Mustard Tempest

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.[1][2][3][4]

ID: G1020
Associated Groups: DEV-0206, TA569, GOLD PRELUDE, UNC1543
Version: 1.0
Created: 06 December 2023
Last Modified: 25 March 2024

Associated Group Descriptions

Name Description
DEV-0206 [2]
TA569 [3]
GOLD PRELUDE [3]
UNC1543 [3]

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Mustard Tempest has used the filename AutoUpdater.js to mimic legitimate update files and has also used the Cyrillic homoglyph characters С (0xd0a1) and а (0xd0b0) to produce the filename Сhrome.Updаte.zip.[5][4]
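The homoglyph trick above is easy to miss by eye but easy to catch in code, because the two look-alike letters belong to a different Unicode script than the rest of the name (0xd0a1 and 0xd0b0 are the UTF-8 encodings of U+0421 CYRILLIC CAPITAL LETTER ES and U+0430 CYRILLIC SMALL LETTER A). The following is an added detection example written for this page, not code from MITRE or from any referenced vendor report: it flags filenames whose letters mix scripts, reports where the confusable characters sit, and derives the Latin "skeleton" the user was meant to see. The confusables table is a constructed, deliberately partial mapping; the function names and the `SAMPLE` filename reconstructed from the page's bytes are the author's assumptions.

```python
"""Flag filenames whose letters mix Latin with Cyrillic look-alikes.

Added example for this page (not MITRE's or any vendor's code). It shows how
a defender can detect the T1036.005 homoglyph trick in which Cyrillic "С"
(U+0421, UTF-8 0xd0a1) and "а" (U+0430, UTF-8 0xd0b0) replace their Latin
look-alikes in a filename such as Сhrome.Updаte.zip.
"""
import unicodedata

# Constructed table of Cyrillic letters that render like Latin letters in
# common fonts. Deliberately partial; extend it to match your environment.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0443": "y", "\u0445": "x",
}


def scripts_in(name):
    """Return the set of Unicode scripts ('LATIN', 'CYRILLIC', ...) used by the letters in name."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            # unicodedata.name() yields e.g. 'CYRILLIC CAPITAL LETTER ES';
            # the first word is the script the letter belongs to.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(name):
    """True when the letters of a filename span more than one script.

    A name written entirely in one script (a genuine Cyrillic document name,
    say) is not flagged, which keeps false positives down.
    """
    return len(scripts_in(name)) > 1


def skeleton(name):
    """Replace known Cyrillic look-alikes with their Latin counterparts so the
    name can be compared with what the user believes they are seeing."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def analyze(name):
    """Return (mixed_script, skeleton, hits) for a filename.

    hits lists (index, char, code point) for every confusable found, which is
    the detail an analyst wants in an alert.
    """
    hits = [(i, ch, f"U+{ord(ch):04X}") for i, ch in enumerate(name) if ch in CONFUSABLES]
    return is_mixed_script(name), skeleton(name), hits


# Constructed sample: the filename cited on the page, rebuilt from its raw UTF-8 bytes.
SAMPLE = b"\xd0\xa1hrome.Upd\xd0\xb0te.zip".decode("utf-8")

if __name__ == "__main__":
    for fn in (SAMPLE, "Chrome.Update.zip", "AutoUpdater.js"):
        mixed, skel, hits = analyze(fn)
        print(f"{fn!r}: mixed_script={mixed} skeleton={skel!r} confusables={hits}")
```

Run against file-creation or download telemetry, `analyze()` turns the page's sample into a mixed-script alert with both confusables located (index 0 and index 10) and a skeleton of `Chrome.Update.zip`, while the plain Latin filenames pass. The script check deliberately does not rely on the confusables table, so a look-alike letter missing from the table still trips `is_mixed_script()` as long as the rest of the name is Latin.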

Enterprise T1584 .001 Compromise Infrastructure: Domains

Mustard Tempest operates a global network of compromised websites that redirect into a traffic distribution system (TDS) to select victims for a fake browser update page.[3][4][6][5]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Mustard Tempest has hosted payloads on acquired second-stage servers for periods of either days, weeks, or months.[6]

.004 Stage Capabilities: Drive-by Target

Mustard Tempest has injected malicious JavaScript into compromised websites to infect victims via drive-by download.[4][6][5][3]

.006 Stage Capabilities: SEO Poisoning

Mustard Tempest has poisoned search engine results to return fake software updates in order to distribute malware.[1][4]

Enterprise T1189 Drive-by Compromise

Mustard Tempest has used drive-by downloads for initial infection, often using fake browser updates as a lure.[4][6][5][3]

Enterprise T1204 .001 User Execution: Malicious Link

Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.[1][4]

Enterprise T1082 System Information Discovery

Mustard Tempest has used implants to perform system reconnaissance on targeted systems.[1]

Enterprise T1583 .004 Acquire Infrastructure: Server

Mustard Tempest has acquired servers to host second-stage payloads that remain active for a period of either days, weeks, or months.[6]

.008 Acquire Infrastructure: Malvertising

Mustard Tempest has posted false advertisements including for software packages and browser updates in order to distribute malware.[1]

Enterprise T1105 Ingress Tool Transfer

Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Mustard Tempest has sent victims emails containing links to compromised websites.[4]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S1124 SocGholish [1][3][4] Windows Management Instrumentation, Masquerading: Match Legitimate Name or Location, Command and Scripting Interpreter: JavaScript, Domain Trust Discovery, Data Staged: Local Data Staging, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Drive-by Compromise, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious Link, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Web Service, Software Discovery, Ingress Tool Transfer, Process Discovery, Phishing: Spearphishing Link

References