PowerLess

"we have observed wide exploitation of ... recently Log4Shell... focusing around exploitation of VMware Horizon Log4j vulnerabilities."

“Initial access continued to rely on spear phishing — delivering macro-enabled documents or malicious links …” and “Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access …”

TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands... Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PS reverse shells.

Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PS reverse shells, executed via the Tomcat process.

“PowerShell and Cmd serve as the universal backbone for execution across nearly all groups”

TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

In recent years, Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access, often leading to execution via user execution (T1204) of malicious files

The backdoor drops an additional executable file to %ProgramData%\Installed Packages\InteropServices.exe and registers it as a service named “InteropServices”.

"ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration."; "Agent Tesla can encrypt data with 3DES..."; "APT32's backdoor has used...RC4 encryption before exfiltration."; "Epic encrypts collected data using a public key framework..."; "Some variants encrypt...with AES and encode it with base64..."; "Prikormka...encrypts it with Blowfish."; "VERMIN encrypts the collected files using 3-DES."; "Zebrocy...RC4...as well as AES...and hexadecimal for encoding"

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

The content references collection of credential material from local systems, including "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies," "GALLIUM collected ... password hashes from the SAM hive in the Registry," and "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."

Operation MidnightEclipse stole saved cookies and login data from targeted systems; IceApple can collect files, passwords, and other data from a compromised host; RedLine Stealer collected chat logs and files associated with chat services.

PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines. QakBot can use esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge.

APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

"AppleSeed has compressed collected data before exfiltration."; "APT28 used a publicly available tool to gather and compress multiple documents..."; "Aria-body has used ZIP to compress data..."; "Cadelspy...compress stolen data into a .cab file."; "Daserf hides collected data in password-protected .rar archives."; "FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."; "Lazarus Group has compressed exfiltrated data with RAR...archive specified directories in .zip format"; "XCSSET will compress entire ~/Desktop folders..."

Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP

Reverse Shell #1 uses WebClient UploadFile/DownloadString to "www.microsoft-updateserver[.]cf"; also notes webhook.site for output exfil.

In this example, the threat actor attempted to download ngrok to a compromised VMware Horizon server.

This domain was also used to host a zip file ... containing a custom backdoor ... The dropped executable contains an obfuscated version of the reverse shell as described above, beaconing to the same C2 server.

“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… MacMa has used TLS encryption… Magic Hound has used an encrypted http proxy in C2 communications… gh0st RAT has encrypted TCP communications…”

“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… Emotet has encrypted data before sending to the C2 server… gh0st RAT has encrypted TCP communications to evade detection… Gomir uses a custom encryption algorithm…”