CURIUM

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.(Citation: Symantec Tortoiseshell 2019) CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
ID: G1012
Associated Groups: Crimson Sandstorm, Tortoise Shell, TA456, Yellow Liderc
Created: 13 Jan 2023
Last Modified: 02 Oct 2024

Associated Group Descriptions

Name Description
Crimson Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
Tortoise Shell (Citation: Microsoft Threat Actor Naming July 2023)
TA456 (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA456 Defense Contractor July 2021)
Yellow Liderc (Citation: PWC Yellow Liderc 2023)

Techniques Used

Domain ID Name Use
Enterprise T1583.001 Acquire Infrastructure: Domains

CURIUM created domains to facilitate strategic website compromise and credential capture activities.(Citation: PWC Yellow Liderc 2023)

Enterprise T1583.003 Acquire Infrastructure: Virtual Private Server

CURIUM created virtual private server instances to facilitate use of malicious domains and other items.(Citation: PWC Yellow Liderc 2023)

Enterprise T1583.004 Acquire Infrastructure: Server

CURIUM has created dedicated servers for command and control and exfiltration purposes.(Citation: PWC Yellow Liderc 2023)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.(Citation: Symantec Tortoiseshell 2019)

Enterprise T1584.006 Compromise Infrastructure: Web Services

CURIUM has compromised legitimate websites to enable strategic website compromise attacks.(Citation: PWC Yellow Liderc 2023)

Enterprise T1585.001 Establish Accounts: Social Media Accounts

CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Enterprise T1585.002 Establish Accounts: Email Accounts

CURIUM has created dedicated email accounts for use with tools such as IMAPLoader.(Citation: PWC Yellow Liderc 2023)

Enterprise T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

CURIUM has used SMTPS to exfiltrate collected data from victims.(Citation: PWC Yellow Liderc 2023)
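The two mail-protocol behaviours above, dedicated email accounts driving tools such as IMAPLoader (T1585.002) and bulk exfiltration over SMTPS (T1048.002), share one network-level tell: a workstation that is not part of the mail architecture opening SMTPS, submission or IMAPS sessions straight to the Internet. The detection below is an added example, not code from the ATT&CK page or from any CURIUM tooling; the log format is modelled on Zeek conn.log JSON, and the sample records, host names, allowlists and byte threshold are constructed assumptions.

```python
import json
from collections import defaultdict

# Ports such tooling needs: SMTPS / submission for exfiltration (T1048.002),
# IMAPS for mailbox-based tasking (the page names IMAPLoader, T1585.002).
MAIL_PORTS = {465: "smtps", 587: "submission", 993: "imaps"}

# Hypothetical corporate mail infrastructure (assumption, not from the page).
MAIL_HOSTS = {"10.0.0.25", "10.0.0.26"}   # hosts allowed to speak mail protocols outbound
APPROVED_RELAYS = {"10.0.0.25"}           # destinations workstations may submit mail to
BULK_THRESHOLD = 1_000_000                # bytes sent per (src, dst) before we call it bulk

# Constructed Zeek conn.log-style JSON lines; external IPs are documentation ranges.
SAMPLE_CONN_LOG = """\
{"ts":1700000001.1,"id.orig_h":"10.0.1.15","id.resp_h":"10.0.0.25","id.resp_p":587,"proto":"tcp","orig_bytes":12000}
{"ts":1700000002.4,"id.orig_h":"10.0.1.15","id.resp_h":"203.0.113.7","id.resp_p":465,"proto":"tcp","orig_bytes":850000}
{"ts":1700000040.9,"id.orig_h":"10.0.1.15","id.resp_h":"203.0.113.7","id.resp_p":465,"proto":"tcp","orig_bytes":600000}
{"ts":1700000050.0,"id.orig_h":"10.0.0.25","id.resp_h":"198.51.100.9","id.resp_p":465,"proto":"tcp","orig_bytes":40000}
{"ts":1700000061.3,"id.orig_h":"10.0.1.22","id.resp_h":"198.51.100.9","id.resp_p":993,"proto":"tcp","orig_bytes":3100}
{"ts":1700000070.7,"id.orig_h":"10.0.1.30","id.resp_h":"203.0.113.80","id.resp_p":443,"proto":"tcp","orig_bytes":9000}
"""


def parse_conn_log(text):
    """Parse JSON-lines conn records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_suspicious(records):
    """Return alerts for mail-protocol use that does not fit the mail architecture.

    Rule 1 (direct_mail_protocol): a non-mail host connects on a mail port to
        anything other than an approved relay, i.e. a workstation talking
        SMTPS/submission/IMAPS straight to the Internet.
    Rule 2 (bulk_smtps_upload): bytes sent over 465/587 from one source to one
        unapproved destination exceed BULK_THRESHOLD, the shape of an outbound
        mail channel being used to upload collected data.
    """
    alerts = []
    sent = defaultdict(int)
    for r in records:
        port = r.get("id.resp_p")
        if r.get("proto") != "tcp" or port not in MAIL_PORTS:
            continue
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if src not in MAIL_HOSTS and dst not in APPROVED_RELAYS:
            alerts.append({"rule": "direct_mail_protocol", "src": src, "dst": dst,
                           "service": MAIL_PORTS[port], "orig_bytes": r.get("orig_bytes", 0)})
        if port in (465, 587):
            sent[(src, dst)] += r.get("orig_bytes", 0)
    for (src, dst), total in sent.items():
        if total > BULK_THRESHOLD and dst not in APPROVED_RELAYS:
            alerts.append({"rule": "bulk_smtps_upload", "src": src, "dst": dst,
                           "service": "smtps", "orig_bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_conn_log(SAMPLE_CONN_LOG)):
        print(alert)
```

Rule 1 fires on the constructed records for 10.0.1.15 (two SMTPS sessions to 203.0.113.7) and 10.0.1.22 (an IMAPS session to 198.51.100.9, the kind of low-volume mailbox poll a mailbox-tasked implant produces), while the same workstation submitting through the approved relay and the mail host's own outbound SMTPS stay silent. Rule 2 then aggregates the two 10.0.1.15 sessions to 1.45 MB and raises the bulk-upload alert. In production, replace the static allowlists with the organisation's actual mail gateways and tune BULK_THRESHOLD to observed baselines; the point is that TLS hides the content but not the fact that a non-mail host is pushing data over a mail port.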

Enterprise T1566.001 Phishing: Spearphishing Attachment

CURIUM has used phishing with malicious attachments for initial access to victim environments.(Citation: PWC Yellow Liderc 2023)

Enterprise T1566.003 Phishing: Spearphishing via Service

CURIUM has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Enterprise T1598.003 Phishing for Information: Spearphishing Link

CURIUM used malicious links to adversary-controlled resources for credential harvesting.(Citation: PWC Yellow Liderc 2023)

Enterprise T1505.003 Server Software Component: Web Shell

CURIUM has been linked to web shells following likely server compromise as an initial access vector into victim networks.(Citation: Symantec Tortoiseshell 2019)

Enterprise T1608.004 Stage Capabilities: Drive-by Target

CURIUM used strategic website compromise to fingerprint visitors and then target victims.(Citation: PWC Yellow Liderc 2023)

Enterprise T1204.002 User Execution: Malicious File

CURIUM has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
