Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

ID: G0059
Associated Groups: TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
Contributors: Anastasios Pingios; Bryan Lee; Daniyal Naeem, BT Security
Version: 6.1
Created: 16 January 2018
Last Modified: 10 July 2024

Associated Group Descriptions

Name Description
TA453

[6][5][7]

COBALT ILLUSION

[4]

Charming Kitten

[8][9][10][2][6][7]

ITG18

[11]

Phosphorus

[12][13][14][3][6][7]

Newscaster

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[15][1]

APT35

[1][3][7]

Mint Sandstorm

[16]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Magic Hound has used a tool to run cmd /c wmic computersystem get domain for discovery.[17]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j and ProxyShell vulnerabilities; CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in on-premises MS Exchange Servers; and CVE-2018-13379 in Fortinet FortiOS SSL VPNs.[7][18]

Enterprise T1005 Data from Local System

Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.[17][19]

Enterprise T1090 Proxy

Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic.[19]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.[19]

.005 Masquerading: Match Legitimate Name or Location

Magic Hound has used dllhost.exe to mask Fast Reverse Proxy (FRP) and MicrosoftOutLookUpdater.exe for Plink.[17][19][18]

.010 Masquerading: Masquerade Account Name

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[17][18]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.[3][2][6][5][20][18]

Enterprise T1112 Modify Registry

Magic Hound has modified Registry settings for security tools.[17]

Enterprise T1136 .001 Create Account: Local Account

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[17][18]

Enterprise T1190 Exploit Public-Facing Application

Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and FortiOS SSL VPNs (CVE-2018-13379).[7][17][21][19][18][22]

Enterprise T1573 Encrypted Channel

Magic Hound has used an encrypted HTTP proxy in C2 communications.[19]

Enterprise T1572 Protocol Tunneling

Magic Hound has used Plink to tunnel RDP over SSH.[19]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Magic Hound malware has used Registry Run keys to establish persistence.[15][19][18]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Magic Hound has used PowerShell for execution and privilege escalation.[15][1][17][19][18]

.003 Command and Scripting Interpreter: Windows Command Shell

Magic Hound has used the command-line interface for code execution.[15][17][19]

.005 Command and Scripting Interpreter: Visual Basic

Magic Hound malware has used VBS scripts for execution.[15]

Enterprise T1482 Domain Trust Discovery

Magic Hound has used a web shell to execute nltest /trusted_domains to identify trust relationships.[19]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Magic Hound has used compromised domains to host links targeted to specific phishing victims.[2][5][3][20]

Enterprise T1562 Impair Defenses

Magic Hound has disabled LSA protection on compromised hosts using reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f.[17]

.001 Disable or Modify Tools

Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.[17]

.002 Disable Windows Event Logging

Magic Hound has executed scripts to disable the event log service.[19]

.004 Disable or Modify System Firewall

Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic: netsh advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389.[17][19]

Enterprise T1113 Screen Capture

Magic Hound malware can take a screenshot and upload the file to its C2 server.[15]

Enterprise T1071 Application Layer Protocol

Magic Hound malware has used IRC for C2.[15][19]

.001 Web Protocols

Magic Hound has used HTTP for C2.[15][17][19]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them, through messages and voice communications, to open malicious links.[2]

.002 Establish Accounts: Email Accounts

Magic Hound has established email accounts using fake personas for spearphishing operations.[11][6]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.[1][17][19]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.[1][17][19][18]

Enterprise T1592 .002 Gather Victim Host Information: Software

Magic Hound has captured the user-agent strings from visitors to their phishing sites.[20]

Enterprise T1591 .001 Gather Victim Org Information: Determine Physical Locations

Magic Hound has collected location information from visitors to their phishing sites.[20]

Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

Magic Hound has captured the IP addresses of visitors to their phishing sites.[20]

Enterprise T1589 Gather Victim Identity Information

Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.[5]

.001 Credentials

Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites. Magic Hound has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel.[11][18]

.002 Email Addresses

Magic Hound has identified high-value email accounts in academia, journalism, NGOs, foreign policy, and national security for targeting.[5][20]

Enterprise T1486 Data Encrypted for Impact

Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations.[19][18]

Enterprise T1083 File and Directory Discovery

Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[15]

Enterprise T1078 .001 Valid Accounts: Default Accounts

Magic Hound enabled and used the default system managed account, DefaultAccount, via powershell.exe /c net user DefaultAccount /active:yes to connect to a targeted Exchange server over RDP.[19]

.002 Valid Accounts: Domain Accounts

Magic Hound has used domain administrator accounts after dumping LSASS process memory.[19]

Enterprise T1505 .003 Server Software Component: Web Shell

Magic Hound has used multiple web shells to gain execution.[17][19]

Enterprise T1570 Lateral Tool Transfer

Magic Hound has copied tools within a compromised network using RDP.[19]

Enterprise T1189 Drive-by Compromise

Magic Hound has conducted watering-hole attacks through media and magazine websites.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Magic Hound has used base64-encoded commands.[15][18]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.[15][18]

Enterprise T1204 .001 User Execution: Malicious Link

Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[2][3]

.002 User Execution: Malicious File

Magic Hound has attempted to lure victims into opening malicious email attachments.[2]

Enterprise T1114 Email Collection

Magic Hound has compromised email credentials in order to steal sensitive data.[3]

.001 Local Email Collection

Magic Hound has collected .PST archives.[1]

.002 Remote Email Collection

Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet New-MailboxExportRequest.[17][19]

Enterprise T1070 .003 Indicator Removal: Clear Command History

Magic Hound has removed mailbox export requests from compromised Exchange servers.[17]

.004 Indicator Removal: File Deletion

Magic Hound has deleted and overwritten files to cover tracks.[15][1][19]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.[17]

Enterprise T1082 System Information Discovery

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[15][17][19]

Enterprise T1033 System Owner/User Discovery

Magic Hound malware has obtained the victim username and sent it to the C2 server.[15][17][19]

Enterprise T1049 System Network Connections Discovery

Magic Hound has used quser.exe to identify existing RDP connections.[17]
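Most of the hands-on-keyboard activity in the entries above is visible as plain command lines: wmic computersystem get domain and nltest /trusted_domains run from a web shell, the reg add that clears RunAsPPL, the comsvcs.dll MiniDump via rundll32, the netsh rule opening 3389, net user DefaultAccount /active:yes, quser, and New-MailboxExportRequest. The following Python is an added example for hunting those strings in process-creation telemetry; it is not MITRE's or the group's code. The event records are constructed, the field names (Computer, User, Image, ParentImage, CommandLine) are an assumption about the collector's schema, and Remove-MailboxExportRequest is the cmdlet assumed for the "removed mailbox export requests" step, which the page describes without naming one.

```python
"""Hunt the command lines quoted on this page in process-creation telemetry.

Added example, not MITRE's or the group's code. EVENTS is constructed to look
like Windows 4688 / Sysmon Event ID 1 records; the field names (Computer, User,
Image, ParentImage, CommandLine) are an assumption about the collector schema.
Remove-MailboxExportRequest is the cmdlet assumed for the "removed mailbox
export requests" step, which the page describes without naming a cmdlet.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, pattern applied to the full command line)
RULES = [
    ("LSA protection disabled (RunAsPPL set to 0)", "T1562",
     re.compile(r"\breg(\.exe)?\s+add\s+\S*\\Control\\LSA\s.*?/v\s+RunAsPPL\b.*?/d\s+0(\s|$)", re.I)),
    ("Inbound firewall rule opening RDP 3389", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b"
                r".*\baction=allow\b.*\blocalport=3389\b", re.I)),
    ("LSASS dump via comsvcs.dll MiniDump", "T1003.001 / T1218.011",
     re.compile(r"\brundll32(\.exe)?\s.*comsvcs\.dll\s*,?\s*#?MiniDump\b", re.I)),
    ("DefaultAccount enabled", "T1078.001",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+DefaultAccount\s+/active:yes\b", re.I)),
    ("Mailbox export request created", "T1114.002",
     re.compile(r"\bNew-MailboxExportRequest\b", re.I)),
    ("Mailbox export request removed (assumed cmdlet)", "T1070",
     re.compile(r"\bRemove-MailboxExportRequest\b", re.I)),
    ("Domain trust enumeration", "T1482",
     re.compile(r"\bnltest(\.exe)?\s+/trusted_domains\b", re.I)),
    ("WMI domain discovery", "T1047",
     re.compile(r"\bwmic(\.exe)?\s+computersystem\s+get\s+domain\b", re.I)),
    ("RDP session enumeration", "T1049",
     re.compile(r"\bquser(\.exe)?\b", re.I)),
]
WEB_WORKERS = {"w3wp.exe"}                       # IIS worker process that hosts Exchange/OWA
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _ev(host, user, image, parent, cmd):
    return {"Computer": host, "User": user, "Image": image, "ParentImage": parent, "CommandLine": cmd}

EVENTS = [  # constructed sample telemetry: one intrusion chain on EXCH01, benign admin work on WS-042
    _ev("EXCH01", "IIS APPPOOL\\DefaultAppPool", "cmd.exe", "w3wp.exe", "cmd /c wmic computersystem get domain"),
    _ev("EXCH01", "IIS APPPOOL\\DefaultAppPool", "cmd.exe", "w3wp.exe", "cmd.exe /c nltest /trusted_domains"),
    _ev("EXCH01", "NT AUTHORITY\\SYSTEM", "reg.exe", "cmd.exe",
        r"reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f"),
    _ev("EXCH01", "NT AUTHORITY\\SYSTEM", "rundll32.exe", "cmd.exe",
        r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 716 C:\Windows\Temp\l.dmp full"),
    _ev("EXCH01", "NT AUTHORITY\\SYSTEM", "netsh.exe", "cmd.exe",
        'netsh advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389'),
    _ev("EXCH01", "NT AUTHORITY\\SYSTEM", "powershell.exe", "cmd.exe", "powershell.exe /c net user DefaultAccount /active:yes"),
    _ev("EXCH01", "CORP\\exchadmin", "quser.exe", "cmd.exe", "quser.exe"),
    _ev("EXCH01", "CORP\\exchadmin", "powershell.exe", "explorer.exe",
        'powershell.exe -c "New-MailboxExportRequest -Mailbox jdoe -FilePath \\\\EXCH01\\c$\\temp\\jdoe.pst"'),
    _ev("WS-042", "CORP\\it-ops", "reg.exe", "cmd.exe",
        r"reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 1 /f"),  # hardening, not evasion
    _ev("WS-042", "CORP\\it-ops", "netsh.exe", "cmd.exe",
        'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=443'),
    _ev("WS-042", "CORP\\jsmith", "ping.exe", "cmd.exe", "ping -n 1 fileserver01"),
]

def hunt(events):
    """One hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev.get("CommandLine", "")):
                hits.append({"host": ev["Computer"], "user": ev["User"], "rule": name,
                             "technique": technique, "cmd": ev["CommandLine"]})
    return hits

def webshell_children(events):
    """Shells spawned by the IIS worker: the execution path of a web shell (T1505.003)."""
    return [ev for ev in events
            if ev.get("ParentImage", "").lower() in WEB_WORKERS and ev.get("Image", "").lower() in SHELLS]

def suspicious_hosts(hits, min_techniques=2):
    """Hosts where several distinct techniques fire. Any one rule is noisy (admins do set
    RunAsPPL and open ports); the combination is the chain described on this page."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return {host for host, techs in per_host.items() if len(techs) >= min_techniques}

if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h['host']:8} {h['technique']:24} {h['rule']}")
    print("web shell children:", len(webshell_children(EVENTS)))
    print("hosts to triage:", sorted(suspicious_hosts(hunt(EVENTS))))
```

The RunAsPPL rule deliberately matches only a write of 0 so that an administrator enabling LSA protection (/d 1) does not fire it, and the firewall rule keys on localport=3389 rather than on netsh itself. Treat the web-shell child-process check as the highest-fidelity signal: cmd.exe or powershell.exe under w3wp.exe on an Exchange server has almost no benign explanation.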

Enterprise T1016 System Network Configuration Discovery

Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[15][17][19]

.001 Internet Connection Discovery

Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.[19]

.002 Wi-Fi Discovery

Magic Hound has collected names and passwords of all Wi-Fi networks to which a device has previously connected.[7]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[15]

Enterprise T1046 Network Service Discovery

Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.[19]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.[3]
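The two fraudulent domains quoted above show two registration patterns: a brand name glued to an affix with a hyphen (mail-newyorker.com) and a legitimate domain written out as the left-most labels of an attacker-controlled one (news12.com.recover-session-service.site). The Python below, an added example that is not MITRE's code, classifies candidate hostnames against a brand watch list for both patterns and adds a single-edit typosquat check, which goes beyond what the page lists. The brand list and sample hostnames are constructed, and the "last two labels" approximation of the registrable domain is an assumption; production use needs the Public Suffix List.

```python
"""Classify candidate hostnames against a brand watch list.

Added example, not MITRE's code. BRANDS and the sample hosts are constructed.
registrable() approximates eTLD+1 as the last two labels, which is an
assumption that breaks on co.uk-style suffixes; use the Public Suffix List
in production.
"""

BRANDS = {"newyorker.com", "news12.com"}  # constructed watch list


def labels(host):
    return host.lower().rstrip(".").split(".")


def registrable(host):
    # Naive eTLD+1 (assumption, see module docstring).
    return ".".join(labels(host)[-2:])


def levenshtein(a, b):
    """Edit distance, used for the one-character typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, brands=BRANDS):
    """Return (verdict, matched_brand)."""
    ls = labels(host)
    reg = registrable(host)
    if reg in brands:
        return "legitimate", reg
    for brand in sorted(brands):
        bl = brand.split(".")
        # Brand written out as a subdomain of an attacker-controlled registrable
        # domain, e.g. news12.com.recover-session-service.site
        for i in range(len(ls) - len(bl) + 1):
            if ls[i:i + len(bl)] == bl:
                return "brand-as-subdomain", brand
        sld, bsld = reg.split(".")[0], bl[0]
        # Brand glued to an affix with a hyphen, e.g. mail-newyorker.com
        if bsld != sld and bsld in sld.split("-"):
            return "brand-with-affix", brand
        # Single-character edit of the brand's second-level label (beyond the page's examples)
        if levenshtein(sld, bsld) == 1:
            return "typosquat", brand
    return "no-match", None


def triage(hosts, brands=BRANDS):
    """Hosts worth blocking or investigating, with the reason and the brand they imitate."""
    out = []
    for h in hosts:
        verdict, brand = classify(h, brands)
        if verdict not in ("legitimate", "no-match"):
            out.append((h, verdict, brand))
    return out


if __name__ == "__main__":
    SAMPLE = ["mail-newyorker.com", "news12.com.recover-session-service.site",
              "www.newyorker.com", "newyorkr.com", "example.org"]  # constructed
    for h, verdict, brand in triage(SAMPLE):
        print(f"{h:45} {verdict:20} imitates {brand}")
```

The brand-as-subdomain check is the one that matters for the second domain on the page: a user reading the left end of news12.com.recover-session-service.site sees the real site, while the registrable part (recover-session-service.site) is what the attacker owns and what should be blocked or sinkholed.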

.006 Acquire Infrastructure: Web Services

Magic Hound has acquired Amazon S3 buckets to use in C2.[7]

Enterprise T1588 .002 Obtain Capabilities: Tool

Magic Hound has obtained and used tools like Havij, sqlmap, Metasploit, Mimikatz, and Plink.[23][1][7][19][18]

Enterprise T1087 .003 Account Discovery: Email Account

Magic Hound has used PowerShell to discover email accounts.[17]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[11]

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[1]

.007 Account Manipulation: Additional Local or Domain Groups

Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.[17]

Enterprise T1105 Ingress Tool Transfer

Magic Hound has downloaded additional code and files from servers onto victims.[15][17][19][18]

Enterprise T1056 .001 Input Capture: Keylogging

Magic Hound malware is capable of keylogging.[15]

Enterprise T1057 Process Discovery

Magic Hound malware can list running processes.[15]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Magic Hound has used Remote Desktop Services to copy tools on targeted systems.[17][19]

Enterprise T1018 Remote System Discovery

Magic Hound has used Ping for discovery on targeted networks.[19]

Enterprise T1567 Exfiltration Over Web Service

Magic Hound has used the Telegram API sendMessage to relay data on compromised devices.[20]

Enterprise T1566 .002 Phishing: Spearphishing Link

Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.[24][2][3][18]

.003 Phishing: Spearphishing via Service

Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[25][12][2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[15]

Enterprise T1571 Non-Standard Port

Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[15][19]
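Two of the channels on this page are visible from the network side rather than the host: HTTP carried on TCP 4443 and 10151 (this entry) and the Telegram Bot API sendMessage method used to relay data (the T1567 entry above). The Python below is an added example, not MITRE's code, that runs both checks over proxy logs. The log lines are constructed in a simple "timestamp source method url status" layout, and the baseline port set is an assumption about what normal web traffic looks like in a given environment; adapt parse_line to the real proxy format.

```python
"""Proxy-log hunting for the C2 and exfiltration channels described above: HTTP on
TCP 4443/10151 (T1571) and the Telegram Bot API sendMessage method (T1567).

Added example, not MITRE's code. LOG is constructed in a simple
"timestamp src method url status" layout; adapt parse_line to your proxy's format.
"""
import re
from urllib.parse import urlsplit

BASELINE_PORTS = {80, 443, 8080, 8443}   # ports treated as normal web traffic (assumption)
REPORTED_PORTS = {4443, 10151}           # ports this page attributes to Magic Hound C2
TELEGRAM_SEND = re.compile(r"^/bot[^/]+/sendMessage$")  # Bot API path: /bot<token>/sendMessage

LOG = """\
2024-03-01T10:15:02Z 10.0.5.21 GET http://203.0.113.10:4443/index.php 200
2024-03-01T10:15:09Z 10.0.5.21 POST http://203.0.113.10:10151/upload 200
2024-03-01T10:16:30Z 10.0.5.21 POST https://api.telegram.org/bot123456:AAExampleToken/sendMessage 200
2024-03-01T10:17:00Z 10.0.7.8 GET https://www.example.com/ 200
2024-03-01T10:17:05Z 10.0.7.8 GET https://intranet.example:8443/portal 200
2024-03-01T10:18:11Z 10.0.9.3 CONNECT 198.51.100.7:9001 200
"""


def parse_line(line):
    ts, src, method, target, status = line.split()
    # CONNECT lines carry only host:port; give them a scheme so urlsplit parses them.
    url = urlsplit(target if "://" in target else "http://" + target)
    port = url.port or (443 if url.scheme == "https" else 80)
    return {"ts": ts, "src": src, "method": method, "host": url.hostname,
            "port": port, "path": url.path, "status": int(status)}


def analyze(log_text):
    """Return alerts: a port check on every request plus a path check on the Telegram API host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["port"] not in BASELINE_PORTS:
            alerts.append({"src": r["src"], "rule": "T1571 non-standard port",
                           "severity": "high" if r["port"] in REPORTED_PORTS else "medium",
                           "detail": f"{r['host']}:{r['port']}"})
        if r["host"] == "api.telegram.org" and TELEGRAM_SEND.match(r["path"]):
            # The bot token in the path is the attacker's credential; keep it out of
            # alert text that gets forwarded around, and preserve it in evidence instead.
            alerts.append({"src": r["src"], "rule": "T1567 Telegram sendMessage",
                           "severity": "high", "detail": "api.telegram.org/bot<redacted>/sendMessage"})
    return alerts


if __name__ == "__main__":
    for a in analyze(LOG):
        print(a["severity"], a["src"], a["rule"], a["detail"])
```

The port check is intentionally generic: the two ports named on the page are scored high, any other port outside the baseline is scored medium, so the rule keeps working when the operators move ports. The Telegram match is on the host plus the Bot API path shape, which is what survives token rotation.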

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Magic Hound has used scheduled tasks to establish persistence and execution.[17][19]

Software

ID Name References Techniques
S0674 CharmPower [7] Windows Management Instrumentation, Data from Local System, Modify Registry, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Screen Capture, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Query Registry, Indicator Removal: File Deletion, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Web Service: Dead Drop Resolver, Web Service, Software Discovery, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel
S0186 DownPaper [8] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Query Registry, System Information Discovery, System Owner/User Discovery
S1144 FRP [19] Proxy, Proxy: Multi-hop Proxy, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Command and Scripting Interpreter: JavaScript, Application Layer Protocol: Web Protocols, System Network Connections Discovery, Network Service Discovery, Non-Application Layer Protocol
S0357 Impacket [19] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0100 ipconfig [17][19] System Network Configuration Discovery
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [17][19] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0108 netsh [17] Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery
S0097 Ping [19] Remote System Discovery
S1012 PowerLess [21] Data from Local System, Encrypted Channel, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Archive Collected Data, Data Staged: Local Data Staging, Browser Information Discovery, Ingress Tool Transfer, Input Capture: Keylogging
S0029 PsExec [1] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0192 Pupy [15][1][24] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Use Alternate Authentication Material: Pass the Ticket, Create or Modify System Process: Systemd Service, Create Account: Domain Account, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSA Secrets, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Clear Windows Event Logs, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Virtualization/Sandbox Evasion: System Checks, Video Capture, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Exfiltration Over C2 Channel, Audio Capture
S0096 Systeminfo [19] System Information Discovery

References

  1. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  2. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
  3. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
  4. Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
  5. Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
  6. Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
  7. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  8. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  9. Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
  10. ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. Retrieved April 21, 2021.
  11. Wikoff, A. and Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
  12. Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
  13. Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
  14. US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.
  15. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  16. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  17. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  18. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  19. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  20. Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
  21. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  22. Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Retrieved December 7, 2023.
  23. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  24. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
  25. Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.