The Gentlemen are knocking: custom backdoors and evolving tactics

The Gentlemen is a fast-growing ransomware group operating under a RaaS model, with activity rising in early 2026 and targeting large organizations and critical infrastructure worldwide. Its operations include custom reconnaissance, a Go-based backdoor, Go and C-based ransomware variants, and multiple evasion, lateral movement, and defense-disabling techniques. #TheGentlemen #SharpADWS #PsExec #NETLOGON #WindowsDefender

Keypoints

  • The Gentlemen emerged as a notable ransomware-as-a-service group and by the first half of 2026 ranked among the top 10 ransomware actors by victim announcements.
  • The group targets large corporations and critical infrastructure, with observed intrusions across multiple regions including Brazil, China, Indonesia, Taiwan, and Thailand.
  • Initial access often comes from exploiting exposed online services and using stolen, weak, leaked, or default credentials, sometimes via initial access brokers.
  • The group performs extensive reconnaissance with tools such as SharpADWS, NetScan, Advanced IP Scanner, and netsh packet capture to collect network and Active Directory intelligence.
  • Defense evasion includes BYOVD attacks, vulnerable drivers, open-source kernel tools, registry changes, PowerShell commands, and attempts to disable Windows Defender and Kaspersky.
  • A custom Go-based backdoor was observed establishing persistent C2 communication, collecting host data, and enabling command execution and SOCKS proxy pivoting.
  • The ransomware ecosystem includes a mature Go variant and a newer C-based Windows variant, each using a different encryption scheme and its own persistence and lateral movement methods.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access through vulnerabilities in internet-exposed services and devices (‘exploiting vulnerabilities in online services’ and targeting VPNs/firewalls exposed to the internet).
  • [T1078] Valid Accounts – Access gained using stolen, weak, leaked, or default credentials (‘use leaked or default credentials to gain access’).
  • [T1018] Remote System Discovery – Internal scanning to identify active systems and services (‘NetScan and Advanced IP Scanner to scan the network’).
  • [T1069.002] Permission Groups Discovery: Domain Groups – Enumerating domain groups and domain admins (‘net group “Domain Admins” /domain’ and ‘net group’).
  • [T1087.002] Account Discovery: Domain Account – Enumerating Active Directory objects and computers (‘SharpADWS is used to gather detailed Active Directory information’ and ‘Get-ADComputer -Filter *’).
  • [T1046] Network Service Discovery – Scanning ports and services to identify exposed services (‘discover active ports and services’).
  • [T1040] Network Sniffing – Capturing network traffic with netsh and analyzing it for sensitive data (‘netsh trace start capture=yes’ and ‘reveal sensitive information such as unencrypted network activity and potential passwords’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Using ADMIN$ and NETLOGON shares to move tools (‘saved to a shared administrative folder’ and ‘use the NETLOGON share’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Spreading ransomware through network shares and administrative paths (‘copy itself to the NETLOGON network folder’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement using PsExec over remote administration channels (‘employ PsExec to remotely execute the ransomware binary’).
  • [T1068] Exploitation for Privilege Escalation – Using vulnerable drivers to gain elevated capabilities (‘installing a vulnerable driver and exploiting its weakness’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling security products via driver abuse, registry edits, and utilities (‘disable security software’, ‘modify Windows Defender’, ‘kavrmvr.exe’).
  • [T1562.006] Impair Defenses: Indicator Blocking – Intercepting and blocking system calls with kernel tools (‘can intercept and block system calls’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Using PowerShell for deployment, defense evasion, and lateral movement (‘deploy_gpo.ps1’, ‘Set-MpPreference’, ‘Invoke-WebRequest’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executing commands through cmd.exe for reconnaissance and persistence (‘cmd.exe /c whoami’ and ‘cmd.exe /Q /c netsh trace’).
  • [T1202] Indirect Command Execution – The backdoor sends bytes that trigger either command execution or SOCKS proxying (‘if the response byte was c, or establishing a SOCKS proxy connection if the byte was s’).
  • [T1105] Ingress Tool Transfer – Downloading PsExec from Sysinternals when absent (‘Invoke-WebRequest -Uri … PsExec.exe’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via registry Run key (‘HKLM…Run’ /v ‘GupdateS’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence and privilege execution using scheduled tasks (‘UpdateUser’ and ‘TaskSystem’).
  • [T1489] Service Stop – Terminating services before encryption (‘disables and stops certain services using sc.exe’).
  • [T1489] Service Stop – Stopping Hyper-V virtual machines before encrypting virtual disks (‘Stop-VM -Force -TurnOff’).
  • [T1112] Modify Registry – Changing Windows Defender policy settings in the registry (‘DisableAntiSpyware’ and ‘DisableRealtimeMonitoring’).
  • [T1490] Inhibit System Recovery – Deleting shadow copies to prevent restoration (‘vssadmin.exe delete shadows’ and ‘wmic.exe shadowcopy delete’).
  • [T1070.001] Clear Windows Event Logs – Clearing System, Application, and Security logs (‘wevtutil.exe cl System’).
  • [T1119] Automated Collection – Using netsh capture and scripted reconnaissance to gather data at scale (‘capture=yes’ and scripted domain scanning).
  • [T1027] Obfuscated Files or Information – Go obfuscator renames symbols, files, and signatures to hinder analysis (‘renames symbols, source code files, and structures’).
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Embedded public keys and Base64-encoded values (‘encoded in Base64 as HvzC6Dq/…’).
  • [T1486] Data Encrypted for Impact – Encrypting files using Curve25519 + XChaCha20 or AES256-GCM + RSA (‘begins encrypting files’).
  • [T1491.001] Defacement: Internal Defacement – Changing wallpaper to an embedded image as part of ransom impact (‘changes the desktop wallpaper’).
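A defender-side example, added here and not part of the Securelist article: a small Python matcher that maps process-creation command lines to the techniques listed above, using only the commands quoted in the list. The sample events are constructed; the rule names and the `scan_events` helper are my own.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    technique: str
    name: str
    pattern: re.Pattern

# Detection rules built from the commands quoted in the technique list above.
RULES = [
    Rule("T1490", "Shadow copy deletion",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    Rule("T1070.001", "Event log clearing",
         re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(System|Application|Security)\b", re.I)),
    Rule("T1040", "netsh packet capture",
         re.compile(r"\bnetsh\s+trace\s+start\b.*\bcapture=yes\b", re.I)),
    Rule("T1562.001", "Defender tampering via Set-MpPreference",
         re.compile(r"\bSet-MpPreference\b", re.I)),
    Rule("T1112", "Defender policy registry change",
         re.compile(r"\breg(\.exe)?\s+add\b.*\b(DisableAntiSpyware|DisableRealtimeMonitoring)\b", re.I)),
    Rule("T1547.001", "Run key persistence (GupdateS)",
         re.compile(r"CurrentVersion\\Run\b.*\bGupdateS\b", re.I)),
    Rule("T1069.002", "Domain Admins enumeration",
         re.compile(r'\bnet\s+group\s+"?Domain Admins"?\s+/domain\b', re.I)),
    Rule("T1105", "PsExec download from Sysinternals",
         re.compile(r"\bInvoke-WebRequest\b.*live\.sysinternals\.com/PsExec\.exe", re.I)),
]

def match_command_line(cmdline):
    """Return (technique, name) pairs whose pattern matches one command line."""
    return [(r.technique, r.name) for r in RULES if r.pattern.search(cmdline)]

def scan_events(events):
    """events: iterable of (host, command_line). Returns one finding dict per hit."""
    return [{"host": h, "technique": t, "name": n, "cmdline": c}
            for h, c in events for t, n in match_command_line(c)]

# Constructed sample process-creation events (not taken from the article).
SAMPLE_EVENTS = [
    ("srv01", "cmd.exe /Q /c netsh trace start capture=yes tracefile=C:\\Temp\\t.etl"),
    ("srv01", "vssadmin.exe delete shadows /all /quiet"),
    ("srv02", "wevtutil.exe cl Security"),
    ("srv02", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("ws05", "cmd.exe /c whoami"),  # ordinary recon command, matches no rule here
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']}: [{f['technique']}] {f['name']} <- {f['cmdline']}")
```

Feed it Sysmon Event ID 1 or Security 4688 command lines; the single-event `whoami` is deliberately unmatched because it is only meaningful in sequence with the other commands.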

Indicators of Compromise

  • [IP address] Go backdoor C2 server – 81.177.215.15, 81[.]177[.]215[.]15:9443
  • [File names] Ransomware and backdoor binaries – locker.exe, gentle.exe, sihost.exe, fin.exe
  • [File names] Ransom note files – README-GENTLEMEN.txt, !-READ-ME—-GEN-TLE-MEN-!.txt
  • [File names] Lateral movement and deployment scripts – deploy_gpo.ps1, ScheduledTasks.xml
  • [File hashes] Sample hashes for ransomware/backdoor/drivers/scanners – 3B46A729DB7AE6AF8B19711C9452194D, 554E699C96B332468F1AE69C1AE81EF9, and 2 more hashes
  • [File hashes] Additional malware and tool hashes – 5761BD63DA03686FC480245DA7BD1E9F, EDB1C480295250DD1A38F3AA1357DEAE, and other hashes listed in the article
  • [Domains/URLs] Tool download and update sources – live.sysinternals.com/PsExec.exe, used to fetch PsExec if missing
  • [File paths] Common staging and execution locations – C:\Temp, C:\Netlogon, C:\Windows\sysvol\domain\scripts, %TEMP%
  • [Registry keys] Defender and persistence modification locations – HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • [Network shares] Administrative and domain shares used for propagation – ADMIN$, NETLOGON, C:\Sharing
  • [Encoded key material] Embedded ransomware public key – HvzC6Dq/siFthWSgE5ozZyQDu9cyxIoxb3NuRHI6pDM=


Read more: https://securelist.com/the-gentlemen-raas/120447/