WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[1][2]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 2.0
Created: 24 May 2019
Last Modified: 16 April 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | WIRTE has used HTTP for network communication.[1]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | WIRTE has used PowerShell for script execution.[1]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | WIRTE has used VBScript in its operations.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | WIRTE has used Base64 to decode malicious VBS script.[1]
Enterprise | T1105 | Ingress Tool Transfer | WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate.[2]
Enterprise | T1571 | Non-Standard Port | WIRTE has used HTTPS over ports 2083 and 2087 for C2.[2]
Enterprise | T1588.002 | Obtain Capabilities: Tool | WIRTE has obtained and used Empire for post-exploitation activities.[1]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.[2]
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | WIRTE has used regsvr32.exe to trigger the execution of a malicious script.[1]
Enterprise | T1204.002 | User Execution: Malicious File | WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.[2]

Software

ID | Name | References | Techniques
S0363 | Empire | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0679 | Ferocious | [2] | Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Event Triggered Execution: Component Object Model Hijacking, Indicator Removal: File Deletion, Modify Registry, Peripheral Device Discovery, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S0680 | LitePower | [2] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Exfiltration Over C2 Channel, Ingress Tool Transfer, Local Storage Discovery, Native API, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery

References

