UPSTYLE
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | UPSTYLE is a Python-based application.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)
Enterprise | T1001.001 | Data Obfuscation: Junk Data | UPSTYLE requests a non-existent webpage from the command and control server, then parses the resulting error logs to decode the commands intended for the web shell.(Citation: Volexity UPSTYLE 2024)
Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | UPSTYLE clears error logs after reading the embedded commands for execution.(Citation: Volexity UPSTYLE 2024)
Enterprise | T1070.004 | Indicator Removal: File Deletion | UPSTYLE removes `bootstrap.min.css` after parsing command and control instructions, restoring the file to its original state.(Citation: Volexity UPSTYLE 2024)
Enterprise | T1070.006 | Indicator Removal: Timestomp | UPSTYLE restores timestamps to their original values following modification.(Citation: Volexity UPSTYLE 2024)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | UPSTYLE stores its primary content as base64-encoded objects.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)
Enterprise | T1102.003 | Web Service: One-Way Communication | UPSTYLE parses encoded commands from error logs after attempting to retrieve a non-existent webpage from the command and control server.(Citation: Volexity UPSTYLE 2024)
References
- Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
- Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.