Magic Hound
Associated Group Descriptions |
| Name | Description |
|---|---|
| Charming Kitten | (Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| APT35 | (Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| ITG18 | (Citation: IBM ITG18 2020) |
| Phosphorus | (Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| TA453 | (Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022) |
| COBALT ILLUSION | (Citation: Secureworks COBALT ILLUSION Threat Profile) |
| Newscaster | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018) |
Techniques Used |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.003 | Account Discovery: Email Account | Magic Hound has used PowerShell to discover email accounts.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.(Citation: FireEye APT35 2018) |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.(Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | Magic Hound has acquired Amazon S3 buckets to use in C2.(Citation: Check Point APT35 CharmPower January 2022) |
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to Log4j (CVE-2021-44228).(Citation: Check Point APT35 CharmPower January 2022) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Magic Hound malware has used HTTP for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Magic Hound malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Magic Hound has used PowerShell for execution and privilege escalation.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Magic Hound has used the command-line interface.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Magic Hound malware has used VBS scripts for execution.(Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1586.002 | Compromise Accounts: Email Accounts | Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.(Citation: IBM ITG18 2020) |
| Enterprise | T1584.001 | Compromise Infrastructure: Domains | Magic Hound has used compromised domains to host links targeted to specific phishing victims.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 July2021)(Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1136.001 | Create Account: Local Account | Magic Hound has created a user named `DefaultAccount` on compromised machines and assigned it to the Administrators and Remote Desktop Users groups.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Magic Hound used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.(Citation: Check Point Rocket Kitten) |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | Magic Hound has collected .PST archives.(Citation: FireEye APT35 2018) |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | Magic Hound has exported emails from compromised Exchange servers.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them, through messages and voice communications, to open malicious links.(Citation: ClearSky Kittens Back 3 August 2020) |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | Magic Hound has established email accounts using fake personas for spearphishing operations.(Citation: IBM ITG18 2020)(Citation: Proofpoint TA453 March 2021) |
| Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites.(Citation: IBM ITG18 2020) |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Magic Hound has acquired the personal email addresses of some individuals they intend to target.(Citation: Proofpoint TA453 July2021) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.(Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic: `"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389`.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1070.003 | Indicator Removal: Clear Command History | Magic Hound has removed mailbox export requests from compromised Exchange servers.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Magic Hound has deleted and overwritten files to cover its tracks.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Magic Hound malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Magic Hound has used the name dllhost.exe to mask a malicious tool used in C2.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Magic Hound has stolen domain credentials by dumping LSASS process memory with comsvcs.dll and from a Microsoft Active Directory Domain Controller using Mimikatz.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Magic Hound has obtained and used open-source penetration testing tools like Havij, sqlmap, Metasploit, and Mimikatz.(Citation: Check Point Rocket Kitten)(Citation: FireEye APT35 2018)(Citation: Check Point APT35 CharmPower January 2022) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Magic Hound has used personalized spearphishing attachments.(Citation: Check Point Rocket Kitten) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.(Citation: Secureworks Cobalt Gypsy Feb 2017)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.(Citation: SecureWorks Mia Ash July 2017)(Citation: Microsoft Phosphorus Mar 2019)(Citation: ClearSky Kittens Back 3 August 2020) |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Magic Hound has used SMS and email messages with links designed to steal credentials.(Citation: Certfa Charming Kitten January 2021)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Magic Hound has used Remote Desktop Services on targeted systems.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Magic Hound has used scheduled tasks to establish persistence.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Magic Hound has used multiple web shells to gain execution.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1204.001 | User Execution: Malicious Link | Magic Hound has attempted to lure victims into opening malicious links embedded in emails.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021) |
| Enterprise | T1204.002 | User Execution: Malicious File | Magic Hound has lured victims into executing malicious files.(Citation: FireEye Operation Saffron Rose 2013) |
| Enterprise | T1204.002 | User Execution: Malicious File | Magic Hound has attempted to lure victims into opening malicious email attachments.(Citation: ClearSky Kittens Back 3 August 2020) |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Magic Hound malware can use a SOAP Web service to communicate with its C2 server.(Citation: Unit 42 Magic Hound Feb 2017) |
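Several of the procedures in the table leave evidence in process-creation telemetry: the netsh rule allowing inbound TCP/3389, rundll32 invoking MiniDump from comsvcs.dll, the creation of a `DefaultAccount` user and its addition to the Administrators or Remote Desktop Users groups, and a tool named dllhost.exe running outside the Windows system directories. The Python below is an added example, not code from ATT&CK or from any of the cited reports; the event records are constructed Sysmon-style (Image, CommandLine) samples, and the set of legitimate dllhost.exe directories is an assumption.

```python
import ntpath
import re

# Constructed process-creation records modelled on Sysmon Event ID 1 fields (Image, CommandLine).
# These are sample lines written for this example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": '"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\out.dmp full"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user DefaultAccount /add"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net localgroup "Remote Desktop Users" DefaultAccount /add'},
    {"Image": r"C:\Users\Public\dllhost.exe", "CommandLine": "dllhost.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "CommandLine": "dllhost.exe /Processid:{placeholder}"},  # benign
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface show interface"},  # benign
]

# Command-line rules, each tagged with the ATT&CK sub-technique the procedure on this page maps to.
CMDLINE_RULES = [
    ("T1562.004", "Inbound firewall rule allowing TCP/3389 (RDP) added via netsh",
     re.compile(r"(?=.*\badvfirewall\b)(?=.*\badd\s+rule\b)(?=.*\bdir=in\b)(?=.*\baction=allow\b)(?=.*\blocalport=3389\b)", re.I)),
    ("T1003.001", "rundll32 loading comsvcs.dll MiniDump (LSASS memory dump)",
     re.compile(r"\bcomsvcs\.dll\b.*\bMiniDump\b", re.I)),
    ("T1136.001", "Local account created with net user /add",
     re.compile(r"\bnet1?\s+user\s+\S+.*\s/add\b", re.I)),
    ("T1136.001", "Account added to Administrators or Remote Desktop Users",
     re.compile(r'\bnet1?\s+localgroup\s+"?(Administrators|Remote Desktop Users)"?\s+\S+\s+/add\b', re.I)),
]
# Assumption: a genuine dllhost.exe is expected only in the standard Windows system directories.
LEGIT_DLLHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def match_event(event):
    """Return a list of (technique_id, reason) findings for one process-creation record."""
    findings = []
    cmd = event.get("CommandLine", "")
    for tech, reason, pattern in CMDLINE_RULES:
        if pattern.search(cmd):
            findings.append((tech, reason))
    # T1036.005: a binary named dllhost.exe executing from outside the Windows system directories.
    image = event.get("Image", "")
    if ntpath.basename(image).lower() == "dllhost.exe" and ntpath.dirname(image).lower() not in LEGIT_DLLHOST_DIRS:
        findings.append(("T1036.005", f"dllhost.exe running from unexpected path {image}"))
    return findings


def scan(events):
    """Map each flagged command line to its findings; events with no findings are omitted."""
    return {e["CommandLine"]: hits for e in events if (hits := match_event(e))}
```

Running `scan(SAMPLE_EVENTS)` flags the first five records and leaves the two benign ones out; in production the rules would be fed from Sysmon or Security event 4688 records rather than the inline list.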
References
- Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Wikoff, A. and Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
- Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
- Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
- ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
- Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
- Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
- Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
- Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
- ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. Retrieved April 21, 2021.
- Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
- Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
- US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.