Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Small Sieve
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Small Sieve
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Small Sieve

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022) Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.(Citation: Mandiant UNC3313 Feb 2022)
ID: S1035
Associated Software: GRAMDOOR
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 Aug 2022
Last Modified: 14 Oct 2022

Associated Software Descriptions
Name Description
GRAMDOOR (Citation: Mandiant UNC3313 Feb 2022)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Small Sieve has the ability to add itself to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift` for persistence.(Citation: NCSC GCHQ Small Sieve Jan 2022)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Small Sieve can use `cmd.exe` to execute commands on a victim's system.(Citation: NCSC GCHQ Small Sieve Jan 2022)
.006 Command and Scripting Interpreter: Python

Small Sieve can use Python scripts to execute commands.(Citation: NCSC GCHQ Small Sieve Jan 2022)

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.(Citation: NCSC GCHQ Small Sieve Jan 2022)
Enterprise T1102 .002 Web Service: Bidirectional Communication

Small Sieve has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.(Citation: NCSC GCHQ Small Sieve Jan 2022)

Groups That Use This Software
ID Name References
G0069 MuddyWater

(Citation: DHS CISA AA22-055A MuddyWater February 2022) (Citation: NCSC GCHQ Small Sieve Jan 2022)

References

  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  2. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  3. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.