# New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign

**cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one**

Written By Cybereason Nocturnus

February 13, 2020 | 11 minute read

**Research by: Cybereason Nocturnus Team**

## Background

Over the last several months, the Cybereason Nocturnus team has been tracking recent espionage campaigns targeting the Middle East. These campaigns are specifically directed at entities and individuals in the Palestinian territories. This investigation shows multiple similarities to previous attacks attributed to a group called [MoleRATs](https://attack.mitre.org/groups/G0021/) (aka [The Gaza Cybergang](https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/)), an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.

In our analysis, we distinguish between two separate campaigns happening simultaneously. These campaigns differ in tools, server infrastructure, and nuances in decoy content and intended targets.

1. **The Spark Campaign:** This campaign uses social engineering to infect victims, mainly from the Palestinian territories, with the [Spark backdoor](https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/). This backdoor first emerged in January 2019 and has been continuously active since then. The campaign's lure content revolves around recent geopolitical events, especially the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between the Hamas and Fatah Palestinian movements.
2. **The Pierogi Campaign:** This campaign uses social engineering attacks to infect victims with a new, undocumented backdoor dubbed Pierogi. This backdoor first emerged in December 2019 and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the [Micropsia](https://blog.talosintelligence.com/2017/06/palestine-delphi.html) and [Kasperagent](https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/) malware.

In part one of this research, we analyze the Spark campaign. This campaign is named after a rare backdoor used by the MoleRATs group, dubbed Spark by Cybereason and [previously reported by 360's blog](http://webcache.googleusercontent.com/search?q=cache:https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/). [For a detailed report on the Pierogi campaign, please see part 2 of this research.](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor)

The creators of the Spark backdoor use several techniques to evade detection and stay under the radar. They pack the malware with a powerful commercial tool called [Enigma Packer](https://enigmaprotector.com/en/home.html) and implement language checks to ensure the victims are Arabic speaking. This minimizes the risk of detection and of infecting unwanted victims.

## Key Points

**Cyber Espionage in the Middle East:** The Cybereason Nocturnus team has discovered several recent, targeted attacks in the Middle East. These attacks deliver the Spark and Pierogi backdoors for politically-driven cyber espionage operations.

**Targeting Palestinians:** The campaigns seem to target Palestinian individuals and entities, likely related to the Palestinian government.

**Politically-motivated APT:** Cybereason suspects that the objective of the threat actor is to obtain sensitive information from the victims and leverage it for political purposes.
**Lured Into Deploying a Backdoor:** The attackers use specially crafted lure content to trick targets into opening malicious files that infect the victim's machine with a backdoor. The lure content in the malicious files relates to political affairs in the Middle East, with specific references to the Israeli-Palestinian conflict, tension between Hamas and Fatah, and other political entities in the region.

**Perpetrated by an Arabic-Speaking APT Group:** The modus operandi of the attackers, in conjunction with the social engineering tactics and decoy content, seems aligned with previous attacks carried out by the Arabic-speaking APT group MoleRATs (aka Gaza Cybergang). This group has been operating in the Middle East since 2012.

[For a synopsis of this research, check out the Molerats & Pierogis Threat Alert.](https://www.cybereason.com/threat-alert-molerats-pierogis)

## Suspected Threat Actor Description

These attacks show significant similarities to previously documented attacks attributed to the Arabic-speaking threat actor commonly referred to as the [MoleRATs group](https://attack.mitre.org/groups/G0021/) (aka [The Gaza Cybergang](https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/), [Moonlight](https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks), [DustySky](https://www.clearskysec.com/dustysky/), Gaza Hacker Team). This group, which has been attributed by various security teams, is believed to be comprised of three subgroups:

1. **[Gaza Cybergang Group 1, also dubbed MoleRATs](https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/):** MoleRATs has been active since at least 2012. This Arabic-speaking group uses spear phishing attacks to infect target machines in the Middle East and North Africa with various Remote Access Trojans (RATs).
   As MoleRATs most prominently targets the Palestinian territories, its spear phishing attacks often use attached malicious documents on topical Palestinian Authority-related issues to lure victims. The group uses a mix of tools and malware, some developed by the group and others that are more generic tools.

2. **Gaza Cybergang Group 2, also dubbed [Desert Falcons](https://www.kaspersky.com/blog/desert-falcon-arabic-apt/7678/), [APT-C-23](https://malpedia.caad.fkie.fraunhofer.de/actor/aridviper), [Arid Viper](https://malpedia.caad.fkie.fraunhofer.de/actor/aridviper):** This second group is an Arabic-speaking group that mainly targets the Middle East and North Africa, with a few targets in European and Asian countries as well. The group is known for advanced attacks that leverage custom-built Windows malware ([Kasperagent](https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/), [Micropsia](https://blog.talosintelligence.com/2017/06/palestine-delphi.html)) as well as Android malware (Vamp, [GnatSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/)).
3. **[Gaza Cybergang Group 3](https://securelist.com/operation-parliament-who-is-doing-what/85237/):** This group is believed to be behind Operation Parliament. It is considered to be the most advanced group of the three, and is focused on high-profile targets in the Middle East, North America, Europe and Asia. The group is reported to have previously attacked government institutions, parliaments, senates, diplomatic functions, and even Olympic and other sports bodies.

**A Note on Attribution**

It is important to remember there are many threat actors operating in the Middle East, and there are often overlaps in TTPs, tools, motivation, and victimology.
There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt and critical thinking.

## Infection Vector - Social Engineering using Targeted Content

**Themes of the Content Used to Lure Targets**

In this attack, the targets are lured to open a document or a link attached to an email. There have been [cases in the past where victims also downloaded malicious content from fake news websites](https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/). The names of the files and their content play a major part in luring victims to open them, as they usually relate to current topics pertaining to [Hamas](https://en.wikipedia.org/wiki/Hamas), the [Palestinian National Authority](https://en.wikipedia.org/wiki/Palestinian_National_Authority), or other recent events in the Middle East.

The lure documents analyzed by Cybereason in this attack concentrate on the following themes:

**The Conflict between Hamas and Fatah:** The [historical rivalry between Hamas and Fatah](https://en.wikipedia.org/wiki/Fatah%E2%80%93Hamas_conflict) has resulted in many open battles between the two entities. Since 2006, Hamas has controlled the Gaza Strip and Fatah has controlled the West Bank.
**Matters pertaining to the Israeli-Palestinian Conflict:** Some of the documents in this campaign reference different aspects of the Israeli-Palestinian conflict, and the efforts for ceasefire and peace processes between the Israelis and the Palestinians, including the [latest peace plan made by President Donald Trump and Senior Advisor to the President of the United States Jared Kushner](https://en.wikipedia.org/wiki/Trump_peace_plan).

**Vigilance Following Soleimani's Assassination:** One of the lure documents mentions sources in Lebanon that report a state of alert and vigilance amongst Iranian, Syrian, and Lebanese militias following [Soleimani's assassination](https://www.bbc.co.uk/news/world-middle-east-50979463).

**Tensions Between Hamas and the Egyptian Government:** Egypt plays a major role as a mediator in the Israeli-Palestinian conflict and has brokered several ceasefire deals and other negotiations in the past. Changes to Egypt's internal political climate are known to have affected Egyptian government relations with Hamas over the years.
It was recently reported that [Ismail Haniyeh](https://en.wikipedia.org/wiki/Ismail_Haniyeh), the head of Hamas' political bureau, [had a falling-out with the Egyptian government over his visit to Tehran](https://aawsat.com/english/home/article/2111556/haniyeh-settles-qatar-has-no-plans-return-gaza) to participate in General Qasem Soleimani's funeral, following [Soleimani's assassination](https://www.bbc.co.uk/news/world-middle-east-50979463).

_Spark backdoor dropper named after the Abu Mazen and Kushner meeting, uploaded to VirusTotal from the Palestinian territories._

| File Name | SHA-256 |
|---|---|
| ﻟﻘﺎء اﺑﻮ ﻣﺎزن و ﻛﻮﺷﻨﯿﺮ.exe (Translation: Meeting between Abu-Mazen and Kushner) | 01887df1febdf6fdf85e870e8d87f4397a4854ffedeaffd2f8d21310306e50b0 |
| ﻣﺤﻀﺮ اﺟﺘﻤﺎع ﻗﯿﺎدةاﻻﺟﻬﺰة اﻻﻣﻨﯿﺔ ﻓﻲ ﻏﺰة ﻣﻦ اﺟﻞ اﻓﺸﺎل اﻧﻄﻼﻗﺔ ﻓﺘﺢ.exe (Translation: Minutes of the meeting of the leadership of the security services in Gaza in order to thwart the anniversary of Fatah.exe) | 2268101c32989e7cfcb8b2ef47163f741850e7619edf0c0e8f365cfceb1b1e82 |
| Details%20Ceasfire%20with%Israel.zip | 31b08c139b6fc3bdde0734d1b2c609550a03ca97ec941eaf24224bb449e17e26 |
| ﻫﻨﯿﺔ ﺳﯿﻘﯿﻢ ﻓﻲ اﻟﺨﺎرج و ﺣﻤﺎس ﺗﺼﻌﺪ ﻓﻲ ﻏﺰة.pdf (Translation: Haniyeh will remain abroad and Hamas steps up in Gaza.pdf) | 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e |
| ﺗﻘﺮﯾﺮ ﻣﻌﻠﻮﻣﺎت ﻓﻮري.exe (Translation: Urgent Information Report.exe) | 6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47 |

_Table that summarizes files observed in the Spark campaign._

In the Spark campaign, the lure documents and links point to one of two file sharing websites, Egnyte or Dropbox. The target is encouraged to download an archive file in RAR or ZIP format that contains an executable file masquerading as a Microsoft Word document.
The following file was downloaded from Dropbox:

_Malicious archive hosted on Dropbox._

_Malicious archive with a name meant to lure targets._

## Example 1: Social Engineering using a PDF Document

One example of a lure document used in the Spark campaign is a PDF file that is used to deliver the Spark backdoor to the victim. The document includes a special report allegedly quoted from the Egyptian newspaper [Al-Ahram](https://en.wikipedia.org/wiki/Al-Ahram). This document reports that [Ismail Haniyeh](https://en.wikipedia.org/wiki/Ismail_Haniyeh), the political leader of Hamas, had notified the Egyptian government that he will remain abroad after his visit to Tehran to take part in Soleimani's funeral, [which sparked tension with the Egyptian authorities](https://www.timesofisrael.com/hamas-chief-to-remain-outside-gaza-for-months-his-deputy-says/).

| File Name | SHA-256 |
|---|---|
| ﻫﻨﯿﺔ ﺳﯿﻘﯿﻢ ﻓﻲ اﻟﺨﺎرج و ﺣﻤﺎس ﺗﺼﻌﺪ ﻓﻲ ﻏﺰة.pdf (Translation: Haniyeh will remain abroad and Hamas rises in Gaza.pdf) | 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e |

_Document uploaded to VirusTotal on 20/01/2020 from the Palestinian territories._

_Phishing document luring the readers to click on a malicious link._

The target is encouraged to click on the link to read the entire article. However, the document does not link to the Egyptian newspaper's website, but instead to a file sharing website called [Egnyte](https://www.egnyte.com/). It prompts the user to download a file that supposedly contains the full article.

_Link embedded in the PDF document: hxxps://csaasd.egnyte[.]com/dd/h5s7YHzOy5_

The downloaded file is an archive file (.r23) that contains a Windows executable file with the same name as the PDF and with a fake Microsoft Word icon.
| SHA-256 | File Name |
|---|---|
| e8d73a94d8ff18c7791bf4547bc4ee2d3f62082c594d3c3cf7d640f7bbd15614 | ﻫﻨﯿﺔ ﺳﯿﻘﯿﻢ ﻓﻲ اﻟﺨﺎرج و ﺣﻤﺎس ﺗﺼﻌﺪ ﻓﻲ ﻏﺰة.r23 (Haniyeh will remain abroad and Hamas steps up in Gaza.r23) |
| 7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128 | ﻫﻨﯿﺔ ﺳﯿﻘﯿﻢ ﻓﻲ اﻟﺨﺎرج و ﺣﻤﺎس ﺗﺼﻌﺪ ﻓﻲ ﻏﺰة.exe (Haniyeh will remain abroad and Hamas steps up in Gaza.exe) |

_Spark backdoor dropper file masquerading as a Word document using a fake icon._

When the victim double-clicks the executable file, it unpacks and installs the Spark backdoor, as shown in the attack tree screenshot below.

_Installation process of the Spark backdoor, as shown in Cybereason's attack tree._

## Backdoor Installation: AutoIt Dropper

The extracted executable file contains a compiled AutoIt script, which can be seen in the RT_RCDATA section of the file.

_AutoIt indications found in the binary resources of the dropper (SHA-256: 7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128)._

The decompiled code shows the decryption routine that unpacks the embedded Spark backdoor.

_Excerpt from the decompiled AutoIt script where it unpacks the Spark backdoor._

Once the file is unpacked, the backdoor is dropped in two different locations on the infected operating system:

```
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runawy.exe
C:\Users\user\runawy.exe
```

In addition, the AutoIt code also creates the following scheduled task for persistence:

```
SCHTASKS /Create /f /SC minute /TN runawy /mo 5 /tr C:\Users\\runawy.exe
```

_Excerpt from the decompiled AutoIt script where it installs the backdoor and creates persistence._
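A defender-side check for the persistence pattern just described, added here as an example written for this post (it is not Cybereason's tooling or the dropper's code): it parses schtasks command lines from process-creation telemetry and file paths written into a Startup folder, both constructed sample data, and flags the combination the AutoIt dropper produces. The 15-minute interval threshold is an assumption.

```python
import re

# Constructed sample telemetry (not from the post). The first command line and the
# first two paths reproduce what the AutoIt dropper does; the rest are benign noise.
SAMPLE_CMDLINES = [
    "SCHTASKS /Create /f /SC minute /TN runawy /mo 5 /tr C:\\Users\\user\\runawy.exe",
    'schtasks /Create /SC DAILY /TN "Nightly Backup" /tr "C:\\Program Files\\Acme\\backup.exe"',
    "schtasks /Query /TN runawy",
]
SAMPLE_PATHS = [
    "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe",
    "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Blaster.lnk",
    "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.ini",
    "C:\\Users\\user\\AppData\\Roaming\\Blaster.exe",
]

MAX_MINUTES = 15  # assumed threshold: legitimate software rarely schedules itself this often
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
STARTUP_RUNNABLE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(exe|lnk|bat|cmd|vbs|js|ps1)$", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted token or a bare token


def parse_schtasks(cmdline):
    """Map a schtasks command line to {flag: value}; flags are lower-cased,
    and value-less flags such as /create or /f map to True."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    flags, i = {}, 1  # tokens[0] is the program name
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                flags[key] = tokens[i + 1]
                i += 2
                continue
            flags[key] = True
        i += 1
    return flags


def task_findings(cmdline):
    """Reasons a schtasks invocation resembles the dropper's persistence task;
    an empty list means nothing notable."""
    flags = parse_schtasks(cmdline)
    if "create" not in flags:
        return []
    reasons = []
    if str(flags.get("sc", "")).lower() == "minute":
        try:
            interval = int(flags.get("mo", 1))
        except ValueError:
            interval = 1
        if interval <= MAX_MINUTES:
            reasons.append(f"runs every {interval} minute(s)")
    action = flags.get("tr")
    if isinstance(action, str) and USER_PROFILE.match(action):
        reasons.append("task action lives under a user profile")
    if "f" in flags:
        reasons.append("/f silently replaces an existing task of the same name")
    return reasons


def startup_drops(paths):
    """Paths written into a Startup folder with an extension Windows runs at logon."""
    return [p for p in paths if STARTUP_RUNNABLE.search(p)]


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmd, "->", task_findings(cmd))
    print(startup_drops(SAMPLE_PATHS))
```

Feeding real Sysmon event 1 (process creation) and event 11 (file creation) records into these two functions is the intended use; the three findings together are what the dropper's task looks like.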
## Example 2: Dropper with a Decoy Document

During our investigation, we found the following executable file.

| File name | SHA-256 |
|---|---|
| ﺗﻘﺮﯾﺮ ﻣﻌﻠﻮﻣﺎت ﻓﻮري.exe (Urgent Information Report.exe) | 6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47 |

The executable has a Microsoft Word icon to trick victims into believing they are opening a Word document.

_Spark backdoor dropper file masquerading as a Word document using a fake icon._

Once the user double-clicks the executable file, the dropper drops a Word document in %AppData% and displays the following decoy document to the victim, while the dropper runs in the background and installs the backdoor.

| Decoy Document Name and Path | SHA-256 |
|---|---|
| %appdata%\info.docx | 2c50eedc260c82dc176447aa4116ad37112864f4e1e3e95c4817499d9f18a90d |

_The decoy document presented to the user, titled "Urgent Information Report" in Arabic._

The dropper drops the Spark backdoor binary and a shortcut file used to initiate persistence in the following locations.

| File name | SHA-256 |
|---|---|
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Blaster.lnk | 4254dc8c368cbc36c8a11035dcd0f4b05d587807fa9194d58f0ba411bfd65842 |
| C:\Users\user\AppData\Roaming\Blaster.exe | cf32479ed30ae959c4ec8a286bb039425d174062b26054c80572b4625646c551 |

_Cybereason UI: The attack tree displaying the Spark backdoor infection chain._

## Spark Backdoor Analysis

The Spark payload is a custom backdoor likely developed by the MoleRATs group. In addition to known generic malware (such as [njRAT](https://attack.mitre.org/software/S0385/), [Poison Ivy](https://attack.mitre.org/software/S0012/), [XtremeRAT](https://www.sans.org/reading-room/whitepapers/malicious/xtremerat-unicode-breaks-35897)), the MoleRATs group has been known to develop its own custom tools such as DustySky, the [MoleRAT Loader](https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader) and [Scote](https://unit42.paloaltonetworks.com/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/). We believe this backdoor is relatively new and seems to have appeared starting in the beginning of 2019.

The name Spark is derived from the PDB path left in a few of the backdoor binaries:

```
W:\Visual Studio 2017\Spark4.2\Release\Spark4.2.pdb
```

The Spark backdoor allows the attackers to:

- Collect information about the infected machine.
- Encrypt the collected data and send it to the attackers over the HTTP protocol.
- Download additional payloads.
- Log keystrokes.
- Record audio using the computer's microphone.
- Execute commands on the infected machine.

The creators of the Spark backdoor use a few techniques that are intended to keep the backdoor under the radar, including:

- Packing the payloads with the Enigma packer.
- Checking for antivirus and other security products using WMI.
- Validating Arabic keyboard and language settings on the infected machine.

## Enigma Packer

All the payloads observed by Cybereason in this campaign were packed by a powerful commercial packer called [Enigma Packer](https://enigmaprotector.com/en/home.html). The MoleRATs group has been known to [use this packer in previous attacks](https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-themiddle-east-en/).

_Enigma packer artifacts in file metadata (SHA-256: b08b8fddb9dd940a8ab91c9cb29db9bb611a5c533c9489fb99e36c43b4df1eca)._

## Checking for Security Products

One common evasive mechanism used by the Spark backdoor is its ability to check for installed security products using WMI queries (WQL). If certain security products are installed, the backdoor does not carry out its malicious activity.

```
SELECT * FROM AntiVirusProduct
SELECT * FROM FirewallProduct
```

## Checking for the Arabic Language

Another evasive mechanism used by the backdoor is its check of whether an Arabic keyboard and Arabic language settings are used on the infected machine.
If Arabic keyboard and language settings are not found on the machine, the backdoor will not carry out its malicious activity. This check serves two purposes:

1. It minimizes the risk of overexposure by specifically targeting Arabic speakers.
2. It can thwart detection by automated analysis engines and sandbox solutions.

_Enumerating installed keyboards on the infected machine._

_Obtaining locale information from the infected machine._

_Comparing the results of the language checks with the word Arabic._

## Using a Hidden Window

After unpacking itself, the Spark backdoor creates a hidden window where most of the malicious activity is handled.

_Creation of the hidden window, using the value 0 for the ShowWindow function to hide the window._

This behavior can be detected using a tool called [WinLister](https://www.nirsoft.net/utils/winlister.html), which enumerates hidden windows. The name of the window is Spark4.2.

## C2 Communication

The Spark backdoor communicates with the C2 servers over the HTTP protocol. The data is first encrypted and then encoded with Base64. In this instance, the backdoor posts the data to the domain nysura[.]com (for more domains, please see the IOC section of this research). It is interesting to see that the HTTP POST Host header refers to a legitimate domain, cnet.com; however, in actuality the data is sent to nysura[.]com, as can be seen in the traffic screenshot below.

_The Spark backdoor sends data to the C2 server._

The data sent to the C2 follows a structured pattern that uses a predefined keyword array, where each keyword is mapped to a certain subroutine. The keywords are comprised of the names of individuals. They are mostly Western names, but there were some Arabic names in a few of the samples.
_Keywords comprised of names used by the backdoor._

Prior to sending the data to the server, the data is encrypted and staged in an array like this:

```
[27089,28618,9833,4170,25722,19977,2369,21426,3435,7442,30146,21719,16140,16280,16688,22550,19867,194,3298]
```

The data is then encoded with Base64:

```
WzI3MDg5LDI4NjE4LDk4MzMsNDE3MCwyNTcyMiwxOTk3NywyMzY5LDIxNDI2LDM0MzUsNzQ0MiwzMDE0NiwyMTcxOSwxNjE0MCwxNjI4MC
```

The Base64-encoded data is inserted into the following [JSON](https://en.wikipedia.org/wiki/JSON) object, which contains the individual names.

_JSON object containing the Base64-encoded data._

Lastly, the entire JSON object is encoded with Base64 and undergoes another stage of encryption, and is then sent to the server:

```
ZjRTc1dTTU9nVW5FaXM3bGgvbU90MTlVMHFkb1c5SFFuRXhhSVR5YytIQkZremk3bk5wY21BUEZRYitJenA1cnlJY1lxREJJZ1RrL0N4UzZWcVV
```

Using names as keywords is an identical technique to the data structure logic previously documented by [360's blog post](http://webcache.googleusercontent.com/search?q=cache:https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/). That post discusses an earlier variant of the backdoor attributed to the MoleRATs group. Using other individuals' names for C2 communication has also been done by the two other Gaza Cybergang groups:

- **Gaza Cybergang Group 2 with the [Micropsia backdoor](https://blog.talosintelligence.com/2017/06/palestine-delphi.html):** In this instance, the C2 communication implemented by the Micropsia backdoor also used specific names for different C2 commands.
- **Gaza Cybergang Group 3 in [Operation Parliament](https://securelist.com/operation-parliament-who-is-doing-what/85237/):** In this instance, the malware also used people's names for C2 communication to send and receive commands from the server.
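A traffic-triage helper for the two observations in this section, added here as an example written for this post (not Cybereason's tooling or the backdoor's code): it flags requests whose Host header names a different server than the one the connection actually reached, and it rebuilds and then peels the staging layers described above (integer array to compact JSON to Base64, placed under a keyword in a JSON object, then Base64 again). The log lines and the keyword "Michael" are constructed; the two encryption passes are not documented here, so they are left out and only the encoding layers are modelled.

```python
import base64
import json
import re

# Constructed proxy-style log lines (not from the post): the server the connection
# actually reached, then the HTTP Host header the client sent. Spark POSTs to its C2
# while naming cnet.com in the Host header, which is what the first line reproduces.
SAMPLE_LOG = """\
2020-01-20T10:15:01Z 10.0.0.12 -> nysura[.]com:80 POST / host=cnet.com
2020-01-20T10:15:07Z 10.0.0.12 -> www.cnet.com:443 GET / host=www.cnet.com
2020-01-20T10:16:44Z 10.0.0.31 -> update.example.test:80 POST / host=update.example.test
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):\d+ (?P<method>\S+) \S+ host=(?P<host>\S+)$")

# The staged integer array quoted in the post (the data is already encrypted at this point).
PAGE_ARRAY = [27089, 28618, 9833, 4170, 25722, 19977, 2369, 21426, 3435, 7442, 30146,
              21719, 16140, 16280, 16688, 22550, 19867, 194, 3298]


def host_mismatches(log_text):
    """Return (timestamp, destination, host_header) for every request whose Host
    header does not name the server the connection went to."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the sample format
        dst = m["dst"].replace("[.]", ".").lower()  # undo the defanged notation
        host = m["host"].lower()
        if dst != host:
            hits.append((m["ts"], dst, host))
    return hits


def stage_array(values):
    """Layer 1: the integer array as compact JSON text, then Base64."""
    return base64.b64encode(json.dumps(values, separators=(",", ":")).encode()).decode()


def build_envelope(values, keyword):
    """Layer 2: place the Base64 array under one keyword (a person's name in the real
    samples; the caller's keyword here is a constructed placeholder) and Base64 the object."""
    obj = json.dumps({keyword: stage_array(values)}, separators=(",", ":"))
    return base64.b64encode(obj.encode()).decode()


def decode_envelope(blob):
    """Peel both layers back. Returns (keyword, list_of_ints), or None when the blob
    does not have this shape, so it can be run over arbitrary POST bodies safely."""
    try:
        obj = json.loads(base64.b64decode(blob, validate=True))
        if not isinstance(obj, dict) or len(obj) != 1:
            return None
        (keyword, inner), = obj.items()
        values = json.loads(base64.b64decode(inner, validate=True))
    except (ValueError, TypeError):
        return None
    if not (isinstance(values, list) and all(type(v) is int for v in values)):
        return None
    return keyword, values


if __name__ == "__main__":
    print(host_mismatches(SAMPLE_LOG))
    envelope = build_envelope(PAGE_ARRAY, "Michael")
    print(envelope)
    print(decode_envelope(envelope))
```

On live traffic the outer encryption has to be removed first; the Base64 prefix the post quotes is exactly what stage_array produces for the quoted array, which is a cheap way to confirm a sample uses this staging.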
Based on the similarity of the naming convention and data format, we believe the Spark backdoor could be an evolution of the backdoor mentioned in Operation Parliament, or at least inspired by that malware.

## Conclusion

The Spark campaign detailed in this blog demonstrates how the tense geopolitical climate in the Middle East is used by threat actors to lure victims and infect them with the Spark backdoor for cyber espionage purposes. The names of the files and decoy content seem to be carefully crafted, often referencing controversial and topical political issues. Cybereason estimates that the files are specifically meant to lure and appeal to victims from the Middle East, especially individuals and entities in the Palestinian territories likely related to the Palestinian government or the Fatah movement.

The techniques, tools, and procedures used in this campaign bear great resemblance to previous attacks attributed to the MoleRATs group (aka Gaza Cybergang), an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.

Our research demonstrates the efforts attackers make to reduce the risk of detection of the Spark backdoor by various security products. The backdoor checks for the existence of antivirus and firewall products before it initiates its malicious activity. Importantly, the backdoor simply will not reveal its malicious nature unless an Arabic language keyboard and settings are found on the infected machine. This shows how the attackers use this backdoor in a surgical way to exclusively attack specific targets.

In addition, analysis of these backdoor delivery methods also highlights a trend among many threat actors of using legitimate storage platforms to deliver the initial stages of the attack. By storing malicious content on trusted platforms like Dropbox, attackers reduce the risk of detection by certain security solutions that are gaining popularity, like email filters.
[Part 2: The Discovery of the New, Mysterious Pierogi Backdoor](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor)

## Cybereason Detection, Visibility, and Prevention

Cybereason prevents and detects the attacks mentioned in this research.

_Cybereason UI: The attack tree showing the installation of the Spark backdoor._

Cybereason's Next-generation Antivirus can detect and prevent the Spark backdoor.

_(SHA-256: 5139a334d5629c598325787fc43a2924d38d3c005bffd93afb7258a4a9a8d8b3)_

The file (pdf.exe) was automatically blocked by NGAV.

_Cybereason agent blocks the execution of the Spark backdoor._

## Indicators of Compromise

[Click here to download the MoleRATs IOCs (PDF)](https://www.cybereason.com/hubfs/MoleRATs%20IOCs%20(updated).pdf)

## MITRE ATT&CK BREAKDOWN

| Tactic | Techniques |
|---|---|
| Initial Access | Spearphishing Attachment, Spearphishing Link |
| Execution | CommandLine Interface, Scheduled Task, [Scripting](https://attack.mitre.org/techniques/T1064), User Execution |
| Persistence | Scheduled Task, Registry Run Keys / Startup Folder, Startup Items, Shortcut Modification |
| Privilege Escalation | Bypass User Account Control |
| Defense Evasion | Bypass User Account Control, Deobfuscate/Decode Files or Information, Disabling Security Tools, [File Deletion](https://attack.mitre.org/techniques/T1107), [Software Packing](https://attack.mitre.org/techniques/T1045), [Masquerading](https://attack.mitre.org/techniques/T1036), Evade Analysis Environment |
| Discovery | Security Software Discovery, System Information Discovery, [User Discovery](https://attack.mitre.org/techniques/T1033/), Virtualization/Sandbox Discovery |
| Collection | Automated Collection, Screen Capture |
| C&C | Web Service, Data Encoding, Remote File Copy |
| Exfiltration | Data Encrypted |

## About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world's brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe.
They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)