Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors
Common Information
Type | Value
UUID | 4b8eeee2-831b-4b09-ac68-efd7324023f3
Fingerprint | f00d8df2413babce
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | Sept. 28, 2022, 3:33 p.m.
Added to db | Jan. 16, 2023, 3:54 p.m.
Last updated | Nov. 17, 2024, 6:56 p.m.
Headline | Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors
Title | Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors
Detected Hints/Tags/Attributes | 93/4/53
Attributes
Type | #Events | Value
Domain | 2 | terma.dev
Domain | 107 | system.management
Domain | 1 | terma.vip
Domain | 3 | terma.app
Domain | 1 | terma.icu
Domain | 2 | terma.wiki
Domain | 1 | terma.pics
Domain | 1 | terma.lol
Domain | 2 | terma.ink
Domain | 1 | cobham-satcom.onrender.com
Domain | 1 | onrender.com
Domain | 145 | threatpost.com
Domain | 58 | www.cloudflare.com
Domain | 12 | www.mdsec.co.uk
Domain | 32 | lolbas-project.github.io
Domain | 10 | pentestlab.blog
Domain | 12 | www.blackhillsinfosec.com
File | 2 | benefits.pdf
File | 2125 | cmd.exe
File | 1208 | powershell.exe
File | 3 | tracing.ps
File | 33 | forfiles.exe
File | 97 | mpcmdrun.exe
File | 249 | schtasks.exe
File | 18 | pcalua.exe
File | 9 | wsreset.exe
File | 4 | header.png
File | 15 | powershell.core
sha256 | 1 | da0888f06b2e690a3a4f52f3b04131f7a181c12c3cb8e6861fc67ff062beef37
sha256 | 1 | 691c0a362337f37cf6d92b7a80d7c6407c433f1b476406236e565c6ade1c5e87
IPv4 | 1 | 28.199.53.243
IPv4 | 1 | 165.227.139.39
MITRE ATT&CK Techniques | 409 | T1566
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 504 | T1140
MITRE ATT&CK Techniques | 534 | T1005
MITRE ATT&CK Techniques | 550 | T1112
MITRE ATT&CK Techniques | 460 | T1059.001
MITRE ATT&CK Techniques | 310 | T1047
MITRE ATT&CK Techniques | 207 | T1547
MITRE ATT&CK Techniques | 480 | T1053
MITRE ATT&CK Techniques | 275 | T1053.005
Url | 1 | https://terma.dev/0
Url | 1 | https://threatpost.com/powershell-payload-analysis-malware/165188
Url | 1 | https://www.cloudflare.com/learning/cdn/what-is-a-cdn
Url | 2 | https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion
Url | 1 | https://lolbas-project.github.io/lolbas/binaries/pcalua
Url | 1 | https://lolbas-project.github.io/lolbas/binaries/wsreset
Url | 1 | https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription
Url | 1 | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2
Url | 1 | https://www.blackhillsinfosec.com/getting-started-with-sysmon
Windows Registry Key | 2 | HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
Windows Registry Key | 4 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
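The attribute table above is auto-extracted and mixes real campaign indicators with the advisory's own citations: threatpost.com, www.cloudflare.com, lolbas-project.github.io and the other reference domains are links from the write-up, not infrastructure, and the second registry key is the PowerShell Script Block Logging policy key referenced for detection, not something the malware touches. Feeding the raw table into a blocklist would therefore produce false positives. The script below is an added example (written for this page, not code from Securonix or from the indexing site) that splits the table into an indicator set and a reference set, then matches the indicators against endpoint events. It assumes a simple event shape (dns / net / file / registry / process records), treats "system.management" as the .NET namespace mis-read as a domain, and adds one heuristic of its own: a listed LOLBin (pcalua.exe, wsreset.exe, forfiles.exe, mpcmdrun.exe, schtasks.exe) spawning cmd.exe or powershell.exe. That pairing is the author's choice, not a rule the advisory states. All event records are constructed for the demonstration.

```python
"""Match the STEEP#MAVERICK attribute table against sample endpoint telemetry.

Indicator values are copied from the table on this page. The event records
are constructed for the demonstration; none come from the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass
from ntpath import basename  # handles Windows paths on any OS

# High-fidelity indicators from the table: campaign domains, the onrender.com
# host, the two IPs, the two sample hashes and the hijacked protocol-handler key.
C2_DOMAINS = {
    "terma.dev", "terma.vip", "terma.app", "terma.icu", "terma.wiki",
    "terma.pics", "terma.lol", "terma.ink", "cobham-satcom.onrender.com",
}
C2_IPS = {"28.199.53.243", "165.227.139.39"}
SAMPLE_SHA256 = {
    "da0888f06b2e690a3a4f52f3b04131f7a181c12c3cb8e6861fc67ff062beef37",
    "691c0a362337f37cf6d92b7a80d7c6407c433f1b476406236e565c6ade1c5e87",
}
WATCHED_REG_KEYS = {  # stored lower-case with the short hive name
    r"hkcu\software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command",
}
# Binaries from the table that exist on every Windows host. Alone they are
# noise; the rule only fires when a LOLBin launches a shell (author's
# assumption, not a rule stated by the advisory).
LOLBINS = {"forfiles.exe", "mpcmdrun.exe", "pcalua.exe", "wsreset.exe", "schtasks.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Table entries that are only the advisory's citations, plus
# "system.management" (assumed to be the .NET namespace, not a domain) and
# bare onrender.com (shared PaaS). Kept so nobody turns the table into a blocklist.
REFERENCE_DOMAINS = {
    "threatpost.com", "www.cloudflare.com", "www.mdsec.co.uk",
    "lolbas-project.github.io", "pentestlab.blog", "www.blackhillsinfosec.com",
    "system.management", "onrender.com",
}


@dataclass(frozen=True)
class Event:
    kind: str   # dns | net | file | registry | process
    host: str
    data: dict


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def match_domain(qname: str) -> str | None:
    """Return the C2 domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for dom in C2_DOMAINS:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def normalize_reg_key(key: str) -> str:
    """Fold case and hive aliases so HKEY_CURRENT_USER\\x and HKCU\\x compare equal."""
    k = key.strip().lower()
    for long, short in (("hkey_current_user", "hkcu"), ("hkey_local_machine", "hklm")):
        if k.startswith(long + "\\"):
            k = short + k[len(long):]
    return k


def check_event(ev: Event) -> list[Alert]:
    """Apply the indicator sets to one event and return any alerts raised."""
    out: list[Alert] = []
    if ev.kind == "dns":
        hit = match_domain(ev.data["query"])
        if hit:
            out.append(Alert(ev.host, "c2-domain", f"{ev.data['query']} -> {hit}"))
    elif ev.kind == "net" and ev.data["dst_ip"] in C2_IPS:
        out.append(Alert(ev.host, "c2-ip", ev.data["dst_ip"]))
    elif ev.kind == "file" and ev.data["sha256"].lower() in SAMPLE_SHA256:
        out.append(Alert(ev.host, "known-sample", ev.data["path"]))
    elif ev.kind == "registry" and normalize_reg_key(ev.data["key"]) in WATCHED_REG_KEYS:
        out.append(Alert(ev.host, "watched-registry-key", ev.data["key"]))
    elif ev.kind == "process":
        image = basename(ev.data["image"]).lower()
        parent = basename(ev.data.get("parent_image", "")).lower()
        if parent in LOLBINS and image in SHELLS:
            out.append(Alert(ev.host, "lolbin-spawns-shell", f"{parent} -> {image}"))
    return out


def scan(events) -> list[Alert]:
    """Run check_event over a sequence of events, preserving event order."""
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry: five records should alert, two should not.
SAMPLE_EVENTS = [
    Event("dns", "ws01", {"query": "api.terma.dev."}),          # subdomain of a C2 domain
    Event("dns", "ws01", {"query": "threatpost.com"}),          # citation only, stays quiet
    Event("net", "ws01", {"dst_ip": "165.227.139.39", "dst_port": 443}),
    Event("file", "ws02", {"path": r"C:\Users\u\Downloads\sample.bin",
                           "sha256": "DA0888F06B2E690A3A4F52F3B04131F7A181C12C3CB8E6861FC67FF062BEEF37"}),
    Event("registry", "ws02", {"key": r"HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"}),
    Event("process", "ws02", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "parent_image": r"C:\Windows\System32\pcalua.exe"}),
    Event("process", "ws03", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "parent_image": r"C:\Windows\explorer.exe"}),  # ordinary use, no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host:5} {alert.rule:22} {alert.detail}")
```

Domain matching is suffix-based so that any host under a listed domain (the table shows https://terma.dev/0, so paths and subdomains under terma.* are in scope) is caught, while bare onrender.com is deliberately left out because only the cobham-satcom host is attributable. Registry keys are compared after hive-name and case folding, since Sysmon and EDR products disagree on whether they emit HKCU or HKEY_CURRENT_USER.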