EVILNUM

“The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files…”; “The messages purported to be related to financial trading platform registration…”

“attempting to deliver multiple OneDrive URLs that contained either an ISO or .LNK attachment.”

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

“executing PowerShell via cmd.exe… downloads two different payloads…”; “PowerShell script loads C# code dynamically…”; “executes another PowerShell command… -windowstyle hidden”

“The initial stage LNK loader is responsible for executing PowerShell via cmd.exe…”

APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... RogueRobin uses regsvr32.exe to run a .sct file for execution.

“leveraging wscript to load the EvilNum payload, and a JavaScript payload that was ultimately installed on the user's host.”

“used financial lures to get the recipient to launch the EvilNum payload.”

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.

APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.

“decrypt a PNG… restart the infection chain”; “payload contains two encrypted blobs… decrypted to an executable… and …TMP… decrypts … to load … shellcode … final decrypted and decompressed PE file.”

“leveraging wscript to load the EvilNum payload…”

AppleSeed can call regsvr32.exe for execution. APT19 used Regsvr32 to bypass application control techniques. APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.

“These messages used a remote template document… attempting to communicate with domains to install several LNK loader components…”; “delivered Microsoft Word documents to attempt to download a remote template.”

“executed depending on what antivirus software – either Avast, AVG, or Windows Defender – is found on the host… execution chain will change to best evade detection…”

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

"APT42 has used custom malware to steal login and cookie data from common browsers." / "...extracts the web session cookie and sends it to the C2 server." / "...stole Chrome browser cookies by copying the Chrome profile directories of targeted users."

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“executed depending on what antivirus software – either Avast, AVG, or Windows Defender – is found on the host… execution chain will change to best evade detection…”

“sends screenshots to a command-and-control server (C2).”

“downloads two different payloads from the initial host (e.g. infntio[.]com).”

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.