Inception
Associated Group Descriptions |
|
Name | Description |
---|---|
Cloud Atlas | (Citation: Kaspersky Cloud Atlas December 2014) |
Inception Framework | (Citation: Symantec Inception Framework March 2018) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Inception has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Inception has maintained persistence by modifying Registry run key value
|
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Inception has used PowerShell to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014) |
.005 | Command and Scripting Interpreter: Visual Basic |
Inception has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014) |
||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.(Citation: Symantec Inception Framework March 2018) |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Inception has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014) |
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014) |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019) |
Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019) |
Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy |
Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018) |
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
Inception has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019) |
.010 | System Binary Proxy Execution: Regsvr32 |
Inception has ensured persistence at system boot by setting the value |
||
Enterprise | T1204 | .002 | User Execution: Malicious File |
Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018) |
Software |
|||
ID | Name | References | Techniques |
---|---|---|---|
S0441 | PowerShower | (Citation: Kaspersky Cloud Atlas August 2019) (Citation: Unit 42 Inception November 2018) | System Information Discovery, File Deletion, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Exfiltration Over C2 Channel, Standard Encoding, Web Protocols, Modify Registry, System Network Configuration Discovery, System Owner/User Discovery, Hidden Window, Archive via Utility, Visual Basic |
S0442 | VBShower | (Citation: Kaspersky Cloud Atlas August 2019) | Visual Basic, File Deletion, Registry Run Keys / Startup Folder, Web Protocols, Ingress Tool Transfer |
S0349 | LaZagne | (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Kaspersky Cloud Atlas August 2019) | Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem |
References
- GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
- Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.