The threat hunting and incident response team at Cystack has discovered and analyzed a malicious attack that might affect a number of customers in Palestine. We are publishing the Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) below to help our customers detect and contain the threat actor (Stealthy Owl), which appears to be interested in information gathering and gaining insight.
- Threat Actor: Stealthy Owl (name given by Cystack)
- Type: Sophisticated Fileless Malware
- Tactic — Enterprise: Execution
- Technique — Command and Scripting Interpreter: PowerShell (T1059.001)
- Platform — Microsoft Windows
- Description — Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including the discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to the remote system).
Indicators of Compromise
| Indicator | Type | Malware Families | Related Actors | Kill Chain |
|---|---|---|---|---|
| | Domain | Cobalt Strike | - | Command and Control |
| https://netsocialmedia.org/social | URL | Cobalt Strike | - | Command and Control |
| 89.34.111.122 | IP Address | - | - | Command and Control |
| | URL | Cobalt Strike | - | Command and Control |
Detection
- Monitor outbound connections to the IOCs in the table above
- Monitor your EDR solution for the Indicators of Compromise and Indicators of Attack listed here
- Monitor for unusual lateral movement across your infrastructure
- Monitor for unusual use of privileged credentials
- Scripts (Indicators of Attack):
  - wscript.exe //E:vbscript //B "C:\Users\Public\Documents\TPM\Tpm-UpdateSources.list"
  - wscript.exe //E:vbscript //B "C:\Windows\system32\config\systemprofile\AppData\Local\Comms\UnistoreDB\\\USS.vol"
- The attack uses the following methods to maintain persistence on compromised systems:
  - Windows services
  - Windows registry entries
  - Windows scheduled tasks
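As an added example (not Cystack's code), the detection bullets above turned into a small hunting script in Python: it matches exported process, network and persistence records against the published IOCs and the wscript.exe indicators, and generalizes the script indicator to any wscript/cscript launch that forces a script engine with //E: onto a file whose extension is not a script type. The pipe-delimited record format, the hostnames and the benign entries are constructed assumptions; a real EDR, Sysmon or Autoruns export needs its own parser in place of the split calls.

```python
"""Added example (not Cystack's code): hunt for the Stealthy Owl indicators
in exported process, network and persistence records.

The pipe-delimited record format and the sample data are constructed for
this example; real EDR/Sysmon/Autoruns exports will need a different parser.
"""
import re
from urllib.parse import urlparse

# IOCs published in the advisory.
IOC_IPS = {"89.34.111.122"}
IOC_URLS = {"https://netsocialmedia.org/social"}
IOC_DOMAINS = {urlparse(u).hostname.lower() for u in IOC_URLS}

# Script paths from the advisory's Indicators of Attack.
IOA_SCRIPT_PATHS = {
    r"C:\Users\Public\Documents\TPM\Tpm-UpdateSources.list",
    r"C:\Windows\system32\config\systemprofile\AppData\Local\Comms\UnistoreDB\USS.vol",
}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Extensions the Windows Script Host is normally given; anything else combined
# with an explicit //E: engine override is the distinctive shape of the IOA.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def norm_path(path: str) -> str:
    """Lower-case and collapse repeated backslashes so path variants compare equal."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"')).lower()


NORMALISED_IOA = {norm_path(p) for p in IOA_SCRIPT_PATHS}


def script_host_findings(cmdline: str) -> list:
    """Return the reasons a wscript/cscript command line matches the IOA pattern."""
    tokens = [m.group(1) or m.group(2)
              for m in re.finditer(r'"([^"]+)"|(\S+)', cmdline)]
    if not tokens or not tokens[0].lower().endswith(SCRIPT_HOSTS):
        return []
    flags = [t for t in tokens[1:] if t.startswith("//")]
    args = [t for t in tokens[1:] if not t.startswith("//")]
    engine = next((f[4:].lower() for f in flags if f.lower().startswith("//e:")), None)
    silent = any(f.lower() == "//b" for f in flags)   # //B hides script errors
    reasons = []
    if args:
        path = norm_path(args[0])
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else "(none)"
        if path in NORMALISED_IOA:
            reasons.append("known Stealthy Owl script path " + args[0])
        if engine and ext not in SCRIPT_EXTENSIONS:
            reasons.append(f"//E:{engine} forces a script engine on extension {ext}"
                           + (" with //B suppressing errors" if silent else ""))
    return reasons


def hunt(records: str) -> list:
    """Scan records and return (kind, host, reason) tuples for every hit."""
    findings = []
    for line in records.strip().splitlines():
        kind, host, rest = line.split("|", 2)
        if kind == "process":            # process|host|image|cmdline
            _image, cmdline = rest.split("|", 1)
            reasons = script_host_findings(cmdline)
        elif kind == "network":          # network|host|dst_ip|dst_host|dst_port
            dst_ip, dst_host, _port = rest.split("|")
            hit = dst_ip in IOC_IPS or dst_host.lower() in IOC_DOMAINS
            reasons = [f"outbound connection to C2 {dst_host or dst_ip}"] if hit else []
        elif kind == "persistence":      # persistence|host|mechanism|name|command
            mechanism, name, command = rest.split("|", 2)
            reasons = [f"{mechanism} {name}: {r}" for r in script_host_findings(command)]
        else:
            reasons = []
        if reasons:
            findings.append((kind, host, "; ".join(reasons)))
    return findings


# Constructed sample records (hostnames and the benign entries are invented).
SAMPLE_RECORDS = r"""
process|WS-014|C:\Windows\System32\wscript.exe|wscript.exe //E:vbscript //B "C:\Users\Public\Documents\TPM\Tpm-UpdateSources.list"
process|WS-014|C:\Windows\System32\wscript.exe|wscript.exe //B "C:\Scripts\logon.vbs"
network|WS-014|89.34.111.122||443
network|WS-022|203.0.113.10|cdn.example.net|443
network|WS-022|198.51.100.7|netsocialmedia.org|443
persistence|WS-014|registry|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TpmUpdate|wscript.exe //E:vbscript //B "C:\Windows\system32\config\systemprofile\AppData\Local\Comms\UnistoreDB\\\USS.vol"
persistence|WS-022|schtask|\Microsoft\Windows\Maintenance\Refresh|C:\Windows\System32\wscript.exe //E:vbscript //B "C:\ProgramData\cache\update.dat"
"""

if __name__ == "__main__":
    for kind, host, reason in hunt(SAMPLE_RECORDS):
        print(f"[{kind}] {host}: {reason}")
```

The path normalisation matters because the second IOA path appears with a run of backslashes; collapsing them before comparison keeps the match from failing on a logging or extraction quirk. The extension rule is deliberately broader than the two published paths, so a renamed copy of the same loader (a .dat or .log file run through //E:vbscript) still surfaces, while an ordinary logon .vbs run with only //B does not.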
Containment and Eradication
- Block the URL and IP address on the firewall / proxy
- Disable any services used to run attacker scripts
- Change administrator credentials across the scope and on compromised assets
- Remove any of the persistence mechanisms mentioned above
- Ensure network segmentation and strict firewall policies are in place to help detect and block lateral movement
For any assistance or guidance, please contact us at [email protected]