Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент STARWHALE
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
STARWHALE
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

STARWHALE

STARWHALE is Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)
ID: S1037
Associated Software: CANOPY
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 18 Aug 2022
Last Modified: 14 Oct 2022

Associated Software Descriptions
Name Description
CANOPY (Citation: DHS CISA AA22-055A MuddyWater February 2022)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM` registry key.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Mandiant UNC3313 Feb 2022)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

STARWHALE has the ability to execute commands via `cmd.exe`.(Citation: Mandiant UNC3313 Feb 2022)
.005 Command and Scripting Interpreter: Visual Basic

STARWHALE can use the VBScript function `GetRef` as part of its persistence mechanism.(Citation: Mandiant UNC3313 Feb 2022)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem"`.(Citation: Mandiant UNC3313 Feb 2022)
Enterprise T1132 .001 Data Encoding: Standard Encoding

STARWHALE has the ability to hex-encode collected data from an infected host.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Enterprise T1074 .001 Data Staged: Local Data Staging

STARWHALE has stored collected data in a file called `stari.txt`.(Citation: Mandiant UNC3313 Feb 2022)
Enterprise T1204 .002 User Execution: Malicious File

STARWHALE has relied on victims opening a malicious Excel file for execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Groups That Use This Software
ID Name References
G0069 MuddyWater

(Citation: DHS CISA AA22-055A MuddyWater February 2022)

References

  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  2. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.