TTP Tuesday: APT29 (Cozy Bear) - 2015 Pentagon Hack
Phish for Initial Access and Exfiltrate Data
We hope you all enjoyed our last theme, which was based on the Conti ransomware. In case you missed the last part of the chain, you can see it here.
This week we are releasing the first part of our next theme which is focused on APT29 (Cozy Bear). Unlike the last theme where we focused on each stage, this theme’s chains will each focus on a single APT29 attack. For this week, the attack we focused on is the 2015 Pentagon Attack. Due to the sensitivity of the target, there isn’t much information regarding the attack, other than initial access was gained via phishing. Possibly due to coincidence, FireEye released a report on one of APT29’s malware pieces called HAMMERTOSS right around the same time.
Currently, phishing can be kind of complex in Operator, since the focus is typically emulating an attacker that is already on the system. This leaves us in a scenario where we use a TTP telling the agent to drop an email on the system, this email then spawns a new agent that calls back into Operator. Hopefully, the first TTP in this chain will make phishing more relaxing as it gives the ability to send a phishing email via SMTP directly from an Operator agent, this should also allow defenders to collect some network indicators for email tracking and tracing. This TTP is modular and could easily be incorporated in other chains requiring a phishing email.
The payload that is downloaded from the phishing email is based on some of the techniques detailed in FireEye’s HAMMERTOSS report. The malware will download an image from a public GitHub repository, this image uses steganography to embed a command instructing the malware to get files listed in the current user’s home directory. After completing the command, the malware will send the list of files back to Operator and instruct the TTP which hosts the payload to gracefully shut down.
Watch a demonstration:
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Join our community
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
Follow our team