Description: Heatmap of instances of ATT&CK techniques for an information stealer discovered in January 2023 that achieves initial access via a malicious software dependency (a Python package). Public CTI report sources are provided in Notes for each technique. Please note: the reference from the Loginsoft source lists malware infrastructure that contains derogatory terminology, including a racial slur.
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.[[Trendmicro NPM Compromise](https://app.tidalcyber.com/references/69eac1b0-1c50-4534-99e0-2d0fd738ab8f)] Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data, and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.[[Microsoft CryptUnprotectData April 2018](https://app.tidalcyber.com/references/258088ae-96c2-4520-8eb5-1a7e540a9a24)] Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.[[Proofpoint Vega Credential Stealer May 2018](https://app.tidalcyber.com/references/c52fe62f-4df4-43b0-a126-2df07dc61fc0)][[FireEye HawkEye Malware July 2017](https://app.tidalcyber.com/references/7ad228a8-5450-45ec-86fc-ea038f7c6ef7)] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://app.tidalcyber.com/technique/9503955c-fa53-452a-b717-7e23bfb4df83).
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[[GitHub Mimikittenz July 2016](https://app.tidalcyber.com/references/2e0a95b2-3f9a-4638-9bc5-ff1f3ac2af4b)]
After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
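A defender-side check for the Chrome credential-store read described above, as an added example that is not part of the original page: it flags file-access events in which anything other than an installed browser opens Login Data, including a browser-named binary running from an unexpected directory. The event field names, the browser allowlist and the trusted install directories are assumptions, and the sample events are constructed.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Path suffix taken from the technique description (Chrome on Windows).
STORE_SUFFIXES = (
    "\\appdata\\local\\google\\chrome\\user data\\default\\login data",
)
# Assumptions: which binaries may open the store, and where they are installed.
BROWSER_IMAGES = {"chrome.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

LOGIN_DATA = r"C:\Users\{u}\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed file-access events. The keys (user, image, target) are
# hypothetical; map them to the fields your EDR or Sysmon pipeline emits.
SAMPLE_EVENTS = [
    {"user": "alice", "target": LOGIN_DATA.format(u="alice"),
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"user": "alice", "target": LOGIN_DATA.format(u="alice"),
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe"},
    {"user": "alice", "target": r"C:\Users\alice\Documents\notes.txt",
     "image": r"C:\Windows\System32\notepad.exe"},
    # Browser-named binary outside the install directory, forward-slash target.
    {"user": "bob",
     "target": "C:/Users/bob/AppData/Local/Google/Chrome/User Data/Default/Login Data",
     "image": r"C:\Users\bob\AppData\Local\Temp\chrome.exe"},
]

def is_credential_store(path):
    """True if the path is the Chrome Login Data database, any case or slash style."""
    return ntpath.normpath(path).lower().endswith(STORE_SUFFIXES)

def is_trusted_browser(image):
    """True only for an allowlisted browser name under a trusted install directory."""
    image = ntpath.normpath(image).lower()
    return ntpath.basename(image) in BROWSER_IMAGES and image.startswith(TRUSTED_DIRS)

def find_suspicious_reads(events):
    """Return (user, process name) for every non-browser read of the store."""
    hits = []
    for ev in events:
        if is_credential_store(ev["target"]) and not is_trusted_browser(ev["image"]):
            hits.append((ev["user"], ntpath.basename(ev["image"]).lower()))
    return hits

if __name__ == "__main__":
    for user, proc in find_suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={proc} read Chrome Login Data")
```

Per-user Chrome installs live under the user profile, so extend the trusted directories for those hosts rather than dropping the directory check.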
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d).[[CG 2014](https://app.tidalcyber.com/references/46836549-f7e9-45e1-8d89-4d25ba26dbd7)] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.[[SRD GPP](https://app.tidalcyber.com/references/a15fff18-5d3f-4898-9e47-ec6ae7dda749)] In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)] They may also be found as parameters to deployment commands in container logs.[[Unit 42 Unsecured Docker Daemons](https://app.tidalcyber.com/references/efcbbbdd-9af1-46c2-8538-3fd22f2b67d2)] In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.[[Specter Ops – Cloud Credential Storage](https://app.tidalcyber.com/references/95d6d1ce-ceba-48ee-88c4-0fb30058bd80)]
Adversaries may use [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) to decode a remote access tool portable executable file that has been hidden inside a certificate file.[[Malwarebytes Targeted Attack against Saudi Arabia](https://app.tidalcyber.com/references/735647f9-9cd4-4a20-8812-4671a3358e46)] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)] Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88) can be done using various common operating system utilities such as [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc)/SMB or FTP.[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)] On macOS and Linux, curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.[[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]
Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://app.tidalcyber.com/technique/af798e80-2cc5-5452-83e4-9560f08bf2d5).
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)] Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)] There are several examples of malware targeting cookies from web browsers on the local system.[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)][[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to log in to the corresponding web application.
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. Adversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)] The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a), or other cryptographic seed values. Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1)), which may bypass multi-factor and other authentication protection mechanisms.[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)][[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]