FOCUS MODE
EXTRACT IOC
Interesting Stuff

UFO-1, – Threat Intelligence

iocOne
UFO-1, – Threat Intelligence
This article discusses various exercises completed as part of Threat Intelligence training on the Hack The Box platform, focusing on the Sandworm Team (also known as BlackEnergy Group and APT44). The training utilizes the MITRE ATT&CK framework to explore the tactics, techniques, and procedures (TTPs) employed by this group, analyzing their historical campaigns, tools, and methods. Affected: Cybersecurity sector, ICS (Industrial Control Systems)

Keypoints :

  • The Sandworm Team began operations in 2009.
  • MITRE identifies techniques used by Sandworm Team, particularly during their campaigns against the Ukrainian power grid.
  • Credential access techniques used include LSASS Memory access (T1003.001) and another technique with ID T1100.
  • A VBS script named ufn.vbs was noted during the Sandworm operations.
  • A technique for persistence identified was T1505.003, using a reverse shell for remote access.
  • Malware utilized in their operations includes Neo-REGEORG and CaddyWiper.
  • scilc.exe was the binary abused for code execution in SCADA systems during a 2022 campaign.
  • The full command for executing scilc.exe was C:scprogexecscilc.exe -do packscils1.txt.
  • NotPetya was recognized for its worm-like and ransomware characteristics used by the Sandworm Team.
  • The Microsoft security bulletin ID for the vulnerability exploited by NotPetya was MS17–010.
  • AcidRain was identified as the malware designed to target modems.
  • The Sandworm Team reportedly operated their SSH server on port 6789.
  • They have collaborated with another APT group known as APT.

MITRE Techniques :

  • Credential Access – LSASS Memory access (T1003.001): Used for extracting credentials.
  • Credential Access – Credential Dumping (T1100): Utilized in brute-force attacks to authenticate across hosts.
  • Execution – VBS Script Execution (T1059.002): The script ufn.vbs was used for lateral movement.
  • Persistence – Application Layer Protocol (T1505.003): Used a reverse shell for maintaining remote access.
  • Execution – Remote File Copy (T1106): Allows malware to interact with low-level system functions.
  • Exploitation of SCADA Application – Abuse Elevation Control Mechanism (T1294): Used scilc.exe for command execution on SCADA systems.
  • Destruction – Data Destruction (T1485): CaddyWiper was used for destructive actions in compromised environments.
  • Exploitation of Remote Services – SMB/Windows (T1210): NotPetya exploited this vulnerability to spread.
  • Malicious Technical Means – Malicious Remote Administration Tools (T1190): AcidRain targeted modems.
  • Use of Non-Standard Ports – Port Utilization (T1571): SSH server was established on port 6789.

Indicator of Compromise :

  • [File] ufn.vbs
  • [Executable] scilc.exe
  • [Malware] CaddyWiper
  • [Malware] NotPetya
  • [Port] 6789

Full Story: https://tizimass.medium.com/ufo-1-threat-intelligence-0d3fa7b45b2c?source=rss——cybersecurity-5

Tags: TOOL, SOC, WORM, PATCH, APT, WINDOWS, EXPLOIT, VIRUS