Windshift
Associated Group Descriptions

| Name | Description |
|---|---|
| Bahamut | (Citation: SANS Windshift August 2018) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Windshift has used tools that communicate with C2 over HTTP. (Citation: BlackBerry Bahamut) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Windshift has created LNK files in the Startup folder to establish persistence. (Citation: BlackBerry Bahamut) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Windshift has used Visual Basic 6 (VB6) payloads. (Citation: BlackBerry Bahamut) |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | Windshift has used revoked certificates to sign malware. (Citation: objective-see windtail1 dec 2018) (Citation: SANS Windshift August 2018) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware. (Citation: SANS Windshift August 2018) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Windshift has sent spearphishing emails with links to harvest credentials and deliver malware. (Citation: SANS Windshift August 2018) |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Windshift has used fake personas on social media to engage and target victims. (Citation: SANS Windshift August 2018) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools. (Citation: BlackBerry Bahamut) |
| Enterprise | T1204.001 | User Execution: Malicious Link | Windshift has used links embedded in e-mails to lure victims into executing malicious code. (Citation: SANS Windshift August 2018) |
| Enterprise | T1204.002 | User Execution: Malicious File | Windshift has used e-mail attachments to lure victims into executing malicious code. (Citation: SANS Windshift August 2018) |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0466 | WindTail | (Citation: objective-see windtail1 dec 2018) (Citation: objective-see windtail2 jan 2019) (Citation: SANS Windshift August 2018) | Invalid Code Signature, Native API, File and Directory Discovery, Obfuscated Files or Information, Web Protocols, Unix Shell, Automated Collection, Masquerading, Archive via Utility, Deobfuscate/Decode Files or Information, File Deletion, Exfiltration Over Unencrypted Non-C2 Protocol, Hidden Window, System Time Discovery |
References
- Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage: Analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
- Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage: Analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.