Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector.

MITRE Techniques

• [T1589.002 ] Gather Victim Identity Information: Email Addresses – attacker used a compromised business email of a KMG finance employee to send spear-phishing messages (‘a compromised business email was used to deliver a malicious ZIP file’).
• [T1204.002 ] User Execution: Malicious File – targets were instructed to open a ZIP and execute the LNK file График зарплат which launched the infection chain (‘open a file known as График зарплат which translates to Salary Schedule’).
• [T1078.002 ] Valid Accounts: Domain Accounts – the campaign leveraged a compromised internal business email account to send malicious messages (‘the threat actor used a compromised business email of an individual working in Finance Department of KazMunaiGas’).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – multiple PowerShell loaders (support.ps1, a.ps1) were used to execute and load payloads and perform AMSI bypass and in-memory operations (‘downloaded PowerShell loaders, which we have dubbed as DOWNSHELL’).
• [T1059.000 ] Command and Scripting Interpreter (other) – batch scripts (123.bat, it.bat) were used to orchestrate downloading and execution of PowerShell loaders (‘downloading PowerShell Loaders … once they are downloaded, it then sleeps’).
• [T1562 ] Impair Defenses – AMSI tampering via reflection was employed to flip an internal AMSI initialization flag preventing scanning (‘resolves the internal type System.Management.Automation.AmsiUtils … changing or flipping this flag convinces PowerShell that the AMSI has failed to initialize’).
• [T1027.007 ] Dynamic API Resolution – script dynamically retrieved function addresses from loaded modules using unsafe native methods to call WinAPI without Add-Type/DllImport (‘LookUpFunc dynamically retrieves the memory address of any exported function … without using traditional DllImport or Add-Type’).
• [T1027.013 ] Encrypted/Encoded File – payloads and scripts used obfuscation/concatenation techniques to evade static detection (‘uses a little operand shenanigan to avoid static signature detection, but concatenation of the string literals’).
• [T1055.003 ] Thread Execution Hijacking – DLL implant performed thread-context hijacking on a suspended rundll32.exe primary thread to execute injected shellcode (‘calls GetThreadContext … SetThreadContext, and finally calls ResumeThread so execution continues at the injected shellcode’).
• [T1620 ] Reflective Code Loading – PowerShell-based reflective loading techniques and commented reflective DLL injection (PowerSploit) were observed to load code into target processes without touching disk (‘some part of this is commented, which performs Reflective DLL injection into remote process … using PowerSploit’).
• [T1218.011 ] System Binary Proxy Execution: Rundll32 – the implant spawned rundll32.exe in suspended mode as the host for code injection and execution (‘it spawns a rundll32.exe process in a suspended manner’).
• [T1105 ] Ingress Tool Transfer – initial downloader stages retrieved batch and PowerShell scripts and additional tooling from remote servers (e.g., 77[.]239[.]125[.]41) (‘it downloads a malicious batch script known as 123.bat, from a remote-server … support.ps1 and a.ps1’).
• [T1567.002 ] Exfiltration to Cloud Storage – exfiltration technique listed in report’s MITRE mapping (no detailed steps in text but included in campaign mapping) (‘Exfiltration to Cloud Storage’).