New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
Common Information
Type | Value
UUID | 9d11719f-a7bf-4059-9366-c61af046fa98
Fingerprint | bc0d26f2a93683e0
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | March 30, 2023, 2:20 p.m.
Added to db | April 3, 2023, 12:58 p.m.
Last updated | Nov. 18, 2024, 1:38 a.m.
Headline | New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
Title | New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
Detected Hints/Tags/Attributes | 96/4/141
RSS Feed
Id | Feed title | Url | Added to db
99 | Cyware News - Latest Cyber News | https://cyware.com/allnews/feed | 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 4 | titlecontractdocs.zip
Domain | 4 | jrclientcopy3122.zip
Domain | 2 | fieldsgovtcopy2021.zip
Domain | 2 | panyangfederalustaxdocs.zip
Domain | 30 | pdf.zip
Domain | 3 | forensicitguy.github.io
Domain | 2 | www.rocketcyber.com
File | 4 | titlecontractdocs.zip
File | 4 | jrclientcopy3122.zip
File | 3 | files.pdf
File | 2 | sammenstyrtningens242.vbs
File | 2 | c:\windows\tasks\tepolerd.vbs
File | 4 | info.pdf
File | 2 | c:\users\public\infos.pdf
File | 1209 | powershell.exe
File | 16 | ieinstal.exe
File | 2 | tax.jpg
File | 2 | jrclientcopy3122.pdf
File | 2 | bettygildoc.pdf
File | 2 | titlecontractdocs.pdf
File | 2 | fieldsgovtcopy2021.pdf
File | 2 | paulajonesclienttaxs2022.pdf
File | 2 | brentfisherustax.pdf
File | 8 | 2022.pdf
File | 2 | doc436985.pdf
File | 2 | 1040.pdf
File | 2 | _beaumont_taxdocuments.pdf
File | 4 | information.pdf
File | 2 | chargeback_dispute_details.pdf
File | 2 | _moretz_taxdocuments.pdf
File | 2 | fieldsgovtcopy2021.zip
File | 2 | saxton_returns.zip
File | 2 | 2022_docs.zip
File | 2 | brentfisher_fedtaxes.zip
File | 2 | panyangfederalustaxdocs.zip
File | 2 | fedtax_docs_brentf.zip
File | 2 | chargeback_dispute_details.zip
File | 3 | leekish.vbs
File | 5 | safe.exe
File | 2 | kriminalromaners.vbs
File | 2 | untuber88.vbs
File | 2 | vejlensisk90.vbs
File | 2 | blotlg.vbs
File | 2 | jubilets1.vbs
File | 2 | tepolerd.vbs
File | 2 | hygiastic.ps
File | 2 | pilhenv.vbs
File | 2 | sammenstyrtningens242a.vbs
File | 2 | categ31.xlsx
File | 2 | eksegese64.vbs
File | 2 | eksegese641.vbs
File | 2 | petyusayzfzgci67nw.ps
File | 2127 | cmd.exe
File | 5 | interopservices.dll
File | 2 | many-faces-of-ip-address.html
sha256 | 2 | 0d1dad9f09654d9f111e2e4d9451708237f2129cb674c380057938ea7a7ba4bf
sha256 | 2 | 5ac2a9e27896c467eb5363ab24c931a5b721c3a715590441a936eb49b06dfb3e
sha256 | 2 | 1dc173bba60254b915f8fa88f2ee5730f8d9ba3919ffa7c7a3cc28c3728c43ec
sha256 | 2 | ff6c37680217620045135d6ec7ac0f7ca7560d8e189c701837f335e45d3213de
sha256 | 2 | 2893eab39fa7bd0db75cb5657565e04f1a438e6397f7fd2990f0a03e9954bbc0
