TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Smuggler’s Gambit | Huntress

2024-05-23

ATT&CK techniques detected

15 predictions
T1583.001 Domains
96%
"? hxxps://rnsnno.szyby[.]pro/ hxxps://rnsnno.kycmaxcapital[.]pro/ hxxps://rnsnno.2398-ns[.]pro/ All three of these URLs use the same subdomain and the same top-level domain, but different domain names. Additional research unveiled that the three dom…"
T1566.002 Spearphishing Link
91%
"We can confidently rule out Evilginx, however, due to the differences in the lure pattern, URL parameter pattern, and existence of keyed payload HTML files. It is possible that this is one of the newer phishing as a service frameworks, but more research is needed to draw a conclu…"
T1557 Adversary-in-the-Middle
83%
"…ize that this infrastructure is presenting an iframe that transparently proxies login requests. Injecting an arbitrary user into the shady domain's URL parameters and seeing the resulting login page was enough to prove that this is a proxy, not a site clone. In other words, t…"
T1557 Adversary-in-the-Middle
64%
"/?eymmdgau&qrc=[base64 encoded email of the target] We were able to successfully coerce the suspicious infrastructure to produce a new login page specific to one of our testbed users by injecting the username into the ?qrc= URL parameter: now we're cooking on a convect…"
T1566.002 Spearphishing Link
59%
"Smuggler's Gambit | Huntress TL;DR Huntress uncovered the infrastructure of a mass phishing campaign including potentially novel tradecraft that combines HTML smuggling, injected iframes, and session theft via transparent proxy. This technique allows an attacker to steal cred…"
T1583.001 Domains
56%
"the shady stuff we catch when we are looking out for you? Feel free to start a trial with us! Appendix ATT&CK Indicators of Compromise Additional domains Note: these domains are not all confirmed to be malicious and many of them are legitimate services. These listed domains we…"
T1111 Multi-Factor Authentication Interception
55%
"…ize that this infrastructure is presenting an iframe that transparently proxies login requests. Injecting an arbitrary user into the shady domain's URL parameters and seeing the resulting login page was enough to prove that this is a proxy, not a site clone. In other words, t…"
T1556.006 Multi-Factor Authentication
54%
"…ize that this infrastructure is presenting an iframe that transparently proxies login requests. Injecting an arbitrary user into the shady domain's URL parameters and seeing the resulting login page was enough to prove that this is a proxy, not a site clone. In other words, t…"
T1566.001 Spearphishing Attachment
53%
"nothing special, besides using the Latin slashed o Unicode character in the two o's of the word "outlook": <html lang="en"><title>outløøk</title></html> - The block of base64 encoded text used in the second document.write() call, however, is paydirt from…"
T1027.006 HTML Smuggling
50%
"an HTML file. When the victim opens the HTML file on their endpoint, the HTML and JavaScript of the file serve an embedded payload to the user via their web browser. This payload is often encoded or encrypted and dynamically reassembled within the browser, then served to the user…"
T1189 Drive-by Compromise
39%
"Example landing page used for web app demonstration. More detective work by our fearless SOC leader Max Rogers and CTI analyst `tp5` uncovered several more interesting entities associated with one of the three identified suspicious domains (rnsnno.szyby[.]pro). By examini…"
T1556.006 Multi-Factor Authentication
38%
"stolen by the adversary in the middle. - This allows the attacker to log in as that user by injecting the stolen token into their own browser, bypassing the requirement for MFA and authenticating as the victim. TL;DR: this has the hallmarks of an MFA-bypass adversary in the …"
T1557.001 Name Resolution Poisoning and SMB Relay
36%
"…ize that this infrastructure is presenting an iframe that transparently proxies login requests. Injecting an arbitrary user into the shady domain's URL parameters and seeing the resulting login page was enough to prove that this is a proxy, not a site clone. In other words, t…"
T1555 Credentials from Password Stores
34%
"…htfplb[.]local login.live[.]com ooc-g2.tm-4.office[.]com outlook.ms-acdc.office[.]com outlook.office365[.]com part-0039.t-0009.t-msedge[.]net passwordreset.microsoftonline[.]com r3.i.lencr[.]org r4.res.office365[.]com rnsnno.…"
T1111 Multi-Factor Authentication Interception
33%
"sees the Outlook login portal that prompts them for their password. Interestingly, the username prompt has already been pre-filled with a targeted user's email address, so all they have to do is input their password. But the question remains: how is this weaponizable? Closer…"

Summary

Blowing the lid off of interesting adversary-in-the-middle tradecraft observed in the Huntress partner identities.