Description
[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access for the download of additional malware, including LockBit, [WastedLocker](https://attack.mitre.org/software/S0612), and remote access tools. (Citation: Microsoft Ransomware as a Service) (Citation: Microsoft Threat Actor Naming July 2023) (Citation: Secureworks Gold Prelude Profile) (Citation: SocGholish-update)
Techniques Used (TTPs)
- T1583.008 — Malvertising (resource-development)
- T1608.001 — Upload Malware (resource-development)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1566.002 — Spearphishing Link (initial-access)
- T1584.001 — Domains (resource-development)
- T1608.006 — SEO Poisoning (resource-development)
- T1608.004 — Drive-by Target (resource-development)
- T1189 — Drive-by Compromise (initial-access)
- T1204.001 — Malicious Link (execution)
- T1082 — System Information Discovery (discovery)
- T1583.004 — Server (resource-development)
- T1105 — Ingress Tool Transfer (command-and-control)
Total TTPs: 12
Malware & Tools
Malware: Cobalt Strike, SocGholish