Stuxnet

His work didn’t involve installing the centrifuges, but it got him where he needed to be to collect configuration information about the systems there. He apparently returned to Natanz a few times over the course of some months.

The attack used a Stuxnet worm which hampered the operation of plant's centrifuges and caused damage to them over time.

you will find all technical details about the threat’s components and data structures, as well as high-level information, including: ... Propagation methods | Virusblokada, a security company in Belarus, announced they found a new interesting malware sample using an unpatched vulnerability to spread to removable drives

Their investigation uncovered malware dating back to 2005 that was reportedly designed to manipulate software believed to be used by Iranian nuclear scientists...

The targets were employees of five Iranian companies — all of them contractors in the business of installing industrial control systems in Natanz and other facilities in Iran — who became unwitting couriers for the digital weapon.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

We also have clear indications that Stuxnet’s print spooler exploit (MS10-061) and lnk exploit (MS10-046) is used within sKyWIper as well

Flame... was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

Drivers are often used to maintain access to an infected system and to hide suspicious activity from system administrators.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

you will find all technical details about the threat’s components and data structures, as well as high-level information, including: ... Injection techniques and anti-AV

Process hollowing, a technique first popularized by Stuxnet, involves executing a legitimate application in suspended mode, replacing its code with malware in memory, and then resuming execution—effectively hiding malicious activity behind a trusted process name.

The 2009 Stuxnet was built to replicate using an exploit from Flame. This indicates the two were indeed connected.

Drivers are often used to maintain access to an infected system and to hide suspicious activity from system administrators.

Drivers are often used to maintain access to an infected system and to hide suspicious activity from system administrators. A well-known example of malicious rootkit activity is Stuxnet [3], which used this functionality in order to maintain access and avoid detection.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

you will find all technical details about the threat’s components and data structures, as well as high-level information, including: ... Injection techniques and anti-AV

Process hollowing, a technique first popularized by Stuxnet, involves executing a legitimate application in suspended mode, replacing its code with malware in memory, and then resuming execution—effectively hiding malicious activity behind a trusted process name.

In the case of Stuxnet, one of the former intelligence officials said that signatures were added by the Territorial Dispute team in 2010 after Stuxnet had begun to spread uncontrollably — spreading that led to its discovery and public exposure. “There were cleanup efforts,” the official said.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Drivers are often used to maintain access to an infected system and to hide suspicious activity from system administrators.

Flame... was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

And while Stuxnet and Duqu each “have variants where the kernel driver file is digitally signed using a software signing certificate,” Dell says this commonality is insufficient evidence of a connection “because compromised signing certificates can be obtained from a number of sources.”

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

Such signatures act like fingerprints for hacking groups — they can include file names or snippets of code from known malware that the advanced threat actors use repeatedly or particular changes the advanced hackers are known to make to a machine’s core operating system settings.

The Territorial Dispute scripts use digital signatures to hunt APT actors. Such signatures act like fingerprints for hacking groups — they can include file names or snippets of code from known malware that the advanced threat actors use repeatedly...

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

you will find all technical details about the threat’s components and data structures, as well as high-level information, including: ... Propagation methods | Virusblokada, a security company in Belarus, announced they found a new interesting malware sample using an unpatched vulnerability to spread to removable drives

We also have clear indications that Stuxnet’s print spooler exploit (MS10-061) and lnk exploit (MS10-046) is used within sKyWIper as well

BS2005 uses Base64 encoding for communication in the message body of an HTTP request... Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values... RDAT can communicate with the C2 via base32-encoded subdomains.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

Certains pays se sont dotés d'outils capables de saboter des serveurs, comme ce fut le cas en 2010 avec l'attaque d'une centrale iranienne d'enrichissement d'uranium par le virus Stuxnet

you will find all technical details about the threat’s components and data structures, as well as high-level information, including: ... Injection techniques and anti-AV