| Name | Description |
|---|---|
| Bahamut | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Windshift has used WMI to collect information about target machines.[4] |
| Enterprise | T1036 | Masquerading | Windshift has used icons mimicking MS Office files to mask malicious executables.[2] Windshift has also attempted to hide executables by changing the file extension to ".scr" to mimic Windows screensavers.[4] |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | Windshift has used revoked certificates to sign malware.[2][1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Windshift has created LNK files in the Startup folder to establish persistence.[4] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Windshift has used tools that communicate with C2 over HTTP.[4] |
| Enterprise | T1189 | Drive-by Compromise | Windshift has used compromised websites to register custom URL schemes on a remote system.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Windshift has used string encoding with floating point calculations.[4] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Windshift has used links embedded in e-mails to lure victims into executing malicious code.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Windshift has used e-mail attachments to lure victims into executing malicious code.[1] |
| Enterprise | T1082 | System Information Discovery | Windshift has used malware to identify the computer name of a compromised host.[4] |
| Enterprise | T1033 | System Owner/User Discovery | Windshift has used malware to identify the username on a compromised host.[4] |
| Enterprise | T1518 | Software Discovery | Windshift has used malware to identify installed software.[4] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | Windshift has used tools to deploy additional payloads to compromised hosts.[4] |
| Enterprise | T1057 | Process Discovery | Windshift has used malware to enumerate active processes.[4] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[1] |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Windshift has used fake personas on social media to engage and target victims.[1] |
| Mobile | T1429 | Audio Capture | Windshift has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4] |
| Mobile | T1533 | Data from Local System | Windshift has exfiltrated local account data and calendar information as part of Operation ROCK.[4] |
| Mobile | T1407 | Download New Code at Runtime | Windshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.[4] |
| Mobile | T1521.001 | Encrypted Channel: Symmetric Cryptography | Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.[4] |
| Mobile | T1627.001 | Execution Guardrails: Geofencing | Windshift has region-locked their malicious applications during their Operation BULL campaign.[4] |
| Mobile | T1420 | File and Directory Discovery | Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4] |
| Mobile | T1628.003 | Hide Artifacts: Conceal Multimedia Files | |
| Mobile | T1417.001 | Input Capture: Keylogging | Windshift has included keylogging capabilities as part of Operation ROCK.[4] |
| Mobile | T1430 | Location Tracking | Windshift has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4] |
| Mobile | T1406 | Obfuscated Files or Information | Windshift has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application's launcher icon file.[4] |
| Mobile | T1636.003 | Protected User Data: Contact List | Windshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.[4] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Windshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4] |
| Mobile | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification | Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.[4] |
| Mobile | T1426 | System Information Discovery | Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4] |
| Mobile | T1512 | Video Capture | Windshift has included video recording in the malicious apps deployed as part of Operation BULL.[4] |
| Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | Windshift has deployed anti-analysis capabilities during their Operation BULL campaign.[4] |

| ID | Name | References | Techniques |
|---|---|---|---|
| S0466 | WindTail | [1][2][3] | Masquerading: Invalid Code Signature, Masquerading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Time Discovery, Automated Collection, Hide Artifacts: Hidden Window |