Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
Tags
cmtmf-attack-pattern: Acquire Infrastructure Application Layer Protocol Data Manipulation Exploit Public-Facing Application Masquerading Obfuscated Files Or Information Obtain Capabilities Process Injection Resource Hijacking Stage Capabilities Supply Chain Compromise
country: North Korea
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Acquire Infrastructure - T1583 Application Layer Protocol - T1437 Asymmetric Cryptography - T1521.002 Asymmetric Cryptography - T1573.002 Clear Windows Event Logs - T1070.001 Compromise Software Supply Chain - T1195.002 Compromise Software Supply Chain - T1474.003 Credentials From Password Stores - T1555 Data Encrypted For Impact - T1471 Data Encrypted For Impact - T1486 Data From Local System - T1533 Data Manipulation - T1641 Data Manipulation - T1565 Debugger Evasion - T1622 Digital Certificates - T1596.003 Digital Certificates - T1587.003 Digital Certificates - T1588.004 Dll Search Order Hijacking - T1574.001 Dll Side-Loading - T1574.002 Dns - T1071.004 Dns - T1590.002 Domains - T1583.001 Domains - T1584.001 Dynamic Dns - T1311 Dynamic Dns - T1333 Encrypted Channel - T1521 Encrypted Channel - T1573 Exfiltration Over Alternative Protocol - T1639 Exfiltration Over C2 Channel - T1646 Exploit Public-Facing Application - T1377 File And Directory Discovery - T1420 File Deletion - T1070.004 File Deletion - T1630.002 Hijack Execution Flow - T1625 Hijack Execution Flow - T1574 Indicator Removal On Host - T1630 Ingress Tool Transfer - T1544 Install Digital Certificate - T1608.003 Invalid Code Signature - T1036.001 Ip Addresses - T1590.005 Kerberoasting - T1558.003 Malicious Image - T1204.003 Malvertising - T1583.008 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Obfuscated Files Or Information - T1406 System Information Discovery - T1426 Obtain Capabilities - T1588 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Process Injection - T1631 Python - T1059.006 Reflective Code Loading - T1620 Resource Hijacking - T1496 Screen Capture - T1513 Search Engines - T1593.002 Server - T1583.004 Server - T1584.004 Service Stop - T1489 Software - T1592.002 Spearphishing Attachment - T1566.001 Spearphishing Attachment - T1598.002 Stage Capabilities - T1608 Steal Or Forge Kerberos Tickets - T1558 Steal Web Session Cookie - T1539 Stored Data Manipulation - T1565.001 Stored Data Manipulation - T1492 Supply Chain Compromise - T1474 System Checks - T1633.001 System Checks - T1497.001 System Language Discovery - T1614.001 System Location Discovery - T1614 Web Protocols - T1071.001 Web Protocols - T1437.001 Virtualization/Sandbox Evasion - T1497 Tool - T1588.002 Virtualization/Sandbox Evasion - T1633 Standard Application Layer Protocol - T1071 Data From Local System - T1005 Deobfuscate/Decode Files Or Information - T1140 Dll Search Order Hijacking - T1038 Dll Side-Loading - T1073 Exfiltration Over Alternative Protocol - T1048 Exfiltration Over Command And Control Channel - T1041 Exploit Public-Facing Application - T1190 File And Directory Discovery - T1083 File Deletion - T1107 Indicator Removal On Host - T1070 Remote File Copy - T1105 Kerberoasting - T1208 Masquerading - T1036 Modify Registry - T1112 Obfuscated Files Or Information - T1027 Powershell - T1086 Process Injection - T1055 Query Registry - T1012 Screen Capture - T1113 Third-Party Software - T1072 Spearphishing Attachment - T1193 Supply Chain Compromise - T1195 System Information Discovery - T1082 User Execution - T1204 Exploit Public-Facing Application Indicator Removal On Host Masquerading Screen Capture Service Stop Spearphishing Attachment Supply Chain Compromise User Execution
Common Information
Type Value
UUID cc4e5c13-27bc-457b-b0d8-8191db42d463
Fingerprint cf4f0502e7974f03
Analysis status DONE
Considered CTI value 2
Text language
Published April 25, 2023, midnight
Added to db June 5, 2023, 11:49 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
Title Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
Detected Hints/Tags/Attributes 192/4/54
Attributes
Details Type #Events CTI Value
Details CVE 30
cve-2013-3900
Details File 4
netscanold.exe
Details File 2
pshashes.txt
Details Mandiant Uncategorized Groups 59
UNC4736
Details MITRE ATT&CK Techniques 542
T1190
Details MITRE ATT&CK Techniques 107
T1496
Details MITRE ATT&CK Techniques 348
T1036
Details MITRE ATT&CK Techniques 197
T1489
Details MITRE ATT&CK Techniques 145
T1588
Details MITRE ATT&CK Techniques 18
T1588.004
Details MITRE ATT&CK Techniques 46
T1608
Details MITRE ATT&CK Techniques 17
T1608.003
Details MITRE ATT&CK Techniques 52
T1195
Details MITRE ATT&CK Techniques 36
T1195.002
Details MITRE ATT&CK Techniques 164
T1574
Details MITRE ATT&CK Techniques 227
T1574.002
Details MITRE ATT&CK Techniques 440
T1055
Details MITRE ATT&CK Techniques 627
T1027
Details MITRE ATT&CK Techniques 15
T1036.001
Details MITRE ATT&CK Techniques 247
T1070
Details MITRE ATT&CK Techniques 92
T1070.001
Details MITRE ATT&CK Techniques 297
T1070.004
Details MITRE ATT&CK Techniques 550
T1112
Details MITRE ATT&CK Techniques 504
T1140
Details MITRE ATT&CK Techniques 238
T1497
Details MITRE ATT&CK Techniques 97
T1497.001
Details MITRE ATT&CK Techniques 91
T1620
Details MITRE ATT&CK Techniques 52
T1622
Details MITRE ATT&CK Techniques 501
T1012
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 50
T1614
Details MITRE ATT&CK Techniques 33
T1614.001
Details MITRE ATT&CK Techniques 444
T1071
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 52
T1071.004
Details MITRE ATT&CK Techniques 492
T1105
Details MITRE ATT&CK Techniques 163
T1573
Details MITRE ATT&CK Techniques 74
T1573.002
Details MITRE ATT&CK Techniques 33
T1565
Details MITRE ATT&CK Techniques 13
T1565.001
Details MITRE ATT&CK Techniques 422
T1041
Details MITRE ATT&CK Techniques 82
T1583.001
Details MITRE ATT&CK Techniques 92
T1048
Details MITRE ATT&CK Techniques 310
T1566.001
Details MITRE ATT&CK Techniques 420
T1204
Details MITRE ATT&CK Techniques 172
T1555
Details MITRE ATT&CK Techniques 99
T1539
Details MITRE ATT&CK Techniques 219
T1113
Details MITRE ATT&CK Techniques 534
T1005
Details MITRE ATT&CK Techniques 472
T1486
Details MITRE ATT&CK Techniques 460
T1059.001
Details MITRE ATT&CK Techniques 36
T1558.003
Details Threat Actor Identifier - APT 115
APT43