Silent Librarian
Associated Group Descriptions

Name | Description |
---|---|
TA407 | (Citation: Proofpoint TA407 September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |
COBALT DICKENS | (Citation: Secureworks COBALT DICKENS August 2018)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Proofpoint TA407 September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |

Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |
Enterprise | T1110.003 | Brute Force: Password Spraying | Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.(Citation: DOJ Iran Indictments March 2018) |
Enterprise | T1114.003 | Email Collection: Email Forwarding Rule | Silent Librarian has set up auto forwarding rules on compromised e-mail accounts.(Citation: DOJ Iran Indictments March 2018) |
Enterprise | T1585.002 | Establish Accounts: Email Accounts | Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.(Citation: DOJ Iran Indictments March 2018) |
Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.(Citation: DOJ Iran Indictments March 2018) |
Enterprise | T1589.003 | Gather Victim Identity Information: Employee Names | Silent Librarian has collected lists of names for individuals from targeted organizations.(Citation: DOJ Iran Indictments March 2018) |
Enterprise | T1588.002 | Obtain Capabilities: Tool | Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019) |
Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates | Silent Librarian has obtained free Let's Encrypt SSL certificates for use on their phishing pages.(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS September 2019) |
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page.(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |
Enterprise | T1608.005 | Stage Capabilities: Link Target | Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites.(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) |