COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX

Zscaler ThreatLabz identified a multi-stage ClickFix campaign in September 2025 that delivered a downloader tracked as BAITSWITCH and a PowerShell backdoor tracked as SIMPLEFIX, attributed with moderate confidence to the Russia-linked APT group COLDRIVER. The chain combined ClickFix social engineering, an AES-encrypted PowerShell stage stored in the registry, and domain-based C2 infrastructure including captchanom[.]top and southprovesolutions[.]com.

Keypoints

  • ThreatLabz discovered a ClickFix campaign in September 2025 attributed with moderate confidence to Russia-linked APT COLDRIVER, targeting members of Russian civil society.
  • The infection chain uses a fake Cloudflare Turnstile checkbox to trick victims into copying a rundll32 command that loads machinerie.dll (BAITSWITCH).
  • BAITSWITCH (machinerie.dll) contacts captchanom[.]top with a hardcoded user-agent; the server only answers requests carrying that user-agent, and the DLL runs the returned commands via CreateProcessA.
  • BAITSWITCH establishes persistence by registering a PowerShell logon script (UserInitMprLogonScript) and stores an AES-encrypted, Base64-encoded PowerShell payload and its key as values under a CLSID DefaultIcon registry path.
  • The PowerShell stager downloads and decrypts the second-stage script which fetches and executes SIMPLEFIX from southprovesolutions[.]com.
  • SIMPLEFIX beacons every 3 minutes with a custom user-agent, supports downloading/executing binaries, running commands, and exfiltrating command output to C2 endpoints like /EPAWl.
  • COLDRIVER gated payload delivery on a specific user-agent (the server returns 404 otherwise) and deleted the RunMRU key to remove the Run-dialog history, reusing TTPs and key-delivery patterns seen in earlier COLDRIVER activity such as LOSTKEYS.
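The key points above describe a chain with several host-side artifacts: a rundll32 launch from the Run dialog (so explorer.exe is the parent), a UserInitMprLogonScript value set under HKCU\Environment, binary payload and key values written under a CLSID DefaultIcon key, deletion of RunMRU, and a hidden-window PowerShell started by userinit.exe at logon. The following detection logic is an added example, not Zscaler's or COLDRIVER's code: it runs those rules over Sysmon-style event records. The sample events, file paths, SID, GUID, logon-script command line and the "Binary Data" rendering of a REG_BINARY value in the Details field are all constructed for this example.

```python
"""Host-side detection for the BAITSWITCH/SIMPLEFIX chain over Sysmon-style events
(Event 1 = process create, 12 = registry key/value create or delete, 13 = value set).
Added example; sample events and the registry-value rendering are constructed."""
from __future__ import annotations
import re
from collections.abc import Iterable

# Constructed events in the shape the page describes, followed by benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",              # Run dialog -> explorer.exe parent
     "CommandLine": r"rundll32.exe C:\Users\victim\Downloads\machinerie.dll,Start"},  # constructed path/entry
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "Details": r"powershell.exe -WindowStyle Hidden -File C:\Users\victim\AppData\Roaming\FvFLcsr23.ps1"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\DefaultIcon\(Default)",
     "Details": "Binary Data"},                                # assumed Sysmon rendering of REG_BINARY
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",      # logon scripts run under userinit.exe
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\victim\AppData\Roaming\FvFLcsr23.ps1"},
    # Benign: rundll32 loading a Windows DLL from a service host, and a normal env-var write.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\TEMP",
     "Details": r"%USERPROFILE%\AppData\Local\Temp"},
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
DLL_ARG = re.compile(r"([a-z]:\\[^,\s]+\.dll)", re.I)
CLSID_DEFAULTICON = re.compile(r"\\CLSID\\\{[0-9a-f-]{36}\}\\DefaultIcon", re.I)
# -WindowStyle Hidden and its accepted abbreviations (-w h, -win hidden, ...)
HIDDEN_WINDOW = re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.I)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list[str]:
    """Return the names of every rule this single event trips (empty if none)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    target = ev.get("TargetObject", "")
    if eid == 1:
        if image == "rundll32.exe" and parent == "explorer.exe":
            # ClickFix shape: Run-dialog rundll32 loading a DLL from outside C:\Windows.
            m = DLL_ARG.search(cmd)
            if m and not WINDOWS_DIR.match(m.group(1)):
                hits.append("clickfix_rundll32_from_run_dialog")
        if image in ("powershell.exe", "pwsh.exe") and HIDDEN_WINDOW.search(cmd):
            hits.append("powershell_hidden_window")
        if parent == "userinit.exe" and image in INTERPRETERS:
            hits.append("logon_script_interpreter_under_userinit")
    elif eid == 13:
        if target.lower().endswith(r"\environment\userinitmprlogonscript"):
            hits.append("userinitmprlogonscript_set")
        if CLSID_DEFAULTICON.search(target) and ev.get("Details", "").startswith("Binary Data"):
            hits.append("binary_payload_under_clsid_defaulticon")
    elif eid == 12 and ev.get("EventType") == "DeleteKey":
        if target.lower().endswith(r"\explorer\runmru"):
            hits.append("runmru_key_deleted")
    return hits


def detect(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Run classify() over a stream and return (event_index, rule_name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {rule}")
```

Each rule is low-noise on its own except the hidden-window PowerShell check; correlating two or more of them on the same host within a short window (rundll32 from explorer.exe, then a UserInitMprLogonScript write from that rundll32 process, then RunMRU deletion) is what makes the chain stand out from ordinary administrative activity.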

MITRE Techniques

  • [T1583.001 ] Acquire Infrastructure: Domains – COLDRIVER acquired domains to support the operation, including ClickFix domains and payload/C2 hosts (“…preentootmist[.]org, blintepeeste[.]org, captchanom[.]top, southprovesolutions[.]com”).
  • [T1583.006 ] Acquire Infrastructure: Web Services – COLDRIVER used Google Drive to host a decoy document (“…registered and utilized Google Drive to host a decoy document”).
  • [T1585.002 ] Establish Accounts: Email Accounts – COLDRIVER created the email narnobudaeva[@]gmail.com to leverage Google services (“…created the email account narnobudaeva[@]gmail.com”).
  • [T1585.003 ] Establish Accounts: Cloud Accounts – COLDRIVER used the Google account narnobudaeva[@]gmail.com to host a decoy document (“…created the Google account narnobudaeva[@]gmail.com to host a decoy document on Google Drive”).
  • [T1587.001 ] Develop Capabilities: Malware – COLDRIVER developed BAITSWITCH, PowerShell payloads, and the SIMPLEFIX backdoor (“…developed BAITSWITCH, PowerShell payloads, and the SIMPLEFIX backdoor”).
  • [T1608.001 ] Stage Capabilities: Upload Malware – COLDRIVER uploaded BAITSWITCH and SIMPLEFIX to their C2 servers (“…uploaded BAITSWITCH and SIMPLEFIX to their C2 servers”).
  • [T1608.003 ] Stage Capabilities: Install Digital Certificate – COLDRIVER installed SSL/TLS certificates on domains such as captchanom[.]top and southprovesolutions[.]com (“…installed SSL/TLS certificates on their domains”).
  • [T1608.005 ] Stage Capabilities: Link Target – COLDRIVER linked a decoy document and the BAITSWITCH DLL from the ClickFix page (“…staged a decoy document on Google Drive, and a BAITSWITCH DLL on captchanom[.]top, both linked from the ClickFix phishing page”).
  • [T1204.004 ] User Execution: Malicious Copy and Paste – The ClickFix attack tricks users into copying a command into Run which executes the BAITSWITCH DLL via rundll32.exe (“…using social engineering to manipulate users into copying and pasting a command into the Run dialog”).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – BAITSWITCH, the stager, and SIMPLEFIX use PowerShell for staging, decryption, and C2 execution (“…BAITSWITCH DLL, stager scripts, and SIMPLEFIX are written in or used PowerShell”).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – SIMPLEFIX executes received commands using cmd.exe /c, running utilities like whoami and ipconfig (“…executes using cmd.exe /c incorporating utilities such as whoami /all, ipconfig /all”).
  • [T1037.001 ] Boot or Logon Initialization Scripts: Logon Script (Windows) – BAITSWITCH adds a UserInitMprLogonScript registry value to execute the PowerShell stager at next logon (“…set the UserInitMprLogonScript registry key in HKCU\Environment”).
  • [T1112 ] Modify Registry – COLDRIVER modifies the registry to add a malicious PowerShell script as a logon script and to store encrypted payloads (“…modified the registry to add a malicious PowerShell script as a logon script” and “stored an AES-encrypted PowerShell script … in the registry”).
  • [T1140 ] Deobfuscate/Decode Files or Information – The stager reads a Base64-encoded AES-encrypted script from the registry and decodes/decrypts it for execution (“…retrieves a Base64-encoded, AES-encrypted script from the registry, then decodes and decrypts it”).
  • [T1564.003 ] Hide Artifacts: Hidden Window – The stager is launched with -WindowStyle Hidden to conceal execution (“…launched using the -WindowStyle Hidden parameter”).
  • [T1218.011 ] System Binary Proxy Execution: Rundll32 – The BAITSWITCH DLL is executed via rundll32.exe after the ClickFix copy-paste action (“…executing the BAITSWITCH DLL via rundll32.exe”).
  • [T1112 ] Modify Registry – COLDRIVER stores encrypted payloads and keys as binary values in registry CLSID DefaultIcon entries (“…stored an encrypted PowerShell script and its decryption key in the registry”).
  • [T1205 ] Traffic Signaling – C2 servers respond only to a specific hardcoded user-agent string and return 404 otherwise (“…servers respond only to requests containing a specific hardcoded user-agent string”).
  • [T1070.003 ] Indicator Removal: Clear Command History – BAITSWITCH deletes the RunMRU registry key to remove evidence of the Run dialog command (“…clears the RunMRU registry key to delete the history”).
  • [T1027.011 ] Obfuscated Files or Information: Fileless Storage – COLDRIVER stored an encrypted PowerShell script and key in registry binary values (“…stored an encrypted PowerShell script and its decryption key as binary data within the registry”).
  • [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – The PowerShell script is AES-encrypted and Base64-encoded in the registry (“…stored an AES-encrypted, Base64-encoded PowerShell script in the Windows registry”).
  • [T1033 ] System Owner/User Discovery – SIMPLEFIX and BAITSWITCH include computer name and username in their user-agent and final C2 request (“…incorporating the computer name, username, and the machine’s UUID into the user-agent”).
  • [T1082 ] System Information Discovery – COLDRIVER issues systeminfo in reconnaissance commands via SIMPLEFIX (“…sends the systeminfo command in response to SIMPLEFIX beaconing”).
  • [T1135 ] Network Share Discovery – COLDRIVER issues net share via SIMPLEFIX to enumerate shares (“…sends the net share command in response to SIMPLEFIX beaconing”).
  • [T1016 ] System Network Configuration Discovery – COLDRIVER issues ipconfig /all and related commands (“…sends the ipconfig /all, ipconfig /displaydns, and arp -a commands”).
  • [T1016.001 ] Internet Connection Discovery – The stager uses Invoke-WebRequest -Method Head to verify connectivity before retrieving payloads (“…uses Invoke-WebRequest -Method Head to verify connectivity”).
  • [T1087.001 ] Account Discovery: Local Account – COLDRIVER issues whoami /all and net user via SIMPLEFIX (“…sends the whoami /all and net user commands”).
  • [T1083 ] File and Directory Discovery – A PowerShell script enumerates Documents, Downloads, Desktop, OneDrive for specified extensions (e.g., .pdf, .doc) (“…EnumerateFiles and EnumerateDirectories to search for specific file types”).
  • [T1049 ] System Network Connections Discovery – COLDRIVER issues netstat -ano and net session via SIMPLEFIX (“…sends the netstat -ano and net session commands”).
  • [T1057 ] Process Discovery – netstat -ano is used to list connections and PIDs (“…netstat -ano which lists active network connections and includes the process ID”).
  • [T1018 ] Remote System Discovery – Commands like net session and arp -a are used to discover remote systems (“…net session, arp -a, and ipconfig /displaydns to enumerate other hosts”).
  • [T1046 ] Network Service Discovery – netstat -ano used to identify local services and remote addresses (“…used to identify services running on the local host”).
  • [T1124 ] System Time Discovery – systeminfo reveals time zone and boot time (“…systeminfo reveals the system’s time zone and boot time”).
  • [T1005 ] Data from Local System – COLDRIVER enumerates local file directories to collect documents and archives (“…enumerate local directories such as Documents, Downloads, and Desktop for files with specific extensions”).
  • [T1530 ] Data from Cloud Storage – The script enumerates OneDrive for files of interest (“…enumerate the OneDrive directory for files with specific extensions”).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – Stager and SIMPLEFIX use HTTPS for C2 communications and file downloads (“…use HTTPS for C2 communications and file downloads”).
  • [T1104 ] Multi-Stage Channels – The campaign uses separate C2s for downloader (captchanom[.]top) and stager/backdoor (southprovesolutions[.]com) (“…multi-stage attack chain…captchanom[.]top for the downloader and southprovesolutions[.]com for stager”).
  • [T1001.003 ] Data Obfuscation: Protocol or Service Impersonation – Scripts and backdoor use a user-agent string that mimics Edge (“…use a user-agent string that mimics the Edge browser”).
  • [T1105 ] Ingress Tool Transfer – SIMPLEFIX supports downloading and executing binaries on command (“…supports a command (ID 1) that downloads and executes binary payloads”).
  • [T1132.001 ] Data Encoding: Standard Encoding – Base64 encoding is used to store AES-encrypted PowerShell in registry (“…uses Base64 encoding to store an AES-encrypted PowerShell script in the registry”).
  • [T1573.002 ] Encrypted Channel: Asymmetric Cryptography – HTTPS is used for communications across stages (“…use HTTPS for their communications”).

Indicators of Compromise

  • [Domain ] ClickFix lure domains – preentootmist[.]org, blintepeeste[.]org (host the fake Cloudflare Turnstile pages)
  • [Domain ] BAITSWITCH host and commands – captchanom[.]top (hosts machinerie.dll and /coup/* command endpoints)
  • [Domain ] Stager and SIMPLEFIX C2 – southprovesolutions[.]com (FvFLcsr23, Zxdf, KZouoRc, EPAWl, VUkXugsYgu)
  • [URL ] ClickFix lure and decoy – hxxps://preentootmist[.]org/?uinfo_message=Resilient_Voices, Google Drive decoy hxxps://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view
  • [URL ] BAITSWITCH DLL and commands – hxxps://captchanom[.]top/check/machinerie.dll, hxxps://captchanom[.]top/coup/premier, /deuxieme, /troisieme, /quatre
  • [URL ] Stager and backdoor endpoints – hxxps://southprovesolutions[.]com/FvFLcsr23, /Zxdf, /KZouoRc, /EPAWl, /VUkXugsYgu
  • [Filename ] BAITSWITCH DLL – machinerie.dll (SHA256: 87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48) – downloader DLL executed via rundll32
  • [Filename ] Stager PowerShell script – FvFLcsr23.ps1 (SHA256: 62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0) – saved to %APPDATA% and executed via logon script
  • [SHA256 ] SIMPLEFIX backdoor – 16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f – PowerShell-based backdoor fetched from /Zxdf (no on-disk filename is given)
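The indicators above, together with the fixed 3-minute SIMPLEFIX beacon and the Edge-mimicking user-agent noted earlier, lend themselves to a network hunt that does not depend on the domains alone. The script below is an added example, not Zscaler's or COLDRIVER's code. It parses constructed proxy log lines (the log format, client addresses, timestamps and the beacon user-agent suffix are all made up for this example; the page only says the user-agent embeds computer name, username and UUID), flags (client, host) pairs whose request spacing is near-constant, matches the listed domains and URI paths, and surfaces user-agent strings seen from exactly one client, which is how a per-host customised user-agent looks in aggregate.

```python
"""Network-side hunt for SIMPLEFIX-style beaconing over constructed proxy logs.
Added example; the log format and every log line are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0")
# Constructed: an Edge-like UA with host/user/UUID appended. The real suffix format is not on the page.
BEACON_UA = EDGE_UA + " WS-VICTIM01 victim 4c9d7e2a-1b3f-4a8e-9c6d-2f5e7a1b3c4d"

# Constructed log: ISO time, client IP, method, URL, HTTP status, quoted user-agent.
SAMPLE_LOG = "\n".join([
    f'2025-09-18T10:00:00Z 10.0.0.7 GET https://southprovesolutions.com/EPAWl 200 "{BEACON_UA}"',
    f'2025-09-18T10:00:04Z 10.0.0.9 GET https://www.example.com/ 200 "{EDGE_UA}"',
    f'2025-09-18T10:02:59Z 10.0.0.7 GET https://southprovesolutions.com/EPAWl 200 "{BEACON_UA}"',
    f'2025-09-18T10:05:31Z 10.0.0.9 GET https://docs.example.com/page 200 "{EDGE_UA}"',
    f'2025-09-18T10:06:02Z 10.0.0.7 GET https://southprovesolutions.com/EPAWl 200 "{BEACON_UA}"',
    f'2025-09-18T10:06:40Z 10.0.0.11 GET https://www.example.com/ 200 "{EDGE_UA}"',
    f'2025-09-18T10:09:00Z 10.0.0.7 GET https://southprovesolutions.com/EPAWl 200 "{BEACON_UA}"',
    f'2025-09-18T10:09:10Z 10.0.0.9 GET https://www.example.com/search?q=x 200 "{EDGE_UA}"',
    f'2025-09-18T10:12:01Z 10.0.0.7 GET https://southprovesolutions.com/EPAWl 200 "{BEACON_UA}"',
    f'2025-09-18T10:20:00Z 10.0.0.9 GET https://news.example.org/ 200 "{EDGE_UA}"',
    f'2025-09-18T10:21:15Z 10.0.0.9 GET https://www.example.com/ 200 "{EDGE_UA}"',
    # An analyst probing the downloader C2 with a generic client gets the 404 the page describes.
    f'2025-09-18T10:30:00Z 10.0.0.12 GET https://captchanom.top/coup/premier 404 "curl/8.5.0"',
])

IOC_DOMAINS = {"preentootmist.org", "blintepeeste.org", "captchanom.top", "southprovesolutions.com"}
IOC_PATHS = {"/check/machinerie.dll", "/coup/premier", "/coup/deuxieme", "/coup/troisieme",
             "/coup/quatre", "/FvFLcsr23", "/Zxdf", "/KZouoRc", "/EPAWl", "/VUkXugsYgu"}
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Record:
    time: datetime
    client: str
    method: str
    host: str
    path: str
    status: int
    ua: str


def parse_log(text: str) -> list[Record]:
    out: list[Record] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, method, url, status, ua = m.groups()
        u = urlsplit(url)
        out.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method,
                          u.hostname or "", u.path, int(status), ua))
    return out


def find_periodic_beacons(records: list[Record], min_hits: int = 4, max_cv: float = 0.15,
                          min_interval: float = 30.0) -> dict[tuple[str, str], float]:
    """Return {(client, host): mean gap in seconds} for pairs whose request spacing is
    near-constant. The signal is a low coefficient of variation (stdev/mean) of the
    gaps; a fixed 3-minute sleep shows up as ~180 s with tiny jitter."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for r in records:
        by_pair[(r.client, r.host)].append(r.time)
    found: dict[tuple[str, str], float] = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


def match_iocs(records: list[Record]) -> list[tuple[Record, str]]:
    """Domain hits are high confidence; a path-only hit on another host is a weak lead."""
    return [(r, "domain") if r.host in IOC_DOMAINS else (r, "path")
            for r in records if r.host in IOC_DOMAINS or r.path in IOC_PATHS]


def rare_user_agents(records: list[Record]) -> dict[str, str]:
    """User-agent strings observed from exactly one client, mapped to that client."""
    clients: dict[str, set[str]] = defaultdict(set)
    for r in records:
        clients[r.ua].add(r.client)
    return {ua: next(iter(cs)) for ua, cs in clients.items() if len(cs) == 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (client, host), gap in find_periodic_beacons(recs).items():
        print(f"periodic: {client} -> {host} every ~{gap:.0f}s")
    for r, why in match_iocs(recs):
        print(f"ioc[{why}]: {r.client} {r.method} {r.host}{r.path} {r.status}")
    for ua, client in rare_user_agents(recs).items():
        print(f"single-client UA from {client}: {ua[:70]}")
```

The periodicity check is the part that survives infrastructure rotation: the domains and paths above will be replaced, but a backdoor that sleeps a fixed interval between polls keeps the same cadence. A 404 to a listed domain is still worth recording, since the page notes the servers return 404 to any client without the expected user-agent.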


Read more: https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix