Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions

A multi-stage campaign attributed with medium confidence to MexicanMafia aka PanchoVilla targeted critical infrastructure across Latin America using Kimera reconnaissance, exploit kits for Fortinet, Ivanti, Cisco, SAP, and Oracle, plus layered persistence through Neo-reGeorg, Chisel, and compromised Cisco routers. The staging server artifacts showed large-scale credential theft, Active Directory mapping, and data exfiltration against government and enterprise systems, including confirmed activity tied to 62.171.185[.]97 and 165.22.184[.]26. #MexicanMafia #PanchoVilla #Kimera #NeoReGeorg #Chisel #Fortinet #Ivanti #Cisco #SAP #Oracle

Keypoints

  • The threat actor is assessed with medium confidence as MexicanMafia aka PanchoVilla, based on staging server artifacts and prior linked activity.
  • The campaign targeted critical infrastructure in Latin America, with Mexico as the primary focus and additional activity in Ecuador, Portugal, and other regions.
  • Kimera, a custom distributed reconnaissance framework, was used for high-speed subdomain enumeration, port scanning, vulnerability scanning, and host fingerprinting.
  • Initial access leveraged public-facing application exploitation, including Fortinet FortiOS, Ivanti Connect Secure, Apache Tomcat AJP, GeoServer, Oracle, SAP, and SMB-related weaknesses.
  • The actor maintained persistence through Neo-reGeorg webshells, Chisel reverse tunnels, GRE tunnels on compromised Cisco routers, and abused remote-access tools like AnyDesk and N-able.
  • Credential access and collection included LSASS dumping, Kerberoasting, browser credential theft, SAP and Oracle abuse, and extraction of Active Directory datasets and cryptographic material.
  • Exfiltration was performed through alternative protocols, web services, and C2 channels, with evidence of large-scale data theft including over 1.3 million PII records and a 407 MB BloodHound dataset.

MITRE Techniques

  • [T1595.001] Active Scanning: Scanning IP Blocks – Used for high-velocity subdomain enumeration and broad discovery across targets using subfinder, assetfinder, findomain, gobuster, dnsx, and naabu (‘parallelised subdomain enumeration’, ‘naabu port scanning at 5,000 pps’).
  • [T1595.002] Active Scanning: Vulnerability Scanning – Automated CVE and misconfiguration scanning with Nuclei and dalfox (‘Nuclei fed all discovered URLs’, ‘dalfox automated XSS hunting’).
  • [T1592] Gather Victim Host Information – Fingerprinted live hosts and technology stacks using httpx and whatweb (‘fingerprint live hosts’, ‘technology-stack fingerprinting’).
  • [T1589.001] Gather Victim Identity Information: Credentials – Extracted credentials and secrets from repositories with regex-based scanning (‘extracting AWS keys, JWTs, bearer tokens, Base64 secrets, LDAP strings and SAP credentials’).
  • [T1593.002] Search Open Websites/Domains: Search Engines – Used LinkFinder to uncover hidden endpoints and admin panels (‘JavaScript endpoint extraction … to uncover hidden APIs and administrative panels’).
  • [T1590.001] Gather Victim Network Information: Domain Properties – Mapped DNS and subdomains using brute forcing and resolution (‘Subdomain brute-forcing … DNS resolution mapping across government and corporate domains’).
  • [T1587.001] Develop Capabilities: Malware – Built custom tooling including Kimera, Xortigate variants, SMB handlers, and ZipSlip droppers (‘Custom Kimera V1/V2 … custom SMB protocol handlers’).
  • [T1588.006] Obtain Capabilities: Vulnerabilities – Pre-staged exploit chains for Fortinet, Ivanti, Zerologon, EternalBlue, and SMBGhost (‘Pre-staged CVE-specific exploit chains’).
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Used a DigitalOcean VPS as primary C2, relay, and staging server (‘62.171.185[.]97 used as the primary C2’).
  • [T1608.001] Stage Capabilities: Upload Malware – Staged payloads and exploit tooling on the server (‘Centralized exploit armory … chunked payload delivery’).
  • [T1190] Exploit Public-Facing Application – Exploited Fortinet, Ivanti, GhostCat, GeoServer, Oracle, and SAP services (‘FortiGate SSL-VPN exploitation’, ‘SAP RFC abuse’).
  • [T1133] External Remote Services – Used harvested credentials and configuration dumps for VPN and RDP access (‘credential-based VPN access’, ‘RDP access via harvested credentials’).
  • [T1566.002] Phishing: Spearphishing Link – Maintained credential-harvesting phishing pages for tax and document-management users (‘Custom phishing pages targeting tax-authority employees’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Ran OS commands through DBMS_SCHEDULER, SAP RFC, and webshells (‘executing OS commands’, ‘Bash webshells’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Triggered Java execution via GeoServer WFS injection and JSP webshells (‘Runtime.getRuntime() execution’).
  • [T1059.008] Command and Scripting Interpreter: Network Device CLI – Injected TCL scripts and configured GRE tunnels on Cisco routers (‘Cisco IOS TCL script injection’).
  • [T1072] Software Deployment Tools – Used SAP function modules to execute OS commands (‘SXPG_CALL_SYSTEM and SXPG_COMMAND_INSERT’).
  • [T1203] Exploitation for Client Execution – Delivered ysoserial Java deserialization payloads to vulnerable Java servers (‘CommonsCollections5 Java deserialization payload’).
  • [T1569.002] System Services: Service Execution – Achieved Oracle scheduler-based command execution (‘DBMS_SCHEDULER job-based command execution’).
  • [T1505.003] Server Software Component: Web Shell – Deployed Neo-reGeorg and multiple PHP/JSP/CFM shells for persistence (‘Neo-reGeorg JSPX/JSP webshells’).
  • [T1572] Protocol Tunneling – Used Neo-reGeorg, Chisel, and GRE tunnels for layered tunneling (‘TCP-over-HTTP reverse-proxy tunnelling’, ‘GRE tunnel configured on a compromised Cisco router’).
  • [T1546] Event Triggered Execution – Used malicious ZIP archives and ZipSlip extraction to deploy webshells (‘deploying webshells when extracted’).
  • [T1068] Exploitation for Privilege Escalation – Used PwnKit and FortiOS heap grooming for root/privileged code execution (‘PwnKit CVE-2021-4034’).
  • [T1210] Exploitation of Remote Services – Leveraged Zerologon, EternalBlue, SMBGhost, SambaCry, and MS08-067 for escalation and movement (‘confirm domain-controller compromise’).
  • [T1078.002] Valid Accounts: Domain Accounts – Used domain admin and harvested credentials for access and movement (‘domain-admin accounts’).
  • [T1562.003] Impair Defenses: Impair Command History Logging – Suppressed forensic artifacts and cleaned up commands (‘post-exploitation cleanup’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Used LNK files mimicking N-able RMM components (‘mimicking the N-able RMM agent’).
  • [T1027] Obfuscated Files or Information – Hid payloads with Base64, AES encryption, chunking, and custom encoding (‘Base64-encoded payloads’, ‘AES-encrypted Neo-reGeorg webshell channel’).
  • [T1090.002] Proxy: External Proxy – Routed traffic through external SOCKS5 relays and proxychains (‘Multi-port SOCKS5 relay’).
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – Used Impacket tools for credential-free lateral movement (‘psexec.py, wmiexec.py and ntlmrelayx.py’).
  • [T1205] Traffic Signaling – Bypassed WAFs with spoofed headers, user agents, and encoding tricks (‘X-Forwarded-For localhost spoofing’, ‘double URL encoding’).
  • [T1140] Deobfuscate/Decode Files or Information – Decrypted FortiGate, WebLogic, and Oracle credentials/configuration (‘FortiGate AES-CBC configuration decryption’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Used secretsdump and captured NTLM hashes (‘NTLM-hash interception’).
  • [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting – Retrieved service-account hashes with GetUserSPNs.py (‘Kerberoastable service-account hashes’).
  • [T1552.001] Unsecured Credentials: Credentials in Files – Found cleartext credentials in configuration and text files (‘FortiGate configuration extraction’, ‘pgpass.conf’).
  • [T1552.005] Unsecured Credentials: Cloud Instance Metadata API – Extracted cloud secrets and tokens from source code repositories (‘AWS access keys, Azure secrets and JWT tokens’).
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Collected Chrome credential stores (‘Login Data and Login Data For Account SQLite databases’).
  • [T1110.002] Brute Force: Password Spraying – Used automated spray and cracking tools against victim accounts (‘aggressive_spray.py, fast_brute.sh’).
  • [T1212] Exploitation for Credential Access – Read passwd/shadow files and exfiltrated SSL private keys through database functions (‘read /etc/passwd and /etc/shadow without OS root’).
  • [T1082] System Information Discovery – Retrieved OS and system details using SAP and Oracle commands (‘CHECK_OS and DIR_LIST command execution’).
  • [T1016] System Network Configuration Discovery – Extracted topology, routing tables, and subnet layouts from FortiGate and Cisco configs (‘full network topology, routing tables and internal subnet layouts’).
  • [T1018] Remote System Discovery – Scanned subnets and ports to identify reachable systems (‘scanning the 10.39.x.x subnet’).
  • [T1069.002] Permission Groups Discovery: Domain Groups – Enumerated AD groups and privileged roles (‘identifying SQL service users, Citrix administrators and CyberArk vault operators’).
  • [T1087.002] Account Discovery: Domain Account – Reconstructed hierarchy from account attributes and SAP roles (‘PasswordLastSet and LastLogon attribute correlation’).
  • [T1135] Network Share Discovery – Probed SMB shares across internal subnets (‘SMB port-445 probing across the 10.8.7.0/24 subnet’).
  • [T1526] Cloud Service Discovery – Assessed VMware AirWatch MDM for exploitation opportunities (‘authentication bypass’).
  • [T1046] Network Service Discovery – Performed high-speed port scanning and service validation (‘naabu port scanning’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Used PsExec and Impacket for remote execution over SMB (‘psexec.py and smbexec.py’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Used harvested RDP credentials and config files for movement (‘default.rdp, users_rdp.txt and pass_rdp.txt’).
  • [T1090.001] Proxy: Internal Proxy – Used SOCKS5 pivots and Chisel to access internal subnets (‘SOCKS5 pivot through 165.22.184[.]26:5571’).
  • [T1080] Taint Shared Content – Staged router-to-router pivoting and TFTP-based configuration staging (‘router-to-router pivot using rt01_telnet_rt02.py’).
  • [T1213] Data from Information Repositories – Accessed document repositories and Zabbix macros for credentials (‘SeedDMS phishing’, ‘Zabbix global-macro extraction’).
  • [T1005] Data from Local System – Read local files and database outputs from victim systems (‘Oracle UTL_FILE reading output files from /tmp’).
  • [T1119] Automated Collection – Automated bulk extraction from Oracle and SAP data sources (‘dump_batch.sh iterating through Oracle tables’).
  • [T1114] Email Collection – Extracted email infrastructure passwords and credentials (‘Zimbra password extraction’).
  • [T1185] Browser Session Hijacking – Abused CORS and session tokens to hijack authenticated sessions (‘req.withCredentials=true CORS abuse’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Used HTTP POST-based Neo-reGeorg C2 and web-like callbacks (‘reverse shells on ports 80, 443 and 8080’).
  • [T1090.003] Proxy: Multi-hop Proxy – Built a layered proxy chain through VPS, relay, and internal nodes (‘Layered architecture using a public VPS’).
  • [T1132.002] Data Encoding: Non-Standard Encoding – Used BLV and custom Base64 encoding in C2 traffic (‘Binary Length Value encoding’).
  • [T1001.001] Data Obfuscation: Junk Data – Hid payloads with AES-encrypted channels and compressed inner payloads (‘GZIP-compressed inner payload’).
  • [T1048.003] Exfiltration Over Alternative Protocol – Streamed SSL keys and metadata over Netcat, Wget, and PostgreSQL pipelines (‘streaming SSL private keys to 62.171.185[.]97:8888’).
  • [T1030] Data Transfer Size Limits – Fragmented binaries into small chunks to evade detection (‘ELF binary divided into approximately 3.9 KB fragments’).
  • [T1567] Exfiltration Over Web Service – Exfiltrated through SOCKS5-tunnelled services and callback mechanisms (‘SOCKS5-tunnelled exfiltration’).
  • [T1041] Exfiltration Over C2 Channel – Used Oracle spooling, TFTP retrieval, and C2 channels for data removal (‘compressed 407 MB BloodHound Active Directory dataset exfiltration’).
  • [T1485] Data Destruction – Altered MySQL configuration to bypass authentication and enable unrestricted manipulation (‘skip-grant-tables injection’).
  • [T1491] Defacement / Web Content Manipulation – Used archive-dropping techniques to re-establish access and manipulate web content (‘embedding a JSP webshell in a path-traversal structure’).
  • [T1565.001] Data Manipulation: Stored Data Manipulation – Injected commands and altered procurement workflows using stolen credentials (‘manipulation of procurement workflows’).

Indicators of Compromise

  • [IP address] Threat actor VPS, relay, and callback infrastructure – 62.171.185[.]97, 165.22.184[.]26, and 185.65.245[.]10:7227
  • [IP address] Confirmed victim or callback hosts – 200.79.113[.]136, 201.144.122[.]60, and 135.237.122[.]202
  • [Port / service] Tunneling and relay services – 1080, 5554, 5571, 8888, and 1389
  • [File names] Webshells, scripts, and payloads on staging server – status.jsp, ver.jsp, sedema_proc.jsp, rev.sh, and shell.php
  • [File names] Credential and tooling artifacts – anydesk_svc.conf, anydesk_usr.conf, cisco_creds.log, pgpass.conf, and kerberoast_tickets.hash
  • [File / binary names] Offensive tooling and staged payloads – chisel.b64, pwnkit_b64, neo.jspx.b64, payload.b64, and chunk_aa through chunk_aj
  • [Domain / service artifacts] Infrastructure and callback patterns – Neo-reGeorg HTTP POST C2, Cisco GRE tunnels, and MGLNDD_62.171.185.97_1389
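The web-shell persistence and HTTP POST-based Neo-reGeorg C2 described under T1505.003 and T1071.001, together with the IoC list above, lend themselves to a simple access-log sweep. The following is an added detection example, not code from the report or from CloudSEK: it refangs the listed actor IPs and webshell file names, and treats a burst of POST requests from one source to one script path as a tunnel heuristic (the threshold of 20 and the combined-log format are assumptions; the log lines are constructed).

```python
import re
from collections import Counter

# Indicator values come from the report's IoC list (defanged there, refanged here for matching).
ACTOR_IPS = {"62.171.185.97", "165.22.184.26", "185.65.245.10"}
WEBSHELL_NAMES = {"status.jsp", "ver.jsp", "sedema_proc.jsp", "shell.php"}
TUNNEL_EXT = (".jsp", ".jspx", ".php", ".cfm")  # script types the report lists as shells
POST_BURST = 20  # assumed threshold: POSTs from one source to one script path

# Combined-log-style line: src - - [timestamp] "METHOD /path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, path, status, _size = m.groups()
    return {"src": src, "method": method, "path": path.split("?")[0], "status": int(status)}

def scan(lines):
    """Return (rule, detail) findings for IoC hits and tunnel-like POST bursts."""
    findings, posts = [], Counter()
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        name = r["path"].rsplit("/", 1)[-1]
        if r["src"] in ACTOR_IPS:  # request originating from listed actor infrastructure
            findings.append(("actor_ip", f'{r["src"]} {r["method"]} {r["path"]}'))
        if name in WEBSHELL_NAMES:  # request for a file name seen on the staging server
            findings.append(("webshell_name", r["path"]))
        if r["method"] == "POST" and r["path"].lower().endswith(TUNNEL_EXT):
            posts[(r["src"], r["path"])] += 1  # Neo-reGeorg-style tunnels ride on repeated POSTs
    for (src, path), n in posts.items():
        if n >= POST_BURST:
            findings.append(("post_burst", f"{src} -> {path} x{n}"))
    return findings

def sample_log():
    """Constructed sample lines (not from the report): a POST burst, one IoC hit, one benign request."""
    tunnel = [f'203.0.113.7 - - [01/Jan/2025:10:00:{i:02d} +0000] "POST /app/neo.jspx HTTP/1.1" 200 {40 + i}'
              for i in range(25)]
    ioc = ['62.171.185.97 - - [01/Jan/2025:10:01:00 +0000] "GET /status.jsp HTTP/1.1" 200 312']
    benign = ['198.51.100.9 - - [01/Jan/2025:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024']
    return tunnel + ioc + benign

if __name__ == "__main__":
    for rule, detail in scan(sample_log()):
        print(rule, detail)
```

Run it against real access logs by feeding the lines to `scan()`; the POST-burst threshold should be tuned per application, since legitimate APIs served by JSP or PHP endpoints also produce repeated POSTs.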


Read more: https://www.cloudsek.com/blog/operation-escaneo-mexican-government-financial-institutions-cyberattack