• [T1078.002] Valid Accounts: Domain Accounts – Used to move laterally with domain accounts holding local and domain admin privileges (“two domain accounts obtained from a registry dump were leveraged for lateral movement”).
• [T1190] Exploit Public-Facing Application – Utilized compromised SharePoint server as C2 and web shell CommandHandler.aspx for command execution.
• [T1059.001] Command and Scripting Interpreter: PowerShell – Usage implied by scripted commands and execution of tools.
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – cmd.exe invoked for command execution and file operations (“cmd.exe /c netstat -ano…”).
• [T1053.005] Scheduled Task/Job: Scheduled Task – Attackers created scheduled tasks to execute their tools persistently (“Scheduler tasks created by Atexec”).
• [T1047] Windows Management Instrumentation – Leveraged WMI for remote command execution and lateral movement (“executed remotely using the WMI toolkit”).
• [T1543.003] Create or Modify System Process: Windows Service – Established persistent services disguised with names like “server power” (“sc create ‘server power’ …”).
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – Malicious DLLs loaded via legitimate executables to decrypt and launch payloads (“DLL sideloading used with legitimate apps”).
• [T1505.003] Web Shell – CommandHandler.aspx web shell used on SharePoint for executing attacker commands.
• [T1505.004] IIS Components – Compromised IIS server hosted Neo-reGeorg web shell tunnels.
• [T1055] Process Injection – Loading and executing malicious code in memory (“payload launched by allocating memory and creating a new thread”).
• [T1140] Deobfuscate/Decode Files or Information – Decryption of encrypted payload files in-memory (“payload decrypted by repeatedly executing instructions”).
• [T1036] Masquerading – Use of renamed legitimate executables and services for concealment (“cookie_exporter.exe renamed to Edge.exe”).
• [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Harvested saved browser credentials using Pillager and Checkout tools.
• [T1003.002] OS Credential Dumping: Security Account Manager – Dumped SAM and SYSTEM registry hives using reg.exe and RawCopy.
• [T1570] Lateral Tool Transfer – Transferred tools over SMB to remote administrative shares (“used SMB protocol to transfer tools to administrative network share C$”).
• [T1021.002] Remote Services: SMB/Windows Admin Shares – Used for lateral movement and file transfer.
• [T1560.001] Archive Collected Data: Archive via Utility – Tools archived stolen data (e.g., Checkout archives data as CheckOutData.zip).
• [T1071.001] Application Layer Protocol: Web Protocols – Used web protocols for command and control communication and exfiltration.
• [T1090.001] Proxy: Internal Proxy – Used internal proxy servers for probing C2 availability.
• [T1572] Protocol Tunneling – Neo-ReGeorg web shell tunneled traffic from external network to internal.
• [T1048] Exfiltration Over Alternative Protocol – Data exfiltrated via SMB protocol to SharePoint server shares.
• [T1567] Exfiltration Over Web Service – Data exfiltrated using web upload handlers like upload.ashx.