Spica

IRON FRONTIER is a Russian threat group that conducts targeted spearphishing against military and government organizations, journalists, and think tanks in Europe, the United States, and Russia's near abroad.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

"During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines" and "Spica can use an obfuscated PowerShell command to create a scheduled task for persistence."

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

"During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines" and "Spica can use an obfuscated PowerShell command to create a scheduled task for persistence."

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

"During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines" and "Spica can use an obfuscated PowerShell command to create a scheduled task for persistence."

Examples include "APT29 has used encoded PowerShell scripts...", "Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell", "During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file", and "Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender."

APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

"...used custom malware to steal login and cookie data from common browsers..."; "...extracts the web session cookie and sends it to the C2 server..."; "...stole Chrome browser cookies by copying the Chrome profile directories..."

Multiple malware and groups are described as zipping/archiving/packing collected data prior to exfiltration (e.g., "used ZIP to compress data gathered on a compromised host", "packs collected data into a password protected archive", "archived victim's data prior to exfiltration").

"Mythic supports WebSocket and TCP-based C2 profiles." / "Spica can use JSON over WebSockets for C2 communications."