Dragonfly 2.0
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| IRON LIBERTY | (Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY) |
| DYMALLOY | (Citation: Dragos DYMALLOY ) |
| Berserk Bear | (Citation: Fortune Dragonfly 2.0 Sept 2017) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .002 | Account Discovery: Domain Account |
Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence.(Citation: US-CERT TA18-074A) |
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.(Citation: US-CERT TA18-074A) |
||
| Enterprise | T1110 | .002 | Brute Force: Password Cracking |
Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Kali Hydra) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Dragonfly 2.0 used PowerShell scripts for execution.(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)(Citation: US-CERT APT Energy Oct 2017) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
||
| .006 | Command and Scripting Interpreter: Python |
Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A) |
| Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
Dragonfly 2.0 accessed email accounts using Outlook Web Access.(Citation: US-CERT APT Energy Oct 2017) |
| Enterprise | T1562 | .004 | Impair Defenses: Disable or Modify System Firewall |
Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| .004 | Indicator Removal: File Deletion |
Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
||
| Enterprise | T1003 | .002 | OS Credential Dumping: Security Account Manager |
Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| .003 | OS Credential Dumping: NTDS |
Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. (Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Core Security Impacket) |
||
| .004 | OS Credential Dumping: LSA Secrets |
Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Core Security Impacket) |
||
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| .002 | Phishing: Spearphishing Link |
Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.(Citation: US-CERT TA18-074A) |
||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Dragonfly 2.0 moved laterally via RDP.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Dragonfly 2.0 commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| .002 | User Execution: Malicious File |
Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
||
References
- Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
- Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
- Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
- Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.
- Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.