Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
Tags
cmtmf-attack-pattern: Application Layer Protocol; Automated Exfiltration; Boot Or Logon Autostart Execution; Command And Scripting Interpreter; Exploit Public-Facing Application; Obfuscated Files Or Information; Traffic Distribution
country: Austria, China, Czechia, North Korea, Iran, South Korea, Panama, Poland, Vietnam, United Kingdom, United States Of America, U.S. Virgin Islands
maec-delivery-vectors: Watering Hole
attack-pattern: Data Abuse Elevation Control Mechanism - T1626; Abuse Elevation Control Mechanism - T1548; Software Discovery - T1418; Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Boot Or Logon Autostart Execution - T1547; Command And Scripting Interpreter - T1623; Create Or Modify System Process - T1543; Credentials - T1589.001; Credentials From Password Stores - T1555; Encrypted Channel - T1521; Encrypted Channel - T1573; Exfiltration Over C2 Channel - T1646; Exfiltration Over Web Service - T1567; Exploit Public-Facing Application - T1377; Exploitation For Client Execution - T1658; Exploits - T1587.004; Exploits - T1588.005; Firmware - T1592.003; Firmware Corruption - T1495; Hide Artifacts - T1628; Hide Artifacts - T1564; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Indicator Removal On Host - T1630; Ingress Tool Transfer - T1544; Ip Addresses - T1590.005; Lsass Memory - T1003.001; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Password Managers - T1555.005; Phishing - T1660; Phishing - T1566; Powershell - T1059.001; Pre-Os Boot - T1542; Protocol Tunneling - T1572; Scheduled Task - T1053.005; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Server Software Component - T1505; Software - T1592.002; Software Discovery - T1518; Ssh - T1021.004; Steal Application Access Token - T1528; Steal Application Access Token - T1635; Steal Web Session Cookie - T1539; System Services - T1569; Web Shell - T1505.003; Vulnerabilities - T1588.006; Access Token Manipulation - T1134; Standard Application Layer Protocol - T1071; Automated Collection - T1119; Automated Exfiltration - T1020; Logon Scripts - T1037; Browser Extensions - T1176; Command-Line Interface - T1059; Connection Proxy - T1090; Credential Dumping - T1003; Data Encoding - T1132; Data Obfuscation - T1001; Deobfuscate/Decode Files Or Information - T1140; Email Collection - T1114; Exfiltration Over Command And Control Channel - T1041; Exploit Public-Facing Application - T1190; Exploitation For Client Execution - T1203; Indicator Removal On Host - T1070; Remote File Copy - T1105; Modify Registry - T1112; Standard Non-Application Layer Protocol - T1095; Obfuscated Files Or Information - T1027; Powershell - T1086; Process Discovery - T1057; Rootkit - T1014; Scheduled Task - T1053; Screen Capture - T1113; System Information Discovery - T1082; System Owner/User Discovery - T1033; System Service Discovery - T1007; System Time Discovery - T1124; Web Shell - T1100; User Execution - T1204; Automated Collection; Exploit Public-Facing Application; Indicator Removal On Host; Rootkit; Screen Capture; User Execution
Common Information
Type Value
UUID bf0090da-201d-4c05-8635-af66f7ed49ff
Fingerprint cf470813e7875f07
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 2, 2022, midnight
Added to db Sept. 11, 2022, 12:47 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
Title Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
Detected Hints/Tags/Attributes 225/4/57
Attributes
Type | #Events | Value
CVE | 19 | cve-2022-22047
CVE | 11 | cve-2021-28550
CVE | 6 | cve-2021-36948
CVE | 9 | cve-2021-31201
CVE | 10 | cve-2021-31199
CVE | 2 | cve-2022-22026
CVE | 2 | cve-2022-22049
File | 128 | w3wp.exe
MITRE ATT&CK Techniques | 30 | T1176
MITRE ATT&CK Techniques | 89 | T1114
MITRE ATT&CK Techniques | 695 | T1059
MITRE ATT&CK Techniques | 107 | T1564
MITRE ATT&CK Techniques | 409 | T1566
MITRE ATT&CK Techniques | 245 | T1203
MITRE ATT&CK Techniques | 420 | T1204
MITRE ATT&CK Techniques | 492 | T1105
MITRE ATT&CK Techniques | 75 | T1001
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 504 | T1140
MITRE ATT&CK Techniques | 289 | T1003
MITRE ATT&CK Techniques | 550 | T1112
MITRE ATT&CK Techniques | 67 | T1505
MITRE ATT&CK Techniques | 542 | T1190
MITRE ATT&CK Techniques | 95 | T1572
MITRE ATT&CK Techniques | 163 | T1573
MITRE ATT&CK Techniques | 99 | T1539
MITRE ATT&CK Techniques | 126 | T1567
MITRE ATT&CK Techniques | 172 | T1555
MITRE ATT&CK Techniques | 40 | T1528
MITRE ATT&CK Techniques | 219 | T1113
MITRE ATT&CK Techniques | 185 | T1518
MITRE ATT&CK Techniques | 86 | T1124
MITRE ATT&CK Techniques | 100 | T1007
MITRE ATT&CK Techniques | 444 | T1071
MITRE ATT&CK Techniques | 102 | T1020
MITRE ATT&CK Techniques | 207 | T1547
MITRE ATT&CK Techniques | 26 | T1037
MITRE ATT&CK Techniques | 122 | T1543
MITRE ATT&CK Techniques | 10 | T1542
MITRE ATT&CK Techniques | 41 | T1014
MITRE ATT&CK Techniques | 4 | T1495
MITRE ATT&CK Techniques | 159 | T1095
MITRE ATT&CK Techniques | 164 | T1574
MITRE ATT&CK Techniques | 480 | T1053
MITRE ATT&CK Techniques | 78 | T1569
MITRE ATT&CK Techniques | 116 | T1134
MITRE ATT&CK Techniques | 78 | T1548
MITRE ATT&CK Techniques | 247 | T1070
MITRE ATT&CK Techniques | 1006 | T1082
MITRE ATT&CK Techniques | 433 | T1057
MITRE ATT&CK Techniques | 230 | T1033
MITRE ATT&CK Techniques | 157 | T1560
MITRE ATT&CK Techniques | 111 | T1119
MITRE ATT&CK Techniques | 96 | T1132
MITRE ATT&CK Techniques | 422 | T1041
Threat Actor Identifier - APT | 277 | APT37
Threat Actor Identifier - APT | 783 | APT28