Procedures

Input Capture: Keylogging

  • Evilnum is a cyber-espionage group known for targeting the fintech sector. They use PyVil, a Python-scripted Remote Access Trojan (RAT) that includes keylogging functionality. The RAT captures user input, allowing the group to record keystrokes and gather sensitive information. The group deploys PyVil through spear-phishing emails that contain malicious attachments or links. Once installed, PyVil can execute additional Python scripts or executables, extending its capabilities.

  • Winnti Group is a sophisticated Chinese cyber-espionage group targeting multiple sectors. They use a malware named PipeMon, which includes keylogging functionality to capture credentials. PipeMon registers as a Windows Print Processor, ensuring it loads every time the Print Spooler service starts, providing persistence across reboots. The malware uses reflective loading to inject its modules into critical system processes, blending with legitimate processes to evade detection.

  • Chafer APT Group is an Iranian cyber-espionage group that uses the Remexi malware. Remexi includes keylogging capabilities to capture user inputs and sensitive information. This malware also takes screenshots based on mouse clicks and predefined window titles, such as login pages and security-related windows. Additionally, Remexi monitors and logs clipboard content, transferring it to a designated subdirectory for exfiltration.

  • APT-C-34 is a cyber-espionage group known for using the Harpoon backdoor, written in Delphi, which includes keylogging capabilities. This backdoor can log keystrokes, record clipboard content, take screenshots at intervals, and record audio from the microphone. It also steals files with specific extensions and monitors Skype and Google Hangouts communications. The collected data is uploaded to an FTP server for exfiltration. APT-C-34 has also procured commercial spyware like HackingTeam RCS and NSO Group’s Pegasus, which support functionalities such as keylogging, clipboard monitoring, and remote control.

Credentials from Password Stores: Credentials from Web Browsers

  • CopperStealer is a malware that specializes in stealing browser credentials and cookies, installing malicious browser extensions, and exfiltrating stored credentials from Facebook and Google accounts for malicious advertising purposes. The infection typically begins with users visiting warez websites, where misleading download buttons initiate a series of redirects through domains belonging to pay-per-install networks. Once installed, CopperStealer steals cookies and saved logins from various browsers and communicates with its command and control (C&C) servers using a domain generation algorithm to evade detection.

  • Void Balaur is another group that targets credentials stored in web browsers and other applications. They use malware such as Z*Stealer to extract credentials from various applications, including instant messaging software, FTP clients, email clients, browsers, and cryptocurrency wallets. This group often sets up phishing sites to trick users into providing their login information, thus facilitating the theft of browser-stored credentials.

  • Dark Caracal is an espionage group linked to the Lebanese General Directorate of General Security (GDGS). This group uses Android and Windows malware to exfiltrate a wide range of data, including credentials from web browsers. They distribute trojanized versions of legitimate apps like Signal and WhatsApp, which can steal browser history, cookies, and saved passwords from infected devices.

  • TA505 is a notorious cybercriminal group recognized for its large-scale spam campaigns and the deployment of various malware tools. Its spam emails carry malicious documents; once a document is opened and its macro is enabled, it downloads malware like Dridex, which is known for its capability to steal banking credentials through web injection and form grabbing. Dridex specifically targets browsers to intercept and steal sensitive information, such as login credentials and session tokens, making it a significant threat to users who store their passwords in web browsers.

OS Credential Dumping: LSASS Memory

  • Lazarus Group, also known as APT37, is a North Korean cyber espionage group targeting various industries globally. They use a custom encrypted version of Mimikatz to dump credentials from the Local Security Authority Subsystem Service (LSASS) memory. This tool is decrypted in-memory via a small loader executable, allowing them to extract password hashes and plain-text passwords. They then use these credentials to move laterally within the victim's network.

  • APT3, also known as Gothic Panda, is a Chinese cyber espionage group targeting multiple sectors. They use customized versions of pwdump and Mimikatz to dump credentials from LSASS memory. This allows them to capture password hashes and plain-text passwords from the operating system. The harvested credentials are used for lateral movement, enabling them to spread to file and printer servers.

  • Volt Typhoon is a sophisticated group conducting cyber espionage operations against critical infrastructure. They attempt to dump credentials from the LSASS process memory to access operating system credentials. By doing so, they gather hashes that can be cracked offline to gain valid domain account credentials. This enables them to regain access if needed and continue their reconnaissance and exploitation activities.

  • HAFNIUM is a state-sponsored threat actor targeting entities in the United States for intelligence gathering. They use Procdump, a legitimate Windows Sysinternals tool, to dump the memory of the LSASS process. This technique helps them capture credentials that can be used to move laterally and maintain access to compromised systems. The stolen credentials are also used to export mailbox data and gather other sensitive information from the target environment.
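The entries above describe two observable signals for LSASS credential dumping: a process opening a handle to lsass.exe with memory-read rights (what Mimikatz and Procdump both need) and, for Procdump specifically, a command line pairing its full-dump switch with lsass. The following is an added example, not code from this page or any vendor: it triages constructed Sysmon Event ID 10 (ProcessAccess) records using Sysmon's real field names (SourceImage, TargetImage, GrantedAccess) and the Win32 PROCESS_VM_READ bit. The allowlist of processes that legitimately touch LSASS is an assumption to tune per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for suspicious reads of LSASS memory.

Added example for this page; the records below are constructed, not taken from any
incident. Field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's
ProcessAccess event schema; the allowlist is an assumption to tune per environment.
"""
import re

# Process access-right bits (Win32 PROCESS_* constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that legitimately open LSASS with read rights on a typical host.
# Assumption: tune this to the security stack actually deployed.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Procdump's real full-dump switch is -ma; a command line pairing it with lsass
# is the Procdump usage the HAFNIUM entry above describes.
LSASS_DUMP_CMDLINE = re.compile(r"(?i)procdump\S*\s+.*-ma\s+.*lsass")


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    # Query-only handles (e.g. 0x1000, 0x1400) are routine noise; reading memory is not.
    return bool(mask & PROCESS_VM_READ)


def is_lsass_dump_commandline(cmdline):
    """True for a Procdump invocation that writes a full dump of lsass."""
    return bool(LSASS_DUMP_CMDLINE.search(cmdline))


def triage(events):
    """Return (SourceImage, GrantedAccess) pairs worth an analyst's attention."""
    return [
        (e["SourceImage"], e["GrantedAccess"])
        for e in events
        if is_suspicious_lsass_access(e)
    ]


# Constructed records: routine service/AV access, a renamed Procdump, and an
# unknown binary in a temp directory opening LSASS with read rights.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\Public\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\Public\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for source, access in triage(SAMPLE_EVENTS):
        print(f"suspicious LSASS access: {source} (GrantedAccess {access})")
```

Two of the five constructed records are flagged: the Procdump copy and the temp-directory binary. The svchost record is allowlisted and the query-only mask would not have qualified anyway; the Defender record is allowlisted; the last record targets notepad, not LSASS. In production the allowlist is the weak point, so pair it with the image's signer or hash rather than path alone.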

Unsecured Credentials: Credentials In Files

  • TeamTNT is a threat actor group known for targeting cloud environments and container technologies. They deploy scripts to steal local credentials and create local users with SSH access, ensuring persistent access to infected systems. The group scans infected systems for AWS credentials, initially focusing on root user home folders and later expanding to other users and environment variables. TeamTNT maintains long-term access by using open-source remote shells and IRC bots for C2 operations.

  • Cyclops Blink is a sophisticated botnet that uses advanced persistence techniques and encrypted communications. The malware targets credentials stored in configuration files and web browsers, using these to maintain and expand its control over infected devices. Cyclops Blink employs obfuscation techniques and uses legitimate SSL certificates for C2 communications, making detection difficult.

  • DarkSeoul/Jokra Malware: The group behind this malware is known for its cyber-attacks on South Korean broadcasting and banking systems. The malware can access disks by opening the physical drive as a file and then targeting specific sectors. While its primary objective is to overwrite critical system data to render systems inoperable, the same level of access allows it to search for and extract sensitive information, including credentials stored in configuration files and scripts. By gaining physical disk access, the malware can systematically search through various directories, identify files with hard-coded credentials, and exfiltrate them back to the attackers' command and control servers.

  • GhostNet, primarily targeting Tibetan organizations and various government entities worldwide, utilized spear-phishing emails containing malicious attachments or links. Once the malware was installed on a victim's machine, it allowed attackers to take real-time control over the system, enabling them to search for and exfiltrate sensitive files, including those containing credentials. The malware's capabilities included keylogging, file management, and remote command execution, which facilitated the extraction of hard-coded credentials from configuration files, databases, and script files stored on local and remote file shares.
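The four entries above share one precondition: credentials sitting in plain text in configuration files, scripts, home directories and environment dumps (AWS keys in root's home folder, hard-coded passwords in config and script files). The defensive counterpart is to find that material before an intruder does. The following is an added example, not code from this page or any product: a small secrets scanner run over constructed file contents. The rule set and placeholder heuristics are assumptions; the AWS access key ID used in the sample is the one AWS publishes in its own documentation, not a live key.

```python
"""Scan configuration and script text for hard-coded credentials.

Added example for this page; the file contents below are constructed (the AWS key ID
is the one AWS uses in its own documentation) and the rule set is an assumption, not
any product's detection logic.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never carry the secret itself into a report or log


# Each rule names the kind of material it catches; group 2 of password_assignment is the value.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # Broad on purpose: any pass/pwd/secret/token/key assignment with a value of 4+ chars.
    "password_assignment": re.compile(
        r"(?i)(pass(?:word|wd)?|pwd|secret|token|key)\s*[:=]\s*['\"]?([^'\"\s#]{4,})"
    ),
}

PLACEHOLDER_VALUES = {"changeme", "password", "example", "xxxx", "todo", "none", "null"}


def looks_like_placeholder(value):
    """Skip environment references and template stand-ins; they are not secrets."""
    v = value.lower()
    return v.startswith(("$", "%", "<", "{{")) or v in PLACEHOLDER_VALUES


def redact(value):
    """Keep two characters so an operator can recognise the value, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_text(path, text):
    """Apply every rule to every line; one Finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(2) if rule == "password_assignment" else m.group(0)
            if rule == "password_assignment" and looks_like_placeholder(value):
                continue
            findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_files(files):
    """files: {path: text}. Returns all findings across the set."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed inputs modelled on the locations the entries above name.
SAMPLE_FILES = {
    "/root/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/etc/app/config.ini": (
        "[database]\n"
        "host = db.internal\n"
        "password = hunter2\n"
    ),
    "/opt/app/deploy.sh": (
        "#!/bin/sh\n"
        "export DB_PASS=${DB_PASS}\n"  # environment reference, not a stored secret
        "export API_TOKEN='tok_constructed_0123'\n"
    ),
    "/root/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

On the constructed set this yields five findings: the AWS key ID, the AWS secret (caught by the generic assignment rule via its `key =` suffix), the ini password, the shell token, and the private key header; the `${DB_PASS}` reference is correctly skipped. The generic rule is deliberately noisy, so in practice the useful work is in the placeholder list and in feeding findings to whoever owns the file rather than in the regexes themselves.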

Credentials from Password Stores

  • Energetic Bear is a Russian cyber espionage group targeting critical infrastructure sectors. They compromise websites to inject SMB credential-harvesting malware, which redirects visitors to malicious sites via the file:// protocol. This technique harvests Microsoft SMB credentials from victims. The group uses these credentials to gain unauthorized access to critical systems. They employ a combination of compromised JavaScript libraries and intermediary hosts to avoid direct detection. By targeting a broad range of industrial sector websites, Energetic Bear effectively maintains a wide reach for their credential harvesting campaigns.

  • TeamTNT: TeamTNT is a threat group known for targeting cloud environments, particularly Docker and Kubernetes. They scan for and extract AWS credentials from compromised systems, focusing initially on root user home folders before expanding to other users and environment variables. TeamTNT also searches for Docker API credentials and uploads any found credentials to their command-and-control (C2) server. They deploy various backdoors and persistence mechanisms to maintain long-term access, including open-source remote shells and IRC bots. The group's payloads often include rootkits to hide activities like cryptocurrency mining, ensuring their operations remain undetected.

  • Volt Typhoon: Volt Typhoon is a sophisticated threat group that conducts cyber espionage operations against critical infrastructure. They gather operating system and domain credentials, as well as data from local web browsers, often staging the collected data in password-protected archives for exfiltration. Volt Typhoon uses custom versions of open-source tools like Impacket and Fast Reverse Proxy (FRP) to establish command-and-control channels. Their use of valid credentials to access compromised systems allows them to blend into normal network traffic, maintaining a low profile. This approach makes detection and mitigation challenging for targeted organizations.

  • Chaes Group: Chaes is a Latin American cybercrime group known for the Chaes malware, which steals credentials from web browsers. The malware hooks into Chrome to scrape sensitive information such as login credentials and financial details. Chaes uses legitimate tools and open-source software to execute these actions, making detection difficult. The stolen data is sent to remote C2 servers using encrypted communication channels. This method allows the group to steal valuable information from e-commerce platforms in the region. Chaes continuously evolves, indicating ongoing development and enhancement by its authors.

  • HAFNIUM: HAFNIUM is a state-sponsored threat actor targeting entities in the United States for intelligence gathering. They use Procdump, a legitimate Windows Sysinternals tool, to dump the memory of the Local Security Authority Subsystem Service (LSASS) process. This technique helps them capture credentials that can be used to move laterally and maintain access to compromised systems. HAFNIUM often deploys web shells on compromised servers to facilitate further exploitation. The stolen credentials are also used to export mailbox data and gather other sensitive information from the target environment.

  • CARBANAK Group: CARBANAK, also known as FIN7, is a notorious cybercriminal group targeting sectors such as banking and hospitality. They use a toolset that includes keylogging functionality to capture credentials from compromised systems. CARBANAK's initial point of entry often involves exploiting software vulnerabilities, allowing them to gain administrative access quickly. Their toolset includes over 30 unique samples of malware and tools, normalized across both Windows and Linux environments. The group's operations involve lateral movement, log cleanup, credential harvesting, and internal reconnaissance. CARBANAK's sophisticated operational tactics include using custom scripts and utilities to clean up logs and erase traces of activities.

OS Credential Dumping: Security Account Manager

  • Lazarus Group: Lazarus Group is a North Korean state-sponsored cyber-espionage group targeting various industries globally. They use a custom version of Mimikatz to dump credentials from the Security Account Manager (SAM) database. The attackers gain initial access through phishing or exploitation of vulnerabilities, then use tools like PsExec and WMIC to execute Mimikatz remotely. The stolen credentials are used to move laterally within the network, maintaining a persistent presence. They also disable security features like Windows Defender to facilitate credential dumping. Lazarus Group employs advanced evasion techniques, making detection and mitigation challenging.

  • HAFNIUM: HAFNIUM is a state-sponsored threat actor targeting entities in the United States for intelligence gathering. They use tools like Procdump to dump the LSASS process memory and retrieve credentials from the SAM database. This allows them to capture and decrypt password hashes, which are used for further access and lateral movement. HAFNIUM's operations often involve web shell deployment for persistent access and using PowerShell for various malicious activities. The group employs legitimate tools and scripts to evade detection. Their sophisticated techniques highlight the need for robust security measures and timely patching.

  • APT10 (Stone Panda): APT10, also known as Stone Panda, is a Chinese cyber-espionage group targeting various sectors worldwide. They perform SYSTEM/SECURITY/SAM hive dumps to steal credentials stored in the SAM database. This process involves using tools like csvde.exe and AdFind to export directory information and identify high-value targets. APT10 uses custom tools and scripts to maintain persistence and evade detection. The stolen credentials are used for lateral movement, enabling the group to access sensitive information and systems. APT10's continuous evolution of tactics makes them a persistent threat.

  • Emissary Panda (APT27): Emissary Panda, also known as APT27, targets entities in the Middle East and Asia. They use tools like Dumpert to dump LSASS memory and retrieve credentials from the SAM database. Dumpert leverages direct system calls and API unhooking to bypass security measures and dump LSASS memory stealthily. The group employs web shells and other persistence mechanisms to maintain long-term access to compromised systems. Emissary Panda's sophisticated techniques include network discovery and system enumeration to identify and exploit high-value targets. They use valid credentials to blend into normal network activities, complicating detection efforts.

  • Chimera APT: Chimera APT is a sophisticated threat actor known for targeting the semiconductor industry. They use SkeletonKeyInjector, which implants a skeleton key into domain controllers, allowing continuous lateral movement by altering NTLM authentication. This tool incorporates code from Mimikatz and Dumpert to dump credentials from the SAM database. Chimera employs Cobalt Strike for remote access and data exfiltration, often disguising malware as legitimate software. Their operations involve extensive reconnaissance and lateral movement using valid credentials obtained from dumped SAM hives. Chimera's techniques emphasize the need for advanced detection and response capabilities.

  • TeamTNT: TeamTNT is a threat actor group focusing on cloud environments and container technologies. They search for and extract AWS credentials from compromised systems and perform SYSTEM/SECURITY/SAM hive dumps to steal credentials stored in the SAM database. TeamTNT uses a combination of open-source tools and custom scripts to execute these activities. They maintain persistence through backdoors, remote shells, and IRC bots, often deploying rootkits to hide their actions. Their sophisticated evasion techniques make detection difficult, allowing them to conduct long-term campaigns in targeted environments.

OS Credential Dumping: LSA Secrets

  • APT10 (Stone Panda): APT10, also known as Stone Panda, is a Chinese cyber-espionage group targeting various sectors worldwide. They perform SYSTEM/SECURITY/SAM hive dumps to steal credentials stored in the Security Account Manager (SAM) database and use tools like Mimikatz to extract LSA secrets. This process involves extracting stored credentials and decrypting them using built-in Windows APIs. They utilize tools such as AdFind and csvde.exe to export directory information, aiding in lateral movement. APT10 employs PowerShell remoting to delete event logs, obfuscating their activities. The group’s sophisticated techniques and persistence mechanisms make them a persistent threat to global enterprises.

  • Emissary Panda (APT27): Emissary Panda, also known as APT27, targets entities in the Middle East and Asia. They use tools like Dumpert to dump LSASS memory and retrieve credentials, including LSA secrets. Dumpert leverages direct system calls and API unhooking to bypass security measures and dump LSASS memory stealthily. The group employs web shells and other persistence mechanisms to maintain long-term access to compromised systems. Emissary Panda combines network discovery and system enumeration to identify and exploit high-value targets. Their sophisticated techniques and use of valid credentials help them evade detection and maintain a low profile within the network.

  • HAFNIUM: HAFNIUM is a state-sponsored threat actor targeting entities in the United States for intelligence gathering. They use tools like Procdump to dump the LSASS process memory and retrieve credentials from the SAM database, including LSA secrets. This allows them to capture and decrypt password hashes, which are used for further access and lateral movement. HAFNIUM's operations often involve web shell deployment for persistent access and using PowerShell for various malicious activities. The group employs legitimate tools and scripts to evade detection. Their sophisticated techniques highlight the need for robust security measures and timely patching.

  • Lazarus Group: Lazarus Group, also known as APT37, is a North Korean state-sponsored cyber-espionage group targeting various industries globally. They use a custom version of Mimikatz to dump credentials from the Security Account Manager (SAM) database and extract LSA secrets. The attackers gain initial access through phishing or exploitation of vulnerabilities, then use tools like PsExec and WMIC to execute Mimikatz remotely. The stolen credentials are used to move laterally within the network, maintaining a persistent presence. They disable security features like Windows Defender to facilitate credential dumping. Lazarus Group employs advanced evasion techniques, making detection and mitigation challenging.

  • BISMUTH: BISMUTH is a threat actor group known for combining cyber espionage and coin mining activities. They use Base64-encoded Mimikatz commands to dump credentials from the SAM database, including LSA secrets. BISMUTH relies heavily on PowerShell scripts for credential dumping and further discovery, utilizing tools like the Empire PowerDump command. They delete PowerShell event logs to evade detection and use the system tool Nltest.exe to gather domain trust information and identify high-value targets. The group’s focus on credential theft involves the use of co-opted tools like Sysinternals DebugView for data exfiltration. Their sophisticated techniques and persistence strategies make them a formidable threat.

  • FIN7 (Carbanak): FIN7, also known as Carbanak, is a notorious cybercriminal group targeting sectors such as banking and hospitality. They use a toolset that includes keylogging functionality and credential dumping from the SAM database and LSA secrets to capture credentials from compromised systems. FIN7's initial point of entry often involves exploiting software vulnerabilities, allowing them to gain administrative access quickly. Their toolset includes over 30 unique samples of malware and tools, normalized across both Windows and Linux environments. The group's operations involve lateral movement, log cleanup, credential harvesting, and internal reconnaissance. FIN7's sophisticated operational tactics include using custom scripts and utilities to clean up logs and erase traces of activities.

Brute Force: Password Spraying

  • Chimera APT Group: Chimera targets the semiconductor and aviation industries by starting with usernames and passwords from previous breaches. They use these credentials to perform password spraying attacks on remote services such as webmail and VPNs. This technique allows them to identify valid credential pairs without triggering account lockouts. Successful attempts grant them initial access, which they use to deploy additional tools and malware for further penetration. Their attacks often include persistence mechanisms like scheduled tasks and extensive lateral movement within the network. Chimera’s methodical password spraying enables them to bypass initial security barriers effectively.

  • Shuckworm: Shuckworm focuses on Ukrainian entities, employing password spraying to gain entry into target systems. They collect lists of common usernames and attempt multiple passwords systematically, aiming to avoid detection and account lockouts. Once they achieve access, they deploy custom malware and freely available remote access tools to maintain a foothold. Their persistence involves long-term surveillance and data exfiltration, making use of the credentials obtained through password spraying. Shuckworm’s strategic use of this technique highlights their adaptive approach to compromising secure networks.

  • Elephant Beetle: Elephant Beetle targets businesses in Latin America, leveraging password spraying as a part of their initial intrusion tactics. They exploit weak credentials on Java-based web servers to gain access without triggering alarms. Post-access, they establish persistence through web shells and malicious files. Their focus remains on financial operations, where they monitor and manipulate transactions using the credentials acquired through password spraying. This method allows them to siphon funds gradually while staying under the radar of security systems.

  • FIN8: FIN8 combines social engineering with password spraying to penetrate financial networks. By systematically attempting common passwords across various accounts, they identify valid credentials without causing account lockouts. These credentials facilitate further access and allow FIN8 to deploy additional malware and conduct network reconnaissance. Their operations often involve using these credentials to move laterally and maintain a persistent presence. FIN8’s reliance on password spraying demonstrates their commitment to exploiting weak password policies in financial institutions.

  • Volt Typhoon: Volt Typhoon, targeting critical infrastructure, employs password spraying to compromise accounts with privileged access. They focus on gaining initial entry by systematically testing common passwords against a set of usernames. This technique helps them evade detection and successfully infiltrate networks. Once inside, they leverage the acquired credentials to conduct further attacks and establish command and control channels. Volt Typhoon’s use of password spraying highlights their methodical approach to breaching high-value targets.

  • APT31 (Zirconium): APT31, associated with the Chinese government, utilizes password spraying to infiltrate various sectors. They target remote services like VPNs and webmail by applying a broad range of common passwords across multiple accounts. Successful breaches provide them with a gateway to deploy sophisticated tools and malware. APT31’s password spraying attacks enable them to maintain a presence in the compromised networks and carry out extensive espionage activities. Their focused use of this technique underscores its effectiveness in their cyber-espionage campaigns.

OS Credential Dumping: NTDS

  • Volt Typhoon: Volt Typhoon targets critical infrastructure sectors and employs Ntdsutil.exe to create installation media from domain controllers. This media contains usernames and password hashes, which are then cracked offline. By obtaining these credentials, Volt Typhoon can regain access if needed and perform lateral movement within the network. Their extensive use of system and network discovery commands aids in identifying high-value targets. They also blend into normal network traffic by using valid credentials, making detection challenging. Volt Typhoon’s sophisticated techniques emphasize the need for robust security measures.

  • Emissary Panda (APT27): Emissary Panda focuses on entities in the Middle East and Asia, utilizing tools like Ntdsutil.exe to dump credentials from NTDS.dit. They leverage the extracted data for lateral movement and privilege escalation within the target network. Emissary Panda often uses web shells and other persistence mechanisms to maintain long-term access. Their sophisticated network discovery and system enumeration techniques help them identify and exploit high-value targets. They use valid credentials to mirror legitimate user actions, complicating detection efforts. Their operations highlight the importance of comprehensive network monitoring and incident response strategies.

  • APT10 (Stone Panda): APT10, known for targeting global sectors, performs SYSTEM/SECURITY/SAM hive dumps to access credentials stored in NTDS.dit. They employ tools like csvde.exe and AdFind to export directory information and identify high-value targets. APT10 uses PowerShell remoting for log deletion to cover their tracks and uses scheduled tasks to ensure persistence. They employ various tools for lateral movement and privilege escalation, making detection and response challenging. Their continuous evolution of tactics underscores their persistent threat to enterprises worldwide.

  • Lazarus Group: Lazarus Group, a North Korean state-sponsored group, uses custom versions of Mimikatz and other tools to dump credentials from NTDS.dit. They gain initial access through phishing or exploiting vulnerabilities and then use these tools for lateral movement. The group disables security features to facilitate credential dumping and leverages these credentials to move within the network. Lazarus Group employs advanced evasion techniques and blends their activities with normal network traffic. Their sophisticated methods highlight the need for advanced security measures and continuous monitoring.

  • FIN7 (Carbanak): FIN7 targets banking and hospitality sectors, using tools to extract credentials from NTDS.dit. They often begin with exploiting software vulnerabilities to gain initial access and then use these credentials for extensive network reconnaissance and lateral movement. FIN7's toolset includes various malware samples and utilities normalized across Windows and Linux environments. Their operations involve log cleanup, credential harvesting, and internal reconnaissance. FIN7's sophisticated tactics include using custom scripts to erase traces of their activities, highlighting the need for robust security protocols.

  • Chimera APT: Chimera APT targets the semiconductor industry, using tools like SkeletonKeyInjector to implant a skeleton key into domain controllers. This tool includes code from Mimikatz to dump credentials from NTDS.dit, allowing continuous lateral movement by altering NTLM authentication. Chimera uses Cobalt Strike for remote access and data exfiltration, often disguising malware as legitimate software. Their operations involve extensive reconnaissance and lateral movement using valid credentials obtained from NTDS.dit. Chimera’s techniques emphasize the need for advanced detection and response capabilities to counter their sophisticated attacks.

Network Sniffing

  • OceanLotus (APT32): OceanLotus, also known as APT32, is a well-documented advanced persistent threat (APT) group suspected to have Vietnamese origins. They deploy a series of sophisticated remote access trojans (RATs) known as Ratsnif, which enable extensive network attack capabilities. Ratsnif uses the WinPcap library to filter and capture specific types of network traffic, processing these packets to extract valuable data such as login credentials. The malware captures and analyzes packets passing through a network interface, demonstrating the group's advanced technical prowess. This packet sniffing capability allows OceanLotus to intercept sensitive information traversing the network. Their continuous development and enhancement of Ratsnif variants underscore the importance of robust network security measures.

  • Chafer APT Group: Chafer APT, an Iranian cyber-espionage group, utilizes the Remexi malware for credential access. Remexi includes functionalities such as packet sniffing to capture network traffic. By monitoring and analyzing network packets, Remexi extracts sensitive information, including login credentials and session tokens. This capability allows Chafer to gain unauthorized access to critical systems and data. Their focus on targeting diplomatic entities highlights their strategic objectives. The use of standard Windows utilities and robust encryption techniques aids in evading detection and maintaining persistence.

  • APT40: APT40, a China-linked threat group, leverages network sniffing to capture credentials from network traffic. They utilize tools capable of intercepting and analyzing network communications to extract sensitive data such as passwords. APT40's focus on network discovery and lateral movement enables them to identify and exploit key targets within the compromised environment. Their sophisticated use of network sniffing underscores the group's capability to conduct detailed reconnaissance and credential harvesting. This technique is part of their broader strategy to maintain long-term access and exfiltrate valuable information.

  • RedEcho: RedEcho, associated with Chinese state-sponsored activities, targets the Indian power sector and employs network sniffing as part of their credential access techniques. They use automated network traffic analytics to identify and intercept credentials passing through the network. This enables them to capture login information and other sensitive data. RedEcho's campaigns are characterized by their strategic targeting of critical infrastructure, demonstrating their focus on disrupting key sectors. Their use of sophisticated network sniffing tools helps them achieve their objectives while evading detection.

  • Cobalt Group: The Cobalt Group, known for targeting financial institutions globally, employs network sniffing to gather credentials. They use tools that capture and analyze network packets to extract login details and other sensitive information. This technique is part of their broader attack strategy, which includes phishing and exploiting vulnerabilities for initial access. Once they obtain credentials through network sniffing, they can move laterally and escalate privileges within the target environment. Their operations highlight the critical need for financial institutions to secure their network traffic and monitor for unusual activities.

  • Callisto Group: Callisto Group is known for targeting individuals involved in European foreign and security policy. They use network sniffing to capture credentials from intercepted network traffic. By analyzing packets, they extract login information that can be used to access email accounts and other sensitive systems. This access allows them to monitor communications and send further phishing emails from compromised accounts. The group's sophisticated use of network sniffing underscores the importance of securing network communications and employing multi-factor authentication to protect against such attacks.

Brute Force: Password Guessing

  • TeamTNT: TeamTNT is a cybercriminal group targeting cloud environments, particularly Docker and Kubernetes. They use brute force password guessing against SSH services and also target exposed Docker APIs. Once they gain access, they deploy scripts to steal credentials and create new users for persistent access. TeamTNT often scans for AWS credentials and Docker API tokens, uploading any found to their command-and-control servers. They also employ various backdoors, IRC bots, and rootkits to maintain control and evade detection. Their focus on cloud environments and evolving techniques make them a persistent threat.

  • Outlaw Hacking Group: Outlaw, known for targeting the automotive and financial sectors, employs brute force attacks to compromise SSH credentials. They launch extensive SSH brute force campaigns to gain initial access to systems. After successfully guessing passwords, they deploy a combination of cryptocurrency miners and backdoors. Outlaw's use of IRC-based botnets for command-and-control enables them to maintain control over compromised systems. They continuously refine their brute force techniques to maximize the efficiency of their attacks.

  • UNC1945: UNC1945 is a sophisticated cybercriminal group targeting financial institutions. They use brute force password guessing as part of their initial access strategy. By targeting legacy systems with weak password policies, they gain access to critical network resources. Once inside, UNC1945 deploys a custom QEMU virtual machine loaded with tools for exploitation, credential harvesting, and lateral movement. Their persistent and stealthy operations often go undetected for extended periods, emphasizing the need for robust password security measures.

  • Void Balaur: Void Balaur, also known as Rockethack, is a cybermercenary group offering a variety of hacking services. They use brute force attacks to compromise email and social media accounts. Their operations include setting up phishing sites to capture credentials and using brute force tools to guess passwords. Once they gain access, they sell sensitive personal data and provide hacking services on underground forums. Void Balaur's techniques reflect their adaptability and deep understanding of both technical and human vulnerabilities.

  • MuddyWater: MuddyWater is a threat actor group known for targeting Middle Eastern organizations. They use brute force password guessing to compromise accounts and gain initial access to networks. MuddyWater often combines brute force attacks with social engineering techniques to enhance their success rate. After gaining access, they deploy sophisticated backdoors and perform extensive reconnaissance. Their evolving tactics and persistent campaigns highlight the importance of robust password policies and user education.

  • Earth Baku (APT41): Earth Baku, also known as APT41, targets various companies in the Indo-Pacific region. They use brute force password guessing as part of their exploitation of web applications. By targeting systems with weak passwords, they gain access to networks and deploy advanced tools like StealthVector and StealthMutant for further exploitation. APT41's campaigns involve a combination of self-developed tools and customized malware, emphasizing the need for strong password security and advanced threat detection.
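
The SSH brute force campaigns attributed to TeamTNT and Outlaw leave a distinctive trace: many failed logons from one source in a short window, often against several account names, followed by an accepted logon. The following is an added example, not from this page or from any vendor report: a sliding-window detector over sshd syslog lines. The log excerpt, hostname and addresses are constructed; the threshold (5 failures in 60 seconds) and the supplied year (syslog lines carry none) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not real telemetry). 10.0.0.77 sprays guesses
# at several accounts within seconds and then gets in as "deploy"; 10.0.0.5 is
# an admin who mistypes once and then authenticates with a key.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for root from 10.0.0.77 port 40001 ssh2
Mar  3 10:00:02 web1 sshd[2102]: Failed password for root from 10.0.0.77 port 40002 ssh2
Mar  3 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 10.0.0.77 port 40003 ssh2
Mar  3 10:00:03 web1 sshd[2104]: Failed password for invalid user oracle from 10.0.0.77 port 40004 ssh2
Mar  3 10:00:03 web1 sshd[2105]: Failed password for invalid user test from 10.0.0.77 port 40005 ssh2
Mar  3 10:00:04 web1 sshd[2106]: Failed password for root from 10.0.0.77 port 40006 ssh2
Mar  3 10:00:05 web1 sshd[2107]: Accepted password for deploy from 10.0.0.77 port 40007 ssh2
Mar  3 10:01:10 web1 sshd[2200]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd(log_text: str, year: int = 2024):
    """Return (timestamp, accepted, user, source_ip) per auth line, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter (disconnects, key exchange) is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside a sliding window; record any later success."""
    alerts = {}
    recent = defaultdict(list)  # source ip -> [(ts, user)] failures still inside the window
    for ts, accepted, user, ip in parse_sshd(log_text):
        if not accepted:
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(recent[ip]))
                a["users"].update(u for _, u in recent[ip])
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # A success from a source that was already spraying is the highest-priority signal:
            # this is the moment TeamTNT or Outlaw start dropping miners and backdoors.
            alerts[ip]["success_after"] = (user, ts.isoformat())
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, a["failures"], sorted(a["users"]), a["success_after"])
```

The one-off failure from 10.0.0.5 never reaches the threshold, so the detector stays quiet for ordinary typos; the spray from 10.0.0.77 is reported with the set of account names tried and the account that finally worked, which is what the responder needs to rotate first.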

Steal Web Session Cookie

  • Earth Wendigo: Earth Wendigo, known for targeting organizations in South Asia, uses spear-phishing emails to deliver obfuscated JavaScript. This JavaScript loads malicious scripts from a remote server when opened, designed to steal browser cookies and webmail session keys. By appending malicious scripts to the victim's email signature, the infection propagates further. They also exploit XSS vulnerabilities in webmail systems to inject malicious JavaScript, ensuring re-infection each time the victim accesses the webmail page. The stolen session keys and cookies allow the attackers to use the victim's webmail account without ever needing a password. This approach ensures long-term access to and control over compromised accounts.

  • COZY BEAR: COZY BEAR, a Russian state-sponsored group, bypasses MFA by stealing Chrome browser cookies. They copy Chrome profile directories and DPAPI data, decrypt the cookies, and load them with a "Cookie Editor" extension to hijack sessions. Because the service sees an already-authenticated session, no MFA prompt is triggered. They also manipulate built-in O365 service principals to maintain access. By regularly refreshing stolen credentials and performing AD reconnaissance, COZY BEAR ensures persistent access. Their techniques demonstrate their capability to evade detection and maintain long-term control over compromised environments.

  • CopyKittens: CopyKittens, linked to Iran, employs web session cookie theft as part of their credential access strategy. They inject malicious JavaScript into legitimate websites to fingerprint visitors' browsers and exploit vulnerabilities. By stealing cookies and session tokens, they gain unauthorized access to user accounts. CopyKittens uses DNS for command and control, making their traffic blend in with normal network activity. Their operations are characterized by persistent Cobalt Strike installations and strategic use of social engineering. The group's methods highlight the need for robust network security practices.

  • APT41 (Earth Baku): APT41 targets various sectors by stealing web session cookies to bypass authentication mechanisms. They use phishing campaigns to deliver malware that captures session cookies from browsers. These cookies are used to hijack web sessions, providing access to sensitive systems and data. APT41 combines this technique with exploiting web application vulnerabilities to gain deeper access. Their operations involve using advanced tools and custom malware, emphasizing the need for comprehensive security measures. APT41's persistent attacks showcase their adaptability and technical prowess.

  • Water Pamola: Water Pamola targets e-commerce platforms using XSS vulnerabilities and social engineering. They embed malicious scripts within legitimate workflows, leading to the theft of web session cookies. These stolen cookies allow the attackers to bypass authentication and gain access to user accounts. Water Pamola's campaigns involve distributing malware through fake Flash updates and using DLL sideloading for execution. Their approach combines various attack vectors, making detection challenging. Protecting against such threats requires regular updates and robust endpoint security.

  • Shuckworm: Shuckworm, an advanced persistent threat group, leverages custom malware to steal web session cookies. They deploy VBScripts and other tools to maintain persistence and perform credential theft. By capturing browser cