
WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)
ID: G0090
Associated Groups: 
Version: 2.0
Created: 24 May 2019
Last Modified: 15 Apr 2022

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBScript in its operations.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

WIRTE has named a first stage dropper `Kaspersky Update Agent` in order to appear legitimate.(Citation: Kaspersky WIRTE November 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire for post-exploitation activities.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.(Citation: Kaspersky WIRTE November 2021)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1204 .002 User Execution: Malicious File

WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.(Citation: Kaspersky WIRTE November 2021)

Software

ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: Lab52 WIRTE Apr 2019) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0679 Ferocious (Citation: Kaspersky WIRTE November 2021) Visual Basic, Peripheral Device Discovery, Security Software Discovery, Component Object Model Hijacking, PowerShell, System Checks, System Information Discovery, File Deletion, Modify Registry
S0680 LitePower (Citation: Kaspersky WIRTE November 2021) System Owner/User Discovery, Ingress Tool Transfer, Query Registry, PowerShell, Screen Capture, Native API, Web Protocols, Exfiltration Over C2 Channel, Scheduled Task, Security Software Discovery, System Information Discovery
