Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Mustard Tempest

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)

ID: G1020

Associated Groups: DEV-0206, TA569, GOLD PRELUDE, UNC1543

Created: 06 Dec 2023

Last Modified: 25 Mar 2024

Name	Description
Associated Group Descriptions
DEV-0206	(Citation: Microsoft Threat Actor Naming July 2023)
TA569	(Citation: Secureworks Gold Prelude Profile)
GOLD PRELUDE	(Citation: Secureworks Gold Prelude Profile)
UNC1543	(Citation: Secureworks Gold Prelude Profile)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1583	.004	Acquire Infrastructure: Server	Mustard Tempest has acquired servers to host second-stage payloads that remain active for a period of either days, weeks, or months.(Citation: SentinelOne SocGholish Infrastructure November 2022)
		.008	Acquire Infrastructure: Malvertising	Mustard Tempest has posted false advertisements including for software packages and browser updates in order to distribute malware.(Citation: Microsoft Ransomware as a Service)
Enterprise	T1584	.001	Compromise Infrastructure: Domains	Mustard Tempest operates a global network of compromised websites that redirect into a traffic distribution system (TDS) to select victims for a fake browser update page.(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: Red Canary SocGholish March 2024)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Mustard Tempest has used the filename `AutoUpdater.js` to mimic legitimate update files and has also used the Cyrillic homoglyph characters С `(0xd0a1)` and а `(0xd0b0)`, to produce the filename `Сhrome.Updаte.zip`.(Citation: Red Canary SocGholish March 2024)(Citation: SocGholish-update)
Enterprise	T1566	.002	Phishing: Spearphishing Link	Mustard Tempest has sent victims emails containing links to compromised websites.(Citation: SocGholish-update)
Enterprise	T1608	.001	Stage Capabilities: Upload Malware	Mustard Tempest has hosted payloads on acquired second-stage servers for periods of either days, weeks, or months.(Citation: SentinelOne SocGholish Infrastructure November 2022)
		.004	Stage Capabilities: Drive-by Target	Mustard Tempest has injected malicious JavaScript into compromised websites to infect victims via drive-by download.(Citation: SocGholish-update)(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)
		.006	Stage Capabilities: SEO Poisoning	Mustard Tempest has poisoned search engine results to return fake software updates in order to distribute malware.(Citation: Microsoft Ransomware as a Service)(Citation: SocGholish-update)
Enterprise	T1204	.001	User Execution: Malicious Link	Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.(Citation: Microsoft Ransomware as a Service)(Citation: SocGholish-update)

ID	Name	References	Techniques
Software
S1124	SocGholish	(Citation: FakeUpdates) (Citation: Microsoft Ransomware as a Service) (Citation: Red Canary SocGholish March 2024) (Citation: Secureworks Gold Prelude Profile) (Citation: SentinelOne SocGholish Infrastructure November 2022) (Citation: SocGholish-update)	System Information Discovery, System Location Discovery, Windows Management Instrumentation, Ingress Tool Transfer, Encrypted/Encoded File, Domain Trust Discovery, JavaScript, Match Legitimate Name or Location, Spearphishing Link, System Owner/User Discovery, Drive-by Compromise, Malicious Link, Software Discovery, Process Discovery, Local Data Staging, Exfiltration Over Unencrypted Non-C2 Protocol, Web Service, System Network Configuration Discovery
S0154	Cobalt Strike	(Citation: cobaltstrike manual) (Citation: Microsoft Ransomware as a Service)	Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Mustard Tempest

Associated Group Descriptions

Techniques Used

Software

References