sha256 | 2 | fc06588222dd51a08f9359e5d6ce9ee8c2ae90ff700533bc47d2ab4ead0071e8
sha256 | 2 | 562ec1673c90fd1932f60b0f4e26e02a059347b88aa2d8fc0bddd058427d6946
sha256 | 2 | 86a3eea0abb10bdcac6a00b9bdf1d76a408fbdd27db8be389757e069a2855f11
sha256 | 3 | 63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8
sha256 | 3 | 23597910ec60cf8b97144447c5cddd2e657d09e2f2008d53a3834b6058f36a41
sha256 | 2 | 76c22709a51448a508852f449d1b756d45754150093d6a5fb5eaef34673bbd82
sha256 | 2 | 0cea74786657ad2094759e2a512a648efecf9a33d6ce3ee0c7ac1840dbf276cc
sha256 | 2 | ab1eb7454d2cc5549c4c09422cdeb2fbf9254a977a42b03ca887a42d4e66f84e
sha256 | 2 | 6e3b660bd913e1bd538811501fbc42ad9f4786c8258b7120e76d671c23252403
sha256 | 2 | 46c5b1f2090450b537389b1e221f7264a460fe47387e746555ba0543c0782ef9
sha256 | 2 | e72dc71684d57785129e128b05212467e528912106c8fe63c25baacbf0340ea5
sha256 | 2 | 907756fb841a1ed62e245a9d97b8c8ead78fa4fb6ec4357088f283e8db4f62f4
sha256 | 2 | e45adb5a0dcfde2f3a70d2d4e91d6bcaec54858c61f0ecce3fc76d8cf6cf12e6
sha256 | 2 | 4080b180ba4b33becc75686bc7f739a7d0ca6df446f3f6749bcd7a356c76ce66
sha256 | 2 | 1b3d2a6e04de259510090506a7357bdeced4f8c2c95607359837b105409abad0
sha256 | 2 | f79c1d0ddadc7222e3eaa82416f515ef263ae6b3ba2a8d87f4f458b2ef98e8ea
sha256 | 2 | 34bdc88439fa6c06be4fa4b8a1747366157e71f196a20686366b8dacaf9e3ffc
sha256 | 2 | 2f2892ce3885179c5ddd3ced5f8e3ae5f890ed0cef989f62a0285de136e31fa3
sha256 | 2 | 8ab6933a480b546996a19daa13a7b5b0429099bfea57d42055f97fe9d3e251cf
sha256 | 2 | e4a600fe6f9928350d460b97162569d32e6acf70c7fe3ada68cbb6e861eeb972
sha256 | 2 | a639cb71f6f021a531d79c4ec2c9b22c5244874f6c959135d843e1db3476b1f4
sha256 | 2 | d562a9e5cd1dc88de6308986d68edfd90dd0111f7971ec252dd09f12eb2f8b1a
sha256 | 3 | 7bd663ea34e358050986bde528612039f476f3b315ee169c79359177a8d01e03
sha256 | 2 | 057b1da6363eedc2156003b8547ac57116793278b0b0b21767cc05fc8b143b99
sha256 | 2 | 6e641de68bfd6ab98e297704ab27f784cde401eaaa2d3f7d8653553c60f977da
sha256 | 2 | 85e27758a4ed4b7754b8003de1313540678f216bd21d883f03c2512bc89c32dc
sha256 | 2 | 000bc200b6ba104ac05dcbcb9b54a4f9610d8190ab5f9a4a1a5b189b0057f006
sha256 | 3 | c914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73
sha256 | 2 | a373f01a9cd3e3db683ab892027c1a529bdb7f1f8a8c114be940cd10a27366c7
sha256 | 2 | cf55584023a70e43ec2637532cc8150c00f007825f705ef07dcef39c9f6b74ef
sha256 | 2 | 88b917c71897d8d516a5386818e83a62cc210fd52b52ee069875e56d5142e015
sha256 | 2 | ef7fb7af43f7ce46209da523f6b168de225694760f2e8243158d65beb31827de
sha256 | 2 | 0dabff6f0dd86d59a869f2633f4eebc31a96b70bf90ed8e766ca22b49f68459c
sha256 | 2 | e5fd42c20d0c95edd3e1d12ddc4ddbe99a4f2adecfe0a14250ded98f189599a1
sha256 | 2 | ffe477577469c87c606e0cbd9d0da68446cd8d895e4f4ab0a083f0a05ac8ab20
sha256 | 2 | 20d129d8ad727dc816fac7ab3dc4d3d3f3666220822de0d722db763fa138a246
