STARWHALE
Associated Software Descriptions

| Name | Description |
|---|---|
| CANOPY | (Citation: DHS CISA AA22-055A MuddyWater February 2022) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | STARWHALE can establish persistence by installing itself in the Startup folder; the GO variant has instead created a `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM` registry value.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Mandiant UNC3313 Feb 2022) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | STARWHALE has the ability to execute commands via `cmd.exe`.(Citation: Mandiant UNC3313 Feb 2022) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | STARWHALE can use the VBScript function `GetRef` as part of its persistence mechanism.(Citation: Mandiant UNC3313 Feb 2022) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem"`.(Citation: Mandiant UNC3313 Feb 2022) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | STARWHALE has the ability to hex-encode data collected from an infected host before sending it.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | STARWHALE has stored collected data in a file called `stari.txt`.(Citation: Mandiant UNC3313 Feb 2022) |
| Enterprise | T1204.002 | User Execution: Malicious File | STARWHALE has relied on victims opening a malicious Excel file for execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
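The persistence artifacts in the table above (the `Windowscarpstss` service whose binpath runs `cscript.exe` on `w7_1.wsf`, the `OutlookM` Run value of the GO variant, and Startup-folder installation) are specific enough to hunt for directly, and the service and Run-key patterns generalise to any script-host persistence. The following is an added example, not code from the ATT&CK page or from the Mandiant and CISA reports it cites. It runs three small detection rules over constructed telemetry records; the record field names (`type`, `host`, `cmdline`, `key`, `data`, `path`), the hostnames, the benign decoy records and the Run-value data for `OutlookM` (which the page does not give) are all assumptions of this example.

```python
"""Hunt for the STARWHALE persistence artifacts listed on this page.

Added example, not code from the ATT&CK page or the reports it cites. The
records are constructed to resemble normalized endpoint telemetry (process
creation, registry value set, file creation); field names, hostnames, decoy
records and the OutlookM value data are assumptions of this example.
"""
import re

# Indicators quoted in the technique descriptions on this page.
KNOWN_SERVICE_NAME = "windowscarpstss"
KNOWN_SCRIPT_NAME = "w7_1.wsf"
KNOWN_RUN_VALUE = "outlookm"

# `sc create <name> ...`, with or without a full path to sc.exe.
SC_CREATE_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+create\s+(?P<name>\S+)(?P<rest>.*)$', re.IGNORECASE)
# binpath= may be quoted (as in the STARWHALE command) or a bare token.
BINPATH_RE = re.compile(r'binpath=\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)
# Run / RunOnce under HKCU, HKLM or a Sysmon-style HKU\<SID> prefix.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKU\\[^\\]+)"
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
# cscript/wscript run against a Windows Script file, as in the service binpath above.
SCRIPT_HOST_RE = re.compile(r"\b[cw]script(?:\.exe)?\b.*\.(?:wsf|vbs|vbe|js|jse)\b", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:wsf|vbs|vbe|js|jse|hta|bat|cmd)$", re.IGNORECASE)


def _finding(technique, ev, reasons):
    return {"technique": technique, "host": ev.get("host", "?"), "reasons": reasons, "event": ev}


def check_process(ev):
    """T1543.003: `sc create` whose binpath runs a script host, or the known STARWHALE service."""
    m = SC_CREATE_RE.match(ev.get("cmdline", ""))
    if not m:
        return None
    bp = BINPATH_RE.search(m.group("rest"))
    binpath = (bp.group("q") or bp.group("u") or "") if bp else ""
    reasons = []
    if m.group("name").lower() == KNOWN_SERVICE_NAME:
        reasons.append("service name Windowscarpstss matches STARWHALE")
    if KNOWN_SCRIPT_NAME in binpath.lower():
        reasons.append("binpath references w7_1.wsf")
    if SCRIPT_HOST_RE.search(binpath):
        reasons.append("binpath launches cscript/wscript on a script file")
    return _finding("T1543.003", ev, reasons) if reasons else None


def check_registry(ev):
    """T1547.001: Run value named like the GO variant's entry, or pointing at a script."""
    m = RUN_KEY_RE.match(ev.get("key", ""))
    if not m:
        return None
    data = ev.get("data", "")
    reasons = []
    if m.group("value").lower() == KNOWN_RUN_VALUE:
        reasons.append("Run value name OutlookM matches the STARWHALE GO variant")
    if SCRIPT_HOST_RE.search(data) or SCRIPT_EXT_RE.search(data.strip('"')):
        reasons.append("Run value launches a script host or script file")
    return _finding("T1547.001", ev, reasons) if reasons else None


def check_file(ev):
    """T1547.001: script written into a Startup folder."""
    path = ev.get("path", "")
    if STARTUP_DIR_RE.search(path) and SCRIPT_EXT_RE.search(path):
        return _finding("T1547.001", ev, ["script written to a Startup folder"])
    return None


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def scan(events):
    """Run the check matching each record's type; return all findings in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed records, not real telemetry. Backslashes are single, as in a
# captured command line; the page renders the same command with them doubled.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": r'sc create Windowscarpstss binpath= '
     r'"cmd.exe /c cscript.exe c:\windows\system32\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem"'},
    {"type": "registry", "host": "ws01", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM",
     "data": r"C:\Users\victim\AppData\Roaming\OutlookM.exe"},  # value data is assumed
    {"type": "process", "host": "ws02",  # benign decoy
     "cmdline": r'sc create Spooler binpath= "C:\Windows\System32\spoolsv.exe" start= auto'},
    {"type": "registry", "host": "ws02",  # benign decoy
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "file", "host": "ws03",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['host']}: {'; '.join(f['reasons'])}")
```

Against the sample records this reports the `Windowscarpstss` service (three reasons, since the name, the `w7_1.wsf` reference and the script-host binpath all match), the `OutlookM` Run value, and the `.vbs` in the Startup folder, while the Spooler service and the OneDrive Run value pass. The exact-name rules catch this sample; the script-host rules are the ones worth keeping, since a renamed service or Run value still has to launch `cscript`/`wscript` on a script file somewhere.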
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater | (Citation: DHS CISA AA22-055A MuddyWater February 2022) |
References
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.