Welcome to New York: Exploring TA453’s Foray into LNKs and Mac Malware | Proofpoint US

MITRE Techniques

• [T1566.002] Spearphishing Link – Initial contact via a benign email that delivered a malicious Google Script link redirecting to a Dropbox host. – “delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL.”
• [T1059.001] PowerShell – The LNK in the RAR used PowerShell to download additional stages from a cloud hosting provider. – “LNK enclosed in the RAR used PowerShell to download additional stages from a cloud hosting provider.”
• [T1105] Ingress Tool Transfer – Downloading additional payloads from cloud hosting during the infection chain. – “download base64 encoded content from a .txt file” ( Borjol/GorjolEcho flow).
• [T1027] Obfuscated/Compressed Files and Information – Obfuscated PowerShell to call out to the cloud hosting provider. – “obfuscated PowerShell to call out to the cloud hosting provider.”
• [T1132] Data Encoding – Exfiltration uses base64 encoding as part of the data pipeline. – “encoded in base64 and then saved to result.txt for exfiltration.”
• [T1518.001] Software Discovery – NokNok information modules gather installed software for exfiltration. – “list installed Applications which are then base64 encoded for exfiltration.”
• [T1082] System Information Discovery – NokNok Informations module retrieves OS version, uptime, installed software. – “to retrieve information about the system’s software, specifically the SPSoftwareDataType … and installed software.”
• [T1016] System Network Configuration Discovery – NokNok Informations/other modules gather network information via ifconfig. – “uses ifconfig to gather network information.”
• [T1057] Process Discovery – NokNok Processes module uses ps -aux to list running processes. – “The Processes module uses ps-aux to gather a list of all currently running processes.”
• [T1547.001] Boot or Logon Autostart Execution – Persistence via a StartUp entry. – “establishes persistence through putting a copy of the initial stages in a StartUp entry.”
• [T1036] Masquerading – Mac/Malware masquerades as legitimate software (RUSI VPN solution and Finder GUI). – “masquerading as a RUSI VPN solution and share drive GUI.”
• [T1059.004] Command and Scripting Interpreter (macOS Bash/AppleScript) – AppleScript and Bash-based macOS infection chain. – “executes an Apple script file, which uses curl to download a file” and “bash script dubbed NokNok.”
• [T1071.001] Web Protocols – GorjolEcho C2 channel uses HTTPS for C2 communications. – “GorjolEcho starts by displaying a decoy PDF … exfiltrating information to the C2 … over AES encrypted HTTPS.”
• [T1041] Exfiltration Over C2 Channel – Collected data is encrypted/encoded and sent to C2. – “exfiltrating information to the C2.”