SMOKEDHAM

UNC2465 now uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor

sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

Multiple examples of using built-in commands for discovery, e.g., “ver >> %temp%\download” and “systeminfo >> %temp%\download”, and “cmd /c systeminfo …”.

Smokedham also supports the execution of arbitrary .NET commands

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

APT3 has been known to create or enable accounts, such as support_388945a0 . ... APT5 has created Local Administrator accounts to maintain access ... DarkGate creates a local user account, SafeMode, via net user commands.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Operation Wocao enabled Wdigest by changing the HKLM\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest registry value from 0 (disabled) to 1 (enabled); Wizard Spider modified WDigest UseLogonCredential to 1 to force credentials to be stored in clear text in memory.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Operation Wocao enabled Wdigest by changing the HKLM\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest registry value from 0 (disabled) to 1 (enabled); Wizard Spider modified WDigest UseLogonCredential to 1 to force credentials to be stored in clear text in memory.

Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation

Operation Wocao enabled Wdigest by changing the HKLM\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest registry value from 0 (disabled) to 1 (enabled); Wizard Spider modified WDigest UseLogonCredential to 1 to force credentials to be stored in clear text in memory.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”

Aquatic Panda modified the victim registry to enable the RestrictedAdmin mode feature, allowing for pass the hash behaviors to function via RDP. SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP). SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.

Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation

Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

“APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads… EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads… Bumblebee has been downloaded… from OneDrive… Operation Spalax… used OneDrive and MediaFire to host payloads… Raspberry Robin… payloads… on Discord servers.”

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.