WarzoneRAT

Scattered Spider’s powerful initial access tactics ... include phone calls, SMS phishing, email phishing, MFA fatigue attacks, and SIM swapping. The domains used for email and SMS phishing abuse the Okta and Zoho ServiceDesk brands combined with the target’s name to make them appear legitimate.

The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.

persistence_autorun_tasks Installs itself for autorun at Windows startup ... uses_windows_utilities_to_create_scheduled_task Uses Windows utilities to create a scheduled task

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

suspicious_command_tools Uses suspicious command line tools or Windows utilities ... cmdline_obfuscation Appears to use command line obfuscation ... cmdline_terminate Executed a command line with /C or /R argument to terminate command shell on completion

createtoolhelp32snapshot_module_enumeration Enumerates the modules from a process (may be used to locate base addresses in process injection)

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

persistence_autorun_tasks Installs itself for autorun at Windows startup ... uses_windows_utilities_to_create_scheduled_task Uses Windows utilities to create a scheduled task

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

persistence_autorun Installs itself for autorun at Windows startup

persistence_autorun_tasks Installs itself for autorun at Windows startup ... uses_windows_utilities_to_create_scheduled_task Uses Windows utilities to create a scheduled task

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

persistence_autorun Installs itself for autorun at Windows startup

WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.

Avaddon modifies several registry keys for persistence and UAC bypass. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. Lokibot has modified the Registry as part of its UAC bypass process.

multiple_useragents Network activity contains more than one unique useragent ... network_fake_useragent Fake User-Agent detected

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

deletes_executed_files Deletes executed files from disk ... deletes_self Deletes its original binary from disk ... anomalous_deletefile Anomalous file deletion behavior detected (10+)

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

antivm_generic_system Checks the system manufacturer, likely for anti-virtualization ... antisandbox_sboxie_libs Detects Sandboxie through the presence of a library ... antivm_generic_diskreg Checks the presence of disk drives in the registry, possibly for anti-virtualization ... antivm_checks_available_memory Checks available memory

queries_keyboard_layout Queries the keyboard layout ... queries_locale_api Queries the computer locale ... queries_computer_name Queries computer hostname ... queries_user_name Queries the username ... language_check_registry Checks system language via registry key

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows. APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. APT28 has used the WindowStyle parameter to conceal PowerShell windows.

persistence_ads Attempts to interact with an Alternate Data Stream (ADS)

antidebug_windows Checks for the presence of known windows from debuggers and forensic tools ... antidebug_guardpages Guard pages use detected - possible anti-debugging ... antidebug_setunhandledexceptionfilter SetUnhandledExceptionFilter detected

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

removes_zoneid_ads Attempts to remove evidence of file being downloaded from the Internet

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

CAPE detected injection into a browser process, likely for Man-In-Browser (MITB) infostealing

Scattered Spider also conducts phishing attacks to install malware like the WarZone RAT, Raccoon Stealer, and Vidar Stealer, to steal from compromised systems login credentials, cookies, and other data useful in the attack.

infostealer_browser Steals private information from local Internet browsers ... infostealer_cookies Touches a file containing cookies, possibly for information gathering ... infostealer_ftp Harvests credentials from local FTP client softwares ... registry_credential_store_access Accessed credential storage registry keys ... credential_access_via_windows_credential_history Attempts to access Users Windows Credential History File that is used by Microsoft’s DPAPI

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

enumerates_running_processes Enumerates running processes ... process_interest Expresses interest in specific running processes

recon_fingerprint Collects information to fingerprint the system ... recon_programs Collects information about installed applications

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

antivm_generic_system Checks the system manufacturer, likely for anti-virtualization ... antisandbox_sboxie_libs Detects Sandboxie through the presence of a library ... antivm_generic_diskreg Checks the presence of disk drives in the registry, possibly for anti-virtualization ... antivm_checks_available_memory Checks available memory

queries_keyboard_layout Queries the keyboard layout ... queries_locale_api Queries the computer locale ... queries_computer_name Queries computer hostname ... queries_user_name Queries the username ... language_check_registry Checks system language via registry key

antidebug_windows Checks for the presence of known windows from debuggers and forensic tools ... antidebug_guardpages Guard pages use detected - possible anti-debugging ... antidebug_setunhandledexceptionfilter SetUnhandledExceptionFilter detected

uses_remote_desktop_session Connects to/from or queries a remote desktop session

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

CAPE detected injection into a browser process, likely for Man-In-Browser (MITB) infostealing

Agent Tesla can access the victim’s webcam and record video. AsyncRAT can record screen content on targeted systems. Bandook has modules that are capable of capturing video from a victim's webcam. ... ZxShell has a command to perform video device spying.

http_request Performs HTTP requests potentially not found in PCAP ... recon_beacon A process sent information about the computer to a remote location.

Representative examples include "APT33 has utilized PowerShell to download files from the C2 server and run various scripts," "QakBot can use PowerShell to download and execute payloads," and "TrickBot has been known to use PowerShell to download new payloads."

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

enumerates_physical_drives Enumerates physical drives ... physical_drive_access Attempted to write directly to a physical drive

antiav_detectfile Attempts to identify installed AV products by installation directory ... antiav_servicestop Attempts to stop active services ... disables_windowsupdate Attempts to disable Windows Auto Updates ... antiav_avast_libs Detects Avast Antivirus through the presence of a library