Magic Hound
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| Charming Kitten | (Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| APT35 | (Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| ITG18 | (Citation: IBM ITG18 2020) |
| Phosphorus | (Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| Mint Sandstorm | (Citation: Microsoft Threat Actor Naming July 2023) |
| TA453 | (Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022) |
| COBALT ILLUSION | (Citation: Secureworks COBALT ILLUSION Threat Profile) |
| Newscaster | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .003 | Account Discovery: Email Account |
Magic Hound has used Powershell to discover email accounts.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.(Citation: FireEye APT35 2018) |
| .007 | Account Manipulation: Additional Local or Domain Groups |
Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.(Citation: DFIR Report APT35 ProxyShell March 2022) |
||
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.(Citation: Certfa Charming Kitten January 2021) |
| .006 | Acquire Infrastructure: Web Services |
Magic Hound has acquired Amazon S3 buckets to use in C2.(Citation: Check Point APT35 CharmPower January 2022) |
||
| Enterprise | T1595 | .002 | Active Scanning: Vulnerability Scanning |
Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j and ProxyShell vulnerabilities; CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in on-premises MS Exchange Servers; and CVE-2018-13379 in Fortinet FortiOS SSL VPNs.(Citation: Check Point APT35 CharmPower January 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Magic Hound has used HTTP for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Magic Hound malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Magic Hound has used PowerShell for execution and privilege escalation.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Magic Hound has used the command-line interface for code execution.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
Magic Hound malware has used VBS scripts for execution.(Citation: Unit 42 Magic Hound Feb 2017) |
||
| Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.(Citation: IBM ITG18 2020) |
| Enterprise | T1584 | .001 | Compromise Infrastructure: Domains |
Magic Hound has used compromised domains to host links targeted to specific phishing victims.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 July2021)(Citation: Certfa Charming Kitten January 2021)(Citation: Google Iran Threats October 2021) |
| Enterprise | T1136 | .001 | Create Account: Local Account |
Magic Hound has created local accounts named `help` and `DefaultAccount` on compromised machines.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Magic Hound used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.(Citation: Check Point Rocket Kitten) |
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
Magic Hound has collected .PST archives.(Citation: FireEye APT35 2018) |
| .002 | Email Collection: Remote Email Collection |
Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet `New-MailboxExportRequest.`(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
||
| Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.(Citation: ClearSky Kittens Back 3 August 2020) |
| .002 | Establish Accounts: Email Accounts |
Magic Hound has established email accounts using fake personas for spearphishing operations.(Citation: IBM ITG18 2020)(Citation: Proofpoint TA453 March 2021) |
||
| Enterprise | T1592 | .002 | Gather Victim Host Information: Software |
Magic Hound has captured the user-agent strings from visitors to their phishing sites.(Citation: Google Iran Threats October 2021) |
| Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials |
Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites. Magic Hound has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel.(Citation: IBM ITG18 2020)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| .002 | Gather Victim Identity Information: Email Addresses |
Magic Hound has identified high-value email accounts in academia, journalism, NGO's, foreign policy, and national security for targeting.(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021) |
||
| Enterprise | T1590 | .005 | Gather Victim Network Information: IP Addresses |
Magic Hound has captured the IP addresses of visitors to their phishing sites.(Citation: Google Iran Threats October 2021) |
| Enterprise | T1591 | .001 | Gather Victim Org Information: Determine Physical Locations |
Magic Hound has collected location information from visitors to their phishing sites.(Citation: Google Iran Threats October 2021) |
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.(Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| .002 | Impair Defenses: Disable Windows Event Logging |
Magic Hound has executed scripts to disable the event log service.(Citation: DFIR Phosphorus November 2021) |
||
| .004 | Impair Defenses: Disable or Modify System Firewall |
Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic - `"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389`.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
||
| Enterprise | T1070 | .003 | Indicator Removal: Clear Command History |
Magic Hound has removed mailbox export requests from compromised Exchange servers.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| .004 | Indicator Removal: File Deletion |
Magic Hound has deleted and overwrote files to cover tracks.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Phosphorus November 2021) |
||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Magic Hound malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017) |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.(Citation: DFIR Phosphorus November 2021) |
| .005 | Masquerading: Match Legitimate Name or Location |
Magic Hound has used `dllhost.exe` to mask Fast Reverse Proxy (FRP) and `MicrosoftOutLookUpdater.exe` for Plink.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
||
| .010 | Masquerading: Masquerade Account Name |
Magic Hound has created local accounts named `help` and `DefaultAccount` on compromised machines.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
Magic Hound has used base64-encoded commands.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
||
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Magic Hound has obtained and used tools like Havij, sqlmap, Metasploit, Mimikatz, and Plink.(Citation: Check Point Rocket Kitten)(Citation: FireEye APT35 2018)(Citation: Check Point APT35 CharmPower January 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Magic Hound has used personalized spearphishing attachments.(Citation: Check Point Rocket Kitten) |
| .002 | Phishing: Spearphishing Link |
Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy.(Citation: Secureworks Cobalt Gypsy Feb 2017)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
||
| .003 | Phishing: Spearphishing via Service |
Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.(Citation: SecureWorks Mia Ash July 2017)(Citation: Microsoft Phosphorus Mar 2019)(Citation: ClearSky Kittens Back 3 August 2020) |
||
| Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.(Citation: Certfa Charming Kitten January 2021)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Magic Hound has used Remote Desktop Services to copy tools on targeted systems.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Magic Hound has used scheduled tasks to establish persistence and execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Magic Hound has used multiple web shells to gain execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.(Citation: DFIR Report APT35 ProxyShell March 2022) |
| Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.(Citation: DFIR Phosphorus November 2021) |
| .002 | System Network Configuration Discovery: Wi-Fi Discovery |
Magic Hound has collected names and passwords of all Wi-Fi networks to which a device has previously connected.(Citation: Check Point APT35 CharmPower January 2022) |
||
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Magic Hound has attempted to lure victims into opening malicious links embedded in emails.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021) |
| .002 | User Execution: Malicious File |
Magic Hound has lured victims into executing malicious files.(Citation: FireEye Operation Saffron Rose 2013) |
||
| .002 | User Execution: Malicious File |
Magic Hound has attempted to lure victims into opening malicious email attachments.(Citation: ClearSky Kittens Back 3 August 2020) |
||
| Enterprise | T1078 | .001 | Valid Accounts: Default Accounts |
Magic Hound enabled and used the default system managed account, DefaultAccount, via `"powershell.exe" /c net user DefaultAccount /active:yes` to connect to a targeted Exchange server over RDP.(Citation: DFIR Phosphorus November 2021) |
| .002 | Valid Accounts: Domain Accounts |
Magic Hound has used domain administrator accounts after dumping LSASS process memory.(Citation: DFIR Phosphorus November 2021) |
||
| Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Magic Hound malware can use a SOAP Web service to communicate with its C2 server.(Citation: Unit 42 Magic Hound Feb 2017) |
References
- Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
- MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
- Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
- ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
- Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
- Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
- Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
- Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Retrieved December 7, 2023.
- Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
- Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
- ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021.
- Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
- US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.