sha256 | 2 | 09b1fd66b0ec4b57861db145bf4cefff0ee5634eb5a156d04d04f8495d309dab
sha256 | 2 | 0a542e1d7444df99461de2ca49a3859aa1a35b458f8f77b205aea0d14e6620a2
sha256 | 2 | 73e714ee977ba7c4cd32f52539f94031b52fcaa90448ceaeb910fd22932e9d4e
sha256 | 2 | c5be50f35fbda3fd8b996659fe3b1a648ac3eb4ded45825a0c158a1303cdae5a
sha256 | 2 | dd7e1d8f39581e3f90e51e082e11344eed2668c0377439d769ddf5422b4c66fb
sha256 | 2 | 27806a2c2a1246965d0e15d20dc6f3d46df0cb242c3296311f40dd63991cd02c
sha256 | 2 | 149ee334dc6cd0593aec294f405a9390623ab198080b476122433048402f93b4
sha256 | 2 | fc1f9fc56f9b87242d205d67c40e5772c0a510650d83f1b7429dd037754c8eaf
sha256 | 2 | 34a689fc4ca1f0b001bee4b0640487e98fce0c67ec67cdf076d86efe9b10072f
sha256 | 2 | ef1065677b256644113648caa26d75512bea881c4953396da561eae8231f56f3
sha256 | 2 | 926fe7f70c86b5c16a632344191820206772f8c53ac075446b138d209a1bf22a
sha256 | 2 | 87dc4e513a7023f1b8d38499c6fede4e6ab7ec563e1f0dbbd5e9b365e213d145
sha256 | 2 | 18d7be1dfaed274670ea6cdd3d45e864cdca173d5e71753dc69910334d0a92fa
sha256 | 2 | 2cf0f2c5d665438ac31a6b2880cd8ff637e7d4339781b5f2d26e7bc6058b737f
sha256 | 2 | e1c6e7d919eebe7cf75d5acbae975bb4ad3c760ff303714297e9f7072df582d0
sha256 | 2 | e587fb76c736b268fca167994649b09401fef04a433f6c28480c315c83181e24
sha256 | 2 | f2d64f2cc3902c13e457656c06e2af1b4e11ec3f60e3ebc5d8f9e7bb3e673296
sha256 | 2 | c8be839ed95d6bcfd484ba7a9389ba0a56cfd8841c9fde04fe5651ed853bee1a
sha256 | 2 | f0382214714adc0d3c71fc5cd63f99f17f6a2e0a3cf45378cdaf236770793d65
sha256 | 2 | 4dbd53b7ce4753778b1c2375a21fc4641e36d57880579779b376d4d8b591c6f7
sha256 | 2 | e03e3c2c78a20a58e6b9546f62dce95233362eee7534785ce0b79f7f0886ba5b
sha256 | 2 | 6e5163d9b9992847cab46d48c691c2a04f6d01e5b430dea02aa2a8119c299047
IPv4 | 3 | 208.67.222.123
IPv4 | 3 | 5.8.8.100
IPv4 | 10 | 194.180.48.211
IPv4 | 3 | 109.206.240.67
MITRE ATT&CK Techniques | 409 | T1566
MITRE ATT&CK Techniques | 310 | T1566.001
MITRE ATT&CK Techniques | 365 | T1204.002
MITRE ATT&CK Techniques | 460 | T1059.001
MITRE ATT&CK Techniques | 333 | T1059.003
MITRE ATT&CK Techniques | 137 | T1059.005
MITRE ATT&CK Techniques | 106 | T1204.001
MITRE ATT&CK Techniques | 4 | T1055.009
MITRE ATT&CK Techniques | 91 | T1620
MITRE ATT&CK Techniques | 130 | T1573.001
MITRE ATT&CK Techniques | 492 | T1105
MITRE ATT&CK Techniques | 422 | T1041
Url | 2 | http://5.8.8.100/signal/traverser.dwp
Url | 2 | http://194.180.48.211/oy
Url | 3 | http://194.180.48.211/zarath
Url | 2 | https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022
Url | 2 | https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon
Url | 2 | https://www.hacksparrow.com/networking/many-faces-of-ip-address.html#2
Url | 2 | https://www.rocketcyber.com/blog-cyber-cases-from-the-soc-fileless-malware-kovter