PowerLess
PowerLess is a PowerShell backdoor associated with APT35 (also known as Charming Kitten/Phosphorus/Mint Sandstorm). It is notable for being written in PowerShell and executed through the PowerShell engine without invoking powershell.exe. Reported capabilities include encrypted command-and-control communications, a browser information-stealing module that can read Chrome and Edge browser database files, encryption of browser database files prior to exfiltration, and collection of keylogger data. Staged data has been observed in C:\Windows\Temp\cup.tmp for stolen browser data and C:\Windows\Temp\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK for keylogger data. Public reporting also states that APT35 updated PowerLess from version 3.3.0 to 3.3.4, adding AMSI and ETW bypass techniques, AES-encrypted payload delivery via malicious LNK files, and Telegram-based C2 communication. It has been described as part of APT35 espionage tooling.
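As an added defensive example (not code from this page or from any vendor), the following Python flags two of the behaviours described above in Sysmon-style events: the PowerShell engine DLL (System.Management.Automation.dll) loaded by a process other than the standard PowerShell hosts, and file creation at the reported staging paths. The event field names, the constructed sample records, the allow-list of PowerShell hosts and the generalization of the keylogger file name to Report.<GUID>K are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Staging paths reported for PowerLess (taken from the description above), lower-cased.
STAGED_PATHS = {
    r"c:\windows\temp\cup.tmp",
    r"c:\windows\temp\report.06e17a5a-7325-4325-8e5d-e172eba7fc5bk",
}
# Assumption: the keylogger file name generalizes to Report.<GUID>K.
STAGED_PATTERN = re.compile(
    r"^c:\\windows\\temp\\report\.[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}k$")

# The PowerShell engine is System.Management.Automation(.ni).dll; these hosts load it legitimately.
PS_ENGINE = re.compile(r"\\system\.management\.automation(?:\.ni)?\.dll$")
PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one Sysmon-style event dict, or None if benign."""
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        target = event.get("TargetFilename", "").lower()
        if target in STAGED_PATHS or STAGED_PATTERN.match(target):
            return "powerless_staging_path"
    elif eid == 7:  # Sysmon ImageLoad
        loaded = event.get("ImageLoaded", "").lower()
        if PS_ENGINE.search(loaded) and basename(event.get("Image", "")) not in PS_HOSTS:
            return "powershell_engine_in_non_powershell_host"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (RecordId, label) for every event that triggers a rule, in input order."""
    return [(e["RecordId"], label) for e in events if (label := classify(e))]


# Constructed sample events (assumed shape, not real telemetry).
_ENGINE = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ImageLoaded": _ENGINE},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Users\user\AppData\Local\Temp\host.exe", "ImageLoaded": _ENGINE},
    {"RecordId": 3, "EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\host.exe", "TargetFilename": r"C:\Windows\Temp\cup.tmp"},
    {"RecordId": 4, "EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\host.exe", "TargetFilename": r"C:\Windows\Temp\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK"},
    {"RecordId": 5, "EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Temp\other.tmp"},
]

if __name__ == "__main__":
    for record_id, label in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {label}")
```

Record 1 is the legitimate powershell.exe host and is not flagged; records 2 to 4 reproduce the engine-load-without-powershell.exe and staging-path behaviours.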
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
APT35 developed PowerLess (a PowerShell backdoor that executes without invoking powershell.exe) and BellaCiao (a dropper delivering tailored implants based on victim geolocation).
"...executed in a somewhat similar manner to how PowerLess, another backdoor used by the group, executes its PowerShell payload."
Their tools include custom backdoors like FalseFont or Powerless for espionage...
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"we have observed wide exploitation of ... recently Log4Shell... focusing around exploitation of VMware Horizon Log4j vulnerabilities."
“Initial access continued to rely on spear phishing — delivering macro-enabled documents or malicious links …” and “Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access …”
Execution
4 techniques
In recent years, Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access, often leading to execution via user execution (T1204) of malicious files, which tend to rely on the use of command and scripting interpreters (T1059) like PowerShell (T1059.001).
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
“PowerShell and Cmd serve as the universal backbone for execution across nearly all groups”
In recent years, Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access, often leading to execution via user execution (T1204) of malicious files
Stealth
2 techniques
"ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration."; "Agent Tesla can encrypt data with 3DES..."; "APT32's backdoor has used...RC4 encryption before exfiltration."; "Epic encrypts collected data using a public key framework..."; "Some variants encrypt...with AES and encode it with base64..."; "Prikormka...encrypts it with Blowfish."; "VERMIN encrypts the collected files using 3-DES."; "Zebrocy...RC4...as well as AES...and hexadecimal for encoding"
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
4 techniques
The content references collection of credential material from local systems, including "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies," "GALLIUM collected ... password hashes from the SAM hive in the Registry," and "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."
Operation MidnightEclipse stole saved cookies and login data from targeted systems; IceApple can collect files, passwords, and other data from a compromised host; RedLine Stealer collected chat logs and files associated with chat services.
PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines. QakBot can use esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge.
Discovery
1 technique
APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.
Collection
5 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
"AppleSeed has compressed collected data before exfiltration."; "APT28 used a publicly available tool to gather and compress multiple documents..."; "Aria-body has used ZIP to compress data..."; "Cadelspy...compress stolen data into a .cab file."; "Daserf hides collected data in password-protected .rar archives."; "FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."; "Lazarus Group has compressed exfiltrated data with RAR...archive specified directories in .zip format"; "XCSSET will compress entire ~/Desktop folders..."
Command and Control
5 techniques
Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP.
Reverse Shell #1 uses WebClient UploadFile/DownloadString to "www.microsoft-updateserver[.]cf"; also notes webhook.site for output exfil.
“BellaCiao (a dropper delivering tailored implants based on victim geolocation)” and “PowerLess (a PowerShell backdoor…)”
“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… MacMa has used TLS encryption… Magic Hound has used an encrypted http proxy in C2 communications… gh0st RAT has encrypted TCP communications…”
“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… Emotet has encrypted data before sending to the C2 server… gh0st RAT has encrypted TCP communications to evade detection… Gomir uses a custom encryption algorithm…”
Recent activity
25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom backdoor referenced as used for espionage operations; sometimes paired with destructive tooling in campaigns described.
APT35 backdoor enhanced with AMSI/ETW bypasses, AES-encrypted payload delivery via LNK files, and Telegram-based C2.
A PowerShell-based backdoor attributed to APT35 that executes without launching powershell.exe, aiding stealthy execution and persistence on Windows environments.
A PowerShell backdoor designed to execute without invoking powershell.exe, likely to evade detection while providing backdoor access.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.