New Tool Set Found Used Against Organizations in the Middle East, Africa and the US

MITRE Techniques

• [T1003] OS Credential Dumping – Credential dumping performed via Ntospy Network Provider DLL to harvest credentials during authentication. Quote: “…hijack the authentication process, to get access to the user credentials every time the victim attempts to authenticate to the system.”
• [T1556.008] Modify Authentication Process: Network Provider DLL – The threat registers a new Network Provider named credman to hijack credentials. Quote: “registers a new Network Provider called credman.”
• [T1027.009] Obfuscated Files or Information: Embedded Payloads – Some samples store credentials in a Microsoft Update Package-like path with plain text or encrypted paths to evade detection. Quote: “files with .msu extensions masquerade as Microsoft Update Package.”
• [T1036.005] Masquerading: Match Legitimate Name or Location – DLLs and file paths masquerade as legitimate system/Windows components (e.g., ntoskrnl.dll, .msu names). Quote: “abusing the Microsoft Update Package extension”
• [T1041] Exfiltration Over C2 Channel – Data, including emails and Roaming Profiles, exfiltrated over DNS/C2 channels and web services. Quote: “Exfiltrate confidential information”
• [T1046] Network Service Discovery – Network scanning and discovery to support C2 and data theft. Quote: “network scan”
• [T1047] Windows Management Instrumentation – Use context around MS Exchange Server environment for authentication-related activity (Windows management utilities context). Quote: “in an MS Exchange Server environment.”
• [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence achieved via scheduled tasks. Quote: “the threat was executed by using scheduled tasks.”
• [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell usage for email collection and related operations. Quote: “PowerShell snap-ins to dump the emails.”
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Command-line tooling used during operations (e.g., RAR/compression and scanning). Quote: “command-line RAR tool”
• [T1070.004] Indicator Removal: File Deletion – Cleanup of the environment after sessions. Quote: “clean up the environment used during the session.”
• [T1573.001] Encrypted Channel: Symmetric Cryptography – All C2 communications encrypted with a stream cipher. Quote: “encryption of all the communication messages through Program.Util.RC.”
• [T1583.001] Acquire Infrastructure: Domains – Use of numerous C2 domains (e.g., geoinfocdn[.]com, geostatcdn[.]com). Quote: “C2 domains identified”
• [T1583.002] Acquire Infrastructure: DNS Server – DNS-based C2 communication with DNS subdomains and IDNA/Punycode. Quote: “The domain names follow the pattern below”
• [T1587.001] Develop Capabilities: Malware – Tools developed/customized for this cluster (Agent Racoon, Ntospy, Mimilite). Quote: “developed capabilities: malware”
• [T1560.001] Archive Collected Data: Archive via Utility – Exfiltration of Roaming Profile via 7-Zip and certutil-based staging. Quote: “standalone version of the 7-Zip tool”
• [T1112] Modify Registry – Registry key path for credman service. Quote: “HKLMSYSTEMCurrentControlSetServicescredman”
• [T1132.001] Data Encoding: Standard Encoding – Use of IDNA/Punycode for DNS domain encoding. Quote: “IDNA domain names with Punycode encoding”
• [T1134.001] Email Collection – Exfiltration of emails from Exchange via PowerShell. Quote: “Email Collection”