Mustard Tempest

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)
ID: G1020
Associated Groups: UNC1543, GOLD PRELUDE, TA569, DEV-0206
Version: 1.0
Created: 06 Dec 2023
Last Modified: 25 Mar 2024

Associated Group Descriptions

Name Description
UNC1543 (Citation: Secureworks Gold Prelude Profile)
GOLD PRELUDE (Citation: Secureworks Gold Prelude Profile)
TA569 (Citation: Secureworks Gold Prelude Profile)
DEV-0206 (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

Mustard Tempest has acquired servers to host second-stage payloads that remain active for a period of either days, weeks, or months.(Citation: SentinelOne SocGholish Infrastructure November 2022)

Enterprise T1583 .008 Acquire Infrastructure: Malvertising

Mustard Tempest has posted false advertisements including for software packages and browser updates in order to distribute malware.(Citation: Microsoft Ransomware as a Service)

Enterprise T1584 .001 Compromise Infrastructure: Domains

Mustard Tempest operates a global network of compromised websites that redirect into a traffic distribution system (TDS) to select victims for a fake browser update page.(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: Red Canary SocGholish March 2024)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Mustard Tempest has used the filename `AutoUpdater.js` to mimic legitimate update files and has also used the Cyrillic homoglyph characters С `(0xd0a1)` and а `(0xd0b0)` to produce the filename `Сhrome.Updаte.zip`.(Citation: Red Canary SocGholish March 2024)(Citation: SocGholish-update)

Enterprise T1566 .002 Phishing: Spearphishing Link

Mustard Tempest has sent victims emails containing links to compromised websites.(Citation: SocGholish-update)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Mustard Tempest has hosted payloads on acquired second-stage servers for periods of either days, weeks, or months.(Citation: SentinelOne SocGholish Infrastructure November 2022)

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Mustard Tempest has injected malicious JavaScript into compromised websites to infect victims via drive-by download.(Citation: SocGholish-update)(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)

Enterprise T1608 .006 Stage Capabilities: SEO Poisoning

Mustard Tempest has poisoned search engine results to return fake software updates in order to distribute malware.(Citation: Microsoft Ransomware as a Service)(Citation: SocGholish-update)

Enterprise T1204 .001 User Execution: Malicious Link

Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.(Citation: Microsoft Ransomware as a Service)(Citation: SocGholish-update)

Software

ID Name References Techniques
S1124 SocGholish (Citation: FakeUpdates) (Citation: Microsoft Ransomware as a Service) (Citation: Red Canary SocGholish March 2024) (Citation: Secureworks Gold Prelude Profile) (Citation: SentinelOne SocGholish Infrastructure November 2022) (Citation: SocGholish-update) Windows Management Instrumentation, System Owner/User Discovery, Encrypted/Encoded File, JavaScript, Local Data Staging, Match Legitimate Resource Name or Location, Spearphishing Link, System Information Discovery, System Network Configuration Discovery, Domain Trust Discovery, Web Service, Process Discovery, System Location Discovery, Drive-by Compromise, Software Discovery, Ingress Tool Transfer, Malicious Link, Exfiltration Over Unencrypted Non-C2 Protocol, Compression
S0154 Cobalt Strike (Citation: Microsoft Ransomware as a Service) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing