Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa – Palo Alto Networks Blog

MITRE Techniques

• [T1059.005] VBScript – In-memory VBScript implant deployed to run webshell clandestinely. “an in-memory VBscript implant deployed by the threat actor.”
• [T1505] Web Shell – Webshell clandestinely deployed on IIS/Exchange servers via the in-memory VBScript implant. “to run webshell clandestinely”
• [T1046] Network Service Discovery – Reconnaissance using Ladon, Nbtscan, portscans and Windows commands. “Ladon web scanning tool (authored by “k8gege”) … Nbtscan … Portscan … Netstat, nslookup, net, ipconfig, tasklist, quser”
• [T1134] Access Token Manipulation – Privilege escalation using Potato suite tools (e.g., JuicyPotatoNG) to create admin accounts and run elevated tools. “The main tools that were observed during the investigation were: Using those tools, the threat actor attempted to create administrative accounts, and to run various tools that require elevated privileges.”
• [T1548.001] Abuse Elevation Control: Accessibility Features – Sticky Keys abuse to obtain an elevated command prompt. “Sticky Keys Attack is Making a Comeback” … “sethc.exe” … replaced with “cmd.exe”
• [T1068] Exploitation for Privilege Escalation – IIS privilege escalation tool “Iislpe.exe” used as part of IIS PE
• [T1003] Credential Dumping – Credential dumping with Mimikatz, SAM, WDigest, NTDS.dit; includes a novel network-provider method using ntos.dll. “Mimikatz, Dumping the Sam key, Forcing WDigest to store credentials in plaintext and Dumping NTDS.dit …
• [T1021] Remote Services – Lateral movement via Yasso modules (SMB, WinRM, SSH, MSSQL). “SMB Service blowup module”, “Winrm service blowup module”, “SSH service burst module”, “MSSQL … module”
• [T1047] WMI – Additional lateral movement TTPs include WMI, Scheduled Task, WinRS and Net
• [T1114] Email Collection – Exfiltration of targeted emails via Exchange management shell exports and PSTs. “Get-MailboxExportRequest” and related commands described
• [T1059.001] PowerShell – Add PowerShell snap-ins (PSSnapins) to manage Exchange and export emails. “Add-PSSnapin … Microsoft.Exchange.Management.Powershell.E2010”
• [T1560] Archive Collected Data – Exported email data to PSTs and password-protected TIFFs for exfiltration. “output … saved into .tiff files, … compressed, password-protected and sent to the attacker’s C2”