Magic Hound | APT Profile

Description

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)

Techniques Used (TTPs)

T1056.001 — Keylogging (collection, credential-access)
T1567 — Exfiltration Over Web Service (exfiltration)
T1589.001 — Credentials (reconnaissance)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1059.001 — PowerShell (execution)
T1016.002 — Wi-Fi Discovery (discovery)
T1588.002 — Tool (resource-development)
T1584.001 — Domains (resource-development)
T1059.003 — Windows Command Shell (execution)
T1572 — Protocol Tunneling (command-and-control)
T1585.002 — Email Accounts (resource-development)
T1591.001 — Determine Physical Locations (reconnaissance)
T1071 — Application Layer Protocol (command-and-control)
T1071.001 — Web Protocols (command-and-control)
T1486 — Data Encrypted for Impact (impact)
T1016.001 — Internet Connection Discovery (discovery)
T1586.002 — Email Accounts (resource-development)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1592.002 — Software (reconnaissance)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1087.003 — Email Account (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1190 — Exploit Public-Facing Application (initial-access)
T1204.002 — Malicious File (execution)
T1218.011 — Rundll32 (defense-evasion)
T1027.010 — Command Obfuscation (defense-evasion)
T1046 — Network Service Discovery (discovery)
T1590.005 — IP Addresses (reconnaissance)
T1113 — Screen Capture (collection)
T1573 — Encrypted Channel (command-and-control)
T1059.005 — Visual Basic (execution)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1036.010 — Masquerade Account Name (defense-evasion)
T1589.002 — Email Addresses (reconnaissance)
T1204.001 — Malicious Link (execution)
T1102.002 — Bidirectional Communication (command-and-control)
T1033 — System Owner/User Discovery (discovery)
T1098.002 — Additional Email Delegate Permissions (persistence, privilege-escalation)
T1070.004 — File Deletion (defense-evasion)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1566.002 — Spearphishing Link (initial-access)
T1078.001 — Default Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1083 — File and Directory Discovery (discovery)
T1016 — System Network Configuration Discovery (discovery)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
T1598.003 — Spearphishing Link (reconnaissance)
T1562.002 — Disable Windows Event Logging (defense-evasion)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1049 — System Network Connections Discovery (discovery)
T1114 — Email Collection (collection)
T1003.001 — LSASS Memory (credential-access)
T1570 — Lateral Tool Transfer (lateral-movement)
T1136.001 — Local Account (persistence)
T1057 — Process Discovery (discovery)
T1562.004 — Disable or Modify System Firewall (defense-evasion)
T1114.002 — Remote Email Collection (collection)
T1571 — Non-Standard Port (command-and-control)
T1070.003 — Clear Command History (defense-evasion)
T1082 — System Information Discovery (discovery)
T1114.001 — Local Email Collection (collection)
T1505.003 — Web Shell (persistence)
T1090 — Proxy (command-and-control)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1583.001 — Domains (resource-development)
T1018 — Remote System Discovery (discovery)
T1112 — Modify Registry (defense-evasion, persistence)
T1482 — Domain Trust Discovery (discovery)
T1589 — Gather Victim Identity Information (reconnaissance)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1566.003 — Spearphishing via Service (initial-access)
T1560.001 — Archive via Utility (collection)
T1585.001 — Social Media Accounts (resource-development)
T1564.003 — Hidden Window (defense-evasion)
T1562 — Impair Defenses (defense-evasion)
T1005 — Data from Local System (collection)
T1047 — Windows Management Instrumentation (execution)
T1583.006 — Web Services (resource-development)
T1189 — Drive-by Compromise (initial-access)

Total TTPs: 79

Malware & Tools

Malware: CharmPower, DownPaper, PowerLess

Tools: FRP, Impacket, Mimikatz, Net, Ping, PsExec, Pupy, Systeminfo, ipconfig, netsh

← Return to Home ← Back to APT Search