“…\Windows\Microsoft.NET\Framework with the following filenames: sharedreg.dll, log.cached, netfxsbs9.hkf, UevAppMonitor.exe.config. These filenames have been chosen deliberately to blend in with existing files, since the directory normally contains files named shar…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1056.001 Keylogging
99%
“…-source keylogger DuckSharp, with the main differences being that it doesn’t send emails or translate logged keys into the Cyrillic alphabet. The malware initially checks whether a debugger is present via the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs; if not, it b…”
T1055.001 Dynamic-link Library Injection
99%
“name (see Figure 2). NosyDoor stage 2 – AppDomainManager injection. UevAppMonitor.exe is a legitimate C#/.NET application, which the malware copied from the C:\Windows\System32\ to the C:\Windows\Microsoft.NET\Framework directory and used as a living-off-th…”
T1053.005 Scheduled Task
97%
“API in the msi.dll case. NosyStealer stage 3 – loader. As mentioned in the NosyStealer stage 2 – injector section, this stage is shellcode containing an embedded PE file that is decrypted, loaded, and executed in memory using Donut’s reflective loader. The extracted binary is a…”
T1059.001 PowerShell
96%
“…234[.]29:8080 -psk "15kaf22n3b". This second set corresponds to execution of ReverseSocks5, where we observed PowerShell as the parent process. NosyDownloader was also executed during this time, indicating that the sample was probably deployed with it. Argument runner. Th…”
T1588.001 Malware
95%
“…Goblin are one and the same, as there is a definite difference in TTPs between the two groups. Notably, the Erudite Mogwai research does not mention the abuse of Active Directory Group Policy for malware deployment – a technique that is quite specific to LongNosedGoblin’s ope…”
T1217 Browser Information Discovery
95%
“…erHistory, as it, indeed, collects browser history. In the observed campaigns, the attackers used this tool to gain insight about the machines in the compromised infrastructure. Based on this information, they picked a small subset of specific victims to compromise further with…”
T1055.001 Dynamic-link Library Injection
89%
“…yDoor will process commands that are still pending in a queue and send response files regardless of what time it is. NosyStealer. NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. As illustrated in Figure 5, it has a four-stage chain of execution…”
T1056.001 Keylogging
85%
“named NosyDownloader, which executes a chain of obfuscated commands passed to a spawned PowerShell process as one long command-line argument, meaning that the script is not stored on disk. Every subsequent stage is encoded with base64, where the last one is additionally deflated…”
T1055.001 Dynamic-link Library Injection
83%
“following exports: ??0CV2DllNoInject@@QEAA@XZ, ??4CV2DllNoInject@@QEAAAEAV0@$$QEAV0@@Z, ??4CV2DllNoInject@@QEAAAEAV0@AEBV0@@Z, ?fnV2DllNoInject@@YAHXZ, ?nV2DllNoInject@@3HA. The next-stage data is loaded from the hardcoded path C:\ProgramDa…”
T1059.001 PowerShell
67%
“://www.googleapis.com/robot/v1/metadata/x509/dev0-660%40dev0-411506.iam.gserviceaccount.com", "universe_domain": "googleapis.com"}. Figure 7. NosyStealer configuration. NosyStealer also records errors and status messages to a Google Docs file named…”
T1056.001 Keylogging
60%
“one, but multiple machines from the same entity, with the malware having been deployed via Group Policy. Additional analysis revealed that the same victims were also afflicted with a different malicious tool distributed via Group Policy, this one used for collecting browser histo…”
T1217 Browser Information Discovery
55%
“web browser profiles. Table 1. Crafted history filenames by NosyHistorian. Both this tool and NosyDoor have similar PDB paths and were compiled from the E:\CSharp directory, with the NosyHistorian PDB path being: E:\CSharp\SharpMisc\GetBrowserHistory\obj\Debug\Get…”
T1071.001 Web Protocols
49%
“the compromised network. For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence…”
T1027 Obfuscated Files or Information
46%
“…> <payload.payloadappend> <payload.append>. The command is then decoded with base64 and decrypted via AES with key <payload.key> and initialization vector 0. All commands are described in Table 2. Although the command CMD_TYPE_TASKSCHEDULER is mentioned in the code, i…”
Summary
ESET researchers discovered a China-aligned APT group, LongNosedGoblin, which uses Group Policy to deploy cyberespionage tools across networks of governmental institutions