UPPERCUT

"the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor" / "Microsoft Word documents ... being attached to spear phishing emails"

While Trend Micro reported Windows Management Instrumentation (WMI) and explorer.exe as the execution proxy pair for ANEL, we unearthed another pair: WMI and wlrmdr.exe (Windows logon reminder).

The LNK file runs cmd.exe with a set of PowerShell commands to drop additional files...

The LNK file runs cmd.exe with a set of PowerShell commands to drop additional files...

"Microsoft Word documents containing a malicious VBA macro"

"Once the password (delivered in the body of the email) is entered, the users are presented with a document that will request users to enable the malicious macro"

MirrorFace relied on the target to run a malicious LNK file that deploys ANEL.

MirrorFace side-loads ANEL by dropping a malicious library and a legitimate executable (e.g., ScnCfg32.Exe )

During Operation AkaiRyū, MirrorFace loaded malicious Word templates containing VBA code leading to installation of UPPERCUT.

ANEL uses one of the startup directories for persistence.

ANEL uses one of the startup directories for persistence.

MirrorFace used a so-called double file extension, .docx.lnk , to deceive its target.

HiddenFace reads external modules from an AES-encrypted file.

MirrorFace used wlrmdr.exe as an execution proxy to run ANEL.

"An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload." / "menuPass has used certutil in a macro to decode base64-encoded content..." / "OilRig ... used certutil to decode base64-encoded files on victims."

MirrorFace used Word template injection to run malicious VBA code.

MirrorFace side-loads ANEL by dropping a malicious library and a legitimate executable (e.g., ScnCfg32.Exe )

MirrorFace has abused a known Microsoft digital signature verification issues to append encrypted data to digital signatures that still appear to be validly signed. During Operation AkaiRyū, MirrorFace abused a signed McAfee executable to load UPPERCUT.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").

ANEL supports basic commands for file manipulation, payload execution, and taking a screenshot.

Examples include: "ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header," "UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers," and "GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2."

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

ANEL uses base64 to encode data sent to the C&C server.

HiddenFace communicates with its C&C server over an encrypted channel.

"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.