WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[1][2]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 2.0
Created: 24 May 2019
Last Modified: 15 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

WIRTE has used Base64 to decode a malicious VBS script.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBScript in its operations.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.[1]

Enterprise T1204.002 User Execution: Malicious File

WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.[2]

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

WIRTE has used regsvr32.exe to trigger the execution of a malicious script.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire for post-exploitation activities.[1]

Enterprise T1105 Ingress Tool Transfer

WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.[2]

Enterprise T1571 Non-Standard Port

WIRTE has used HTTPS over ports 2083 and 2087 for C2.[2]

Software

ID Name References Techniques
S0363 Empire [1] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0679 Ferocious [2] Event Triggered Execution: Component Object Model Hijacking, Modify Registry, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Peripheral Device Discovery, Indicator Removal: File Deletion, System Information Discovery, Virtualization/Sandbox Evasion: System Checks, Software Discovery: Security Software Discovery
S0680 LitePower [2] Command and Scripting Interpreter: PowerShell, Screen Capture, Application Layer Protocol: Web Protocols, Native API, Query Registry, System Information Discovery, System Owner/User Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task

References