
SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)
ID: G0083
Associated Groups: 
Version: 1.1
Created: 29 Jan 2019
Last Modified: 19 May 2020

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols
SilverTerrier uses HTTP for C2 communications.(Citation: Unit42 SilverTerrier 2018)

Enterprise T1071.002 Application Layer Protocol: File Transfer Protocols
SilverTerrier uses FTP for C2 communications.(Citation: Unit42 SilverTerrier 2018)

Enterprise T1071.003 Application Layer Protocol: Mail Protocols
SilverTerrier uses SMTP for C2 communications.(Citation: Unit42 SilverTerrier 2018)

Software

ID Name References Techniques
S0198 NETWIRE (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015) (Citation: Unit42 SilverTerrier 2018) Proxy, Registry Run Keys / Startup Folder, Software Packing, Symmetric Cryptography, Archive via Custom Method, Malicious File, Malicious Link, Automated Collection, XDG Autostart Entries, Visual Basic, Obfuscated Files or Information, PowerShell, Process Injection, Cron, File and Directory Discovery, Process Discovery, Unix Shell, System Network Connections Discovery, Archive Collected Data, Credentials from Web Browsers, Spearphishing Link, Plist Modification, Credentials from Password Stores, Match Legitimate Name or Location, Web Service, Hidden Files and Directories, Application Window Discovery, Windows Command Shell, Invalid Code Signature, Keylogging, Native API, Scheduled Task, Screen Capture, Login Items, System Network Configuration Discovery, Web Protocols, Process Hollowing, Modify Registry, System Information Discovery, Spearphishing Attachment, Local Data Staging, Non-Application Layer Protocol, Encrypted Channel, Launch Agent, Ingress Tool Transfer
S0334 DarkComet (Citation: DarkKomet) (Citation: FYNLOS) (Citation: Fynloski) (Citation: Krademok) (Citation: Malwarebytes DarkComet March 2018) (Citation: TrendMicro DarkComet Sept 2014) (Citation: Unit42 SilverTerrier 2018) Command and Scripting Interpreter, Clipboard Data, Video Capture, System Information Discovery, Ingress Tool Transfer, Process Discovery, Windows Command Shell, Disable or Modify System Firewall, Remote Desktop Protocol, Registry Run Keys / Startup Folder, Web Protocols, Audio Capture, Disable or Modify Tools, Software Packing, Modify Registry, Keylogging, System Owner/User Discovery, Match Legitimate Name or Location
S0336 NanoCore (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018) (Citation: Unit42 SilverTerrier 2018) Ingress Tool Transfer, Windows Command Shell, System Network Configuration Discovery, Video Capture, Disable or Modify System Firewall, Obfuscated Files or Information, Audio Capture, Visual Basic, Keylogging, Modify Registry, Symmetric Cryptography, Disable or Modify Tools, Registry Run Keys / Startup Folder, Uncommonly Used Port
S0447 Lokibot (Citation: CISA Lokibot September 2020) (Citation: Infoblox Lokibot January 2019) (Citation: Morphisec Lokibot April 2020) (Citation: Talos Lokibot Jan 2021) (Citation: Unit42 SilverTerrier 2018) Visual Basic, Spearphishing Attachment, Software Packing, Obfuscated Files or Information, Deobfuscate/Decode Files or Information, Credentials from Password Stores, Reflective Code Loading, Process Hollowing, System Owner/User Discovery, File and Directory Discovery, Keylogging, Windows Command Shell, Modify Registry, Scheduled Task, Time Based Evasion, Exfiltration Over C2 Channel, Scheduled Task/Job, Bypass User Account Control, System Information Discovery, Native API, Hidden Files and Directories, PowerShell, System Network Configuration Discovery, File Deletion, Malicious File, Web Protocols, Ingress Tool Transfer, Credentials from Web Browsers
S0331 Agent Tesla (Citation: Bitdefender Agent Tesla April 2020) (Citation: DigiTrust Agent Tesla Jan 2017) (Citation: Fortinet Agent Tesla April 2018) (Citation: Malwarebytes Agent Tesla April 2020) (Citation: Talos Agent Tesla Oct 2018) (Citation: Unit42 SilverTerrier 2018) Process Injection, Virtualization/Sandbox Evasion, Clipboard Data, Spearphishing Attachment, Screen Capture, Local Account, Registry Run Keys / Startup Folder, Credentials In Files, Windows Management Instrumentation, Malicious File, Exploitation for Client Execution, System Network Configuration Discovery, Regsvcs/Regasm, System Time Discovery, System Owner/User Discovery, Ingress Tool Transfer, Process Discovery, Credentials from Web Browsers, Video Capture, Obfuscated Files or Information, Browser Session Hijacking, Web Protocols, Exfiltration Over Unencrypted Non-C2 Protocol, Hidden Window, Keylogging, Scheduled Task, Hidden Files and Directories, Deobfuscate/Decode Files or Information, Credentials from Password Stores, System Information Discovery, Disable or Modify Tools, Archive Collected Data, Mail Protocols, Modify Registry, Uncommonly Used Port, Process Hollowing, Credentials in Registry
