Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Inception
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Inception
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)
ID: G0100
Associated Groups: Inception Framework, Cloud Atlas
Version: 1.1
Created: 08 May 2020
Last Modified: 12 Oct 2021

Associated Group Descriptions
Name Description
Inception Framework (Citation: Symantec Inception Framework March 2018)
Cloud Atlas (Citation: Kaspersky Cloud Atlas December 2014)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Inception has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Inception has maintained persistence by modifying Registry run key value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.(Citation: Kaspersky Cloud Atlas December 2014)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Inception has used PowerShell to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)
.005 Command and Scripting Interpreter: Visual Basic

Inception has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.(Citation: Symantec Inception Framework March 2018)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Inception has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)
Enterprise T1588 .002 Obtain Capabilities: Tool

Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019)
Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)
Enterprise T1090 .003 Proxy: Multi-hop Proxy

Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Inception has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019)
.010 System Binary Proxy Execution: Regsvr32

Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1204 .002 User Execution: Malicious File

Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)

Software
ID Name References Techniques
S0441 PowerShower (Citation: Kaspersky Cloud Atlas August 2019) (Citation: Unit 42 Inception November 2018) System Information Discovery, File Deletion, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Exfiltration Over C2 Channel, Standard Encoding, Web Protocols, Modify Registry, System Network Configuration Discovery, System Owner/User Discovery, Hidden Window, Archive via Utility, Visual Basic
S0442 VBShower (Citation: Kaspersky Cloud Atlas August 2019) Visual Basic, File Deletion, Registry Run Keys / Startup Folder, Web Protocols, Ingress Tool Transfer
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: Kaspersky Cloud Atlas August 2019) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem

References

  1. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  2. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  3. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  4. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.