Imminent Monitor

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

TA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload.

When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload... Proofpoint has also observed this actor leverage attachments in emails. For example, the threat actor may send compressed executables such as RAR attachments with an embedded executable containing URL to CDNs hosting the malware payload.

In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file.

TA2541 has also established persistence by creating scheduled tasks... In recent campaigns, vjw0rm and STRRAT also leveraged task creation... Scheduled Task: schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp

APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.

If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub. The threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.

In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file.

"Native API" (listed under AsyncRAT, Imminent Monitor, NETWIRE, njRAT, WarzoneRAT)

TA2541 has also established persistence by creating scheduled tasks... In recent campaigns, vjw0rm and STRRAT also leveraged task creation... Scheduled Task: schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp

TA2541 has also established persistence by creating scheduled tasks and adding entries in the registry... Registry: Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost Data: C:\Users[User]\AppData\Roaming\server\server.exe

TA2541 has also established persistence by creating scheduled tasks... In recent campaigns, vjw0rm and STRRAT also leveraged task creation... Scheduled Task: schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp

TA2541 has also established persistence by creating scheduled tasks and adding entries in the registry... Registry: Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost Data: C:\Users[User]\AppData\Roaming\server\server.exe

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

"Input Capture: Keylogging" (listed under Agent Tesla, AsyncRAT, Imminent Monitor, jRAT, NETWIRE, njRAT, Revenge RAT, WarzoneRAT)

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

"File and Directory Discovery" (listed under Imminent Monitor, jRAT, NETWIRE, njRAT, WarzoneRAT)

gh0st RAT is able to open a remote shell to execute commands. Imminent Monitor has a CommandPromptPacket... for creating a remote shell... Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.

"Input Capture: Keylogging" (listed under Agent Tesla, AsyncRAT, Imminent Monitor, jRAT, NETWIRE, njRAT, Revenge RAT, WarzoneRAT)

"Audio Capture" (listed under Imminent Monitor, jRAT, Revenge RAT)

Agent Tesla can access the victim’s webcam and record video. AsyncRAT can record screen content on targeted systems. Bandook has modules that are capable of capturing video from a victim's webcam. ... ZxShell has a command to perform video device spying.

TA2541 uses Virtual Private Servers as part of their email sending infrastructure and frequently uses Dynamic DNS (DDNS) for C2 infrastructure.

If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub.

Bonadan can create bind and reverse shells on the infected system. gh0st RAT is able to open a remote shell to execute commands. Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

"Resource Hijacking: Compute Hijacking" (listed under Imminent Monitor)

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.

"Impair Defenses: Disable or Modify Tools" (listed under Agent Tesla, Imminent Monitor, WarzoneRAT)