TTP Tuesday: APT29 - Operation Ghost
Decode and execute steganographic payloads
15 March 2022
For this week's TTP Tuesday we are releasing a new APT29-themed chain based on Operation Ghost, a long-running espionage campaign against European ministries of foreign affairs and an EU member state's embassy in Washington, D.C. ESET documented the campaign in 2019 and attributed it to APT29. This operation stands out for its duration (at least six years) and its sophisticated evasion techniques.
Steganography: Stealth through obscurity
This week's kill chain focuses on the staging process of APT29's malware (collectively referred to as the Dukes). The malware used in this operation consisted of four stages. Steganography was used in the first two stages to hide payloads and C2 commands inside images, so that the data retrieved from a server looks like ordinary image traffic. We emulated this staging process by encoding Schism (a fully modular Python-based HTTP agent) into a PNG file, running a decoder to recover its contents, and executing Schism. We hope this kill chain demonstrates the defense evasion techniques adversaries use.
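To make the staging mechanism concrete, the following is an added example written for this post; it is not Prelude's chain code, not Schism, and not the Dukes' implementation. It hides an arbitrary byte string in the least-significant bit of each colour channel of a PNG, writes a real PNG file with the Python standard library only, and then parses the PNG back and recovers the payload. The cover image, the 32-bit length prefix and the restriction to 8-bit RGB with filter type 0 are assumptions made for this example.

```python
"""Toy LSB steganography in a PNG: embed a payload, write a PNG, read it back, extract.

Added example, not code from the original post. Assumptions: one payload bit per
colour channel (least-significant bit), a 4-byte big-endian length prefix, a
synthetic cover image, 8-bit RGB, PNG filter type 0 on every scanline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, tag, body, CRC32 over tag+body."""
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw RGB bytes (row-major, 3 bytes/pixel) as an 8-bit RGB PNG, filter 0."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb buffer does not match width*height*3")
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Minimal parser for the PNGs write_png produces: returns (width, height, rgb)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if crc != zlib.crc32(tag + body):
            raise ValueError("bad CRC in chunk %r" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is supported by this example")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1  # one filter byte per scanline
    rows = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is supported by this example")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def make_cover(width: int, height: int) -> bytes:
    """Synthetic gradient cover image (constructed sample input, not a real photo)."""
    return bytes((x * 3 + y * 5 + c * 11) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))


def embed(rgb: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive channel bytes with len(payload) || payload."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(rgb):
        raise ValueError("cover too small: %d bits available" % len(rgb))
    out, i = bytearray(rgb), 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def extract(rgb: bytes) -> bytes:
    """Reverse of embed: read the length prefix, then that many bytes of LSBs."""
    def bits_to_bytes(start: int, n: int) -> bytes:
        result = bytearray()
        for b in range(n):
            v = 0
            for k in range(8):
                v = (v << 1) | (rgb[start + b * 8 + k] & 1)
            result.append(v)
        return bytes(result)
    length = struct.unpack(">I", bits_to_bytes(0, 4))[0]
    if 32 + length * 8 > len(rgb):
        raise ValueError("length prefix exceeds cover capacity; not a valid carrier")
    return bits_to_bytes(32, length)


def stage_payload(payload: bytes, width: int = 64, height: int = 64) -> bytes:
    """Attacker side: produce the PNG that carries the payload."""
    return write_png(width, height, embed(make_cover(width, height), payload))


def recover_payload(png: bytes) -> bytes:
    """Implant side: parse the PNG and pull the payload back out."""
    return extract(read_png(png)[2])


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-channel change the embedding introduced (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stage = b"print('second stage running')"  # stands in for the agent; constructed
    carrier = stage_payload(stage)
    recovered = recover_payload(carrier)
    assert recovered == stage
    exec(compile(recovered, "<stage>", "exec"))  # the "execute" step of the chain
```

The decoded bytes are executed only after the length-framed extraction succeeds; the carrier is a valid PNG that any viewer will render as the original gradient, and no channel value moves by more than one. That is the point for defenders: the image itself gives little away, so detection should key on the loader behaviour (an unusual process fetching and parsing an image, followed by code execution) rather than on the picture.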
Check it out on the Prelude chains website.
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg