Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk.
MALWARE FAMILIES:
SMOKEDHAM, Cobalt Strike, Ngrok – S0508
ATT&CK IDS:
T1003 – OS Credential Dumping, T1012 – Query Registry, T1027 – Obfuscated Files or Information, T1033 – System Owner/User Discovery, T1078 – Valid Accounts, T1082 – System Information Discovery, T1098 – Account Manipulation, T1102 – Web Service, T1105 – Ingress Tool Transfer, T1112 – Modify Registry, T1113 – Screen Capture, T1136 – Create Account, T1140 – Deobfuscate/Decode Files or Information, T1189 – Drive-by Compromise, T1195 – Supply Chain Compromise, T1204 – User Execution, T1219 – Remote Access Software, T1486 – Data Encrypted for Impact, T1531 – Account Access Removal, T1560 – Archive Collected Data, T1566 – Phishing, T1572 – Protocol Tunneling, T1021.004 – SSH, T1021.005 – VNC, T1053.005 – Scheduled Task, T1553.002 – Code Signing, T1056.001 – Keylogging, T1059.001 – PowerShell, T1059.005 – Visual Basic, T1070.006 – Timestomp, T1071.001 – Web Protocols, T1090.004 – Domain Fronting, T1218.005 – Mshta, T1547.001 – Registry Run Keys / Startup Folder, T1562.004 – Disable or Modify System Firewall, T1573.002 – Asymmetric Cryptography, T1588.003 – Code Signing Certificates, T1588.004 – Digital Certificates, T1608.003 – Install Digital Certificate, T1195.002 – Compromise Software Supply Chain, T1003.001 – LSASS Memory, T1547.004 – Winlogon Helper DLL, T1547.009 – Shortcut Modification