Boggy Serpens Threat Assessment

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – Delivery of malicious Office documents with embedded macros to targets. (‘the lure document was blurred in order to deceive targets into clicking “Enable Content,” thereby triggering the execution of the embedded macro.’)
• [T1204.002 ] User Execution: Malicious File – Coercion of users to enable Office macros to launch droppers and payloads. (‘Once the user clicks “Enable Content,” the VBA macro’s initial routine is to delete this overlay and reveal the clear, legible document underneath.’)
• [T1078 ] Valid Accounts – Hijacking and misuse of legitimate internal and government mailboxes to bypass filters and deliver lures. (‘Boggy Serpens systematically hijacked official government and corporate accounts to bypass standard email filtering’)
• [T1218 ] Living Off The Land / Signed Binary Proxy Execution – Abuse of legitimate RMM tools and publicly available utilities to facilitate access and lateral movement. (‘abusing legitimate remote monitoring and management (RMM) tools like Atera, ScreenConnect and SimpleHelp, alongside publicly available utilities such as LaZagne and CrackMapExec.’)
• [T1055 ] Process Injection – Use of RunPE/process hollowing in the intermediate stager to execute Rust payloads in memory. (‘The stager decrypts the final Rust payload using a hardcoded XOR key and executes it in memory using process hollowing (RunPE).’)
• [T1547.001 ] Registry Run Keys / Startup Folder – Persistence by registering file associations and dropping startup files to ensure execution on reboot. (‘The payload registers the nonexistent .wdlp extension in the HKCUSoftwareClasses.wdlp registry… The malware drops a file named Oregon.wdlp into the startup folder’)
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 communications over HTTP/S for Nuso and BlackBeard beaconing and command semantics driven by HTTP status codes. (‘Nuso beacons over HTTP/S’ and ‘communicates with stratioai[.]org using the reqwest Rust crate.’)
• [T1102 ] Web Service – Use of Telegram Bot API as a C2 channel for LampoRAT. (‘The malware leverages the Telegram Bot API for command and control… hardcoded bot token (8398566164:AAEJbk6EOirZ_…)’)
• [T1497.001 ] Virtualization / Sandbox Evasion – Anti-analysis techniques and time-loop stalling to detect and evade research environments and automated analysis. (’employs multiple anti-analysis techniques to detect research environments’ and ‘a mathematical “time-loop” (function laylay) that forces the CPU to execute over 100 million operations’)
• [T1003 ] Credential Dumping – Use of credential dumping tools and techniques as part of early operational tradecraft. (‘publicly available utilities such as LaZagne and CrackMapExec’)
• [T1041 ] Exfiltration Over C2 Channel – Exfiltration of system information via custom HTTP headers and encrypted payloads to C2 servers. (‘exfiltrating system information via bit-rotated custom headers like X-Computer-Name and X-Username’ and AES-256-GCM encryption for system data)