Collect, Exfiltrate, Sleep, Repeat

Summary: The August 2022 intrusion began with a malicious Word document whose VBA macro installed a PowerShell implant, established persistence through scheduled tasks, and ran a keylogger driven by a renamed AutoHotkey binary to collect data, which was then compressed and exfiltrated over an AES-encrypted HTTP C2 channel. Attribution, supported by Emerging Threats signature hits on the C2 traffic, points to OilRig/TA452, an Iranian threat actor; the hands-on activity took place overnight and relied on bespoke PowerShell and AutoHotkey tooling rather than common commodity loaders. Hashtags: #OilRig #TA452 #ApplyForm #AutoHotkey #PowerShell #Lumen

Keypoints

  • The intrusion started with a malicious Word document containing a VBA macro that required the user to enable macros before it would run.
  • The VBA macro wrote several scripts to disk (Updater.vbs, Script.ps1, temp.ps1) and established persistence via a scheduled task; the implant itself was written entirely in PowerShell.
  • The threat actor used a renamed AutoHotkey binary (module.exe) to run an AutoHotkey keylogger script (module.ahk), with scheduled tasks keeping the keylogger running.
  • Discovery was performed with PowerShell cmdlets and built-in Windows utilities (e.g., whoami, net, tracert), including LDAP enumeration of domain accounts using Convert-LDAPProperty (a PowerView helper function).
  • Data collected by the keylogger and the discovery steps was compressed with makecab and exfiltrated over the C2 channel, which was encrypted with AES-CBC.
  • C2 traffic consisted of HTTP GET (/get) and POST (/put) requests to 45.89.125.189, with several stages of PowerShell scripts handling tasking and exfiltration.
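
The persistence and keylogger tradecraft above (interpreter-driven scheduled tasks pointing at user-writable scripts, and an AutoHotkey binary renamed to module.exe) lends itself to two host-based checks. The script below is an added hunt example written for this summary; it is not code from The DFIR Report or from the intrusion. The interpreter list, path patterns and default scan roots are assumptions chosen to catch the Updater.vbs -> Script.ps1 chain and a renamed AutoHotkey binary, and will also surface unrelated activity that needs triage.

```powershell
# Added hunt script, not code from The DFIR Report or from the intrusion itself.
# Two checks derived from the keypoints above:
#   1. Scheduled tasks whose action runs a script interpreter or a .vbs/.ps1/.ahk file
#      from a user-writable location (the Updater.vbs -> Script.ps1 chain).
#   2. Executables whose version metadata identifies AutoHotkey but whose file name
#      does not (the module.exe renamed binary).
# Interpreter names, path patterns and scan roots are assumptions for illustration.

$InterpreterNames  = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe')
$UserWritablePaths = @('\\Users\\', '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\')

function Get-SuspiciousScheduledTask {
    <# Returns one object per scheduled-task action that launches a script
       interpreter or a script file from a user-writable path. #>
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $command = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()

            $usesInterpreter = $InterpreterNames  | Where-Object { $action.Execute -match [regex]::Escape($_) }
            $runsScript      = $command -match '\.(vbs|ps1|ahk|js|bat|cmd)\b'
            $userPath        = $UserWritablePaths | Where-Object { $command -match $_ }

            if (($usesInterpreter -or $runsScript) -and $userPath) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    State    = $task.State
                    Command  = $command
                }
            }
        }
    }
}

function Find-RenamedAutoHotkey {
    <# Scans the given roots for .exe files that carry AutoHotkey version metadata
       under a file name that does not mention AutoHotkey. #>
    param(
        [string[]]$Root = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)
    )
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $meta = @($vi.ProductName, $vi.FileDescription, $vi.OriginalFilename, $vi.InternalName) -join ' '
            if ($meta -match 'AutoHotkey' -and $_.Name -notmatch 'AutoHotkey') {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $vi.OriginalFilename
                    ProductName      = $vi.ProductName
                    SizeBytes        = $_.Length
                    # AutoHotkey builds are often unsigned, so signature status is
                    # triage context rather than a verdict on its own.
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
}

# Usage: run from an elevated prompt so that all task folders and user profiles are readable.
$tasks = Get-SuspiciousScheduledTask
$ahk   = Find-RenamedAutoHotkey
"Scheduled-task hits: $(@($tasks).Count)"; $tasks | Format-Table -AutoSize
"Renamed AutoHotkey hits: $(@($ahk).Count)"; $ahk | Format-Table -AutoSize
```

Both checks are intentionally broad: legitimate software also registers tasks that run scripts from ProgramData, and developers rename AutoHotkey compiled scripts routinely. The value is in pairing a hit from each function on the same host, or a task whose author is an ordinary user account, which is the combination this intrusion would have produced.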

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The intrusion began with a malicious macro embedded in a Word document. “The intrusion began with the execution of a malicious macro within a Word document.”
  • [T1059.005] Visual Basic for Applications – The attack used a VBA macro embedded in Word to drop and run additional components. “The intrusion began with the execution of a malicious macro within a Word document.”
  • [T1059.001] PowerShell – The implant was fully implemented in PowerShell and used Script.ps1/temp.ps1 to drive actions. “The implant was fully implemented using PowerShell.”
  • [T1053.005] Scheduled Task/Job – Persistence via scheduled tasks was created to execute components (Updater.vbs, Script.ps1). “installed persistence through a scheduled task.”
  • [T1112] Modify Registry – The keylogger used a registry key (UpdateReg) to store keystroke data. “registry key is where the keylogger saved captured keystrokes.”
  • [T1113] Screen Capture – The attacker captured desktop screenshots with a PowerShell-based script (sc.ps1). “sc.ps1 contains PowerShell code to capture a screenshot of the system.”
  • [T1056.001] Keyboard Input Capture (Keylogging) – The keylogger components include module.exe (renamed AutoHotkey) and module.ahk. “The keylogger itself was comprised of an executable, module.exe, which was a renamed AutoHotkey binary.”
  • [T1560.001] Archive Collected Data: Archive via Utility – Keystroke logs and discovery output were compressed with the built-in makecab utility before exfiltration. “makecab …”
  • [T1573.001] Encrypted Channel – C2 communications encrypted (AES-CBC) between victim and server. “AES encrypted PowerShell command example:”
  • [T1071.001] Web Protocols – C2 traffic used HTTP GET/POST to a remote host. “ET MALWARE TA452 Related Backdoor Activity (GET)/(POST)”; “First communication to the C2 … get”
  • [T1082] System Information Discovery – Discovery included system info checks (Get-ComputerInfo, Defender status). “Get-ComputerInfo | out-string” and “Get-MpComputerStatus”
  • [T1087.002] Account Discovery: Domain Account – LDAP-based enumeration of domain accounts via Convert-LDAPProperty. “retrieve information on domain accounts.”
  • [T1033] System Owner/User Discovery – Enumerated the current user context (whoami and environment variables such as $env:temp). “Get information on current user” and “ls $env:temp”
  • [T1049] System Network Connections Discovery – Network discovery via Get-NetTCPConnection. “Get-NetTCPConnection | Out-String”
  • [T1083] File and Directory Discovery – Enumerated files and directories (Get-ChildItem …). “Enumerate files”
  • [T1560.003] Archive Collected Data: Archive via Custom Method – readkey.ps1 read keystrokes from the KeypressValue registry key and XOR-encoded them into logFileuyovaqv.bin before exfiltration. “The readkey.ps1 file grabbed the keystrokes from the KeypressValue registry key, XOR’s the data…”

Indicators of Compromise

  • [IP] 45.89.125.189 – C2 server endpoint used for GET/POST communications (first C2 contact). – 45.89.125.189/get, 45.89.125.189/put
  • [File hash] 9a7d5f126904adc194df4dcbc2c5715c (MD5), a86088cf31c72cc4648ee8dfa082979a74044203 (SHA1) – Hashes of components involved in the intrusion; two further hashes are listed in the full report and not reproduced here.
  • [File name] Updater.vbs, Script.ps1 – Files dropped by the macro and executed through the scheduled task → PowerShell chain.
  • [URL] http://45.89.125[.]189/get – C2 beacon URL observed in network traffic (defanged).

Read more: https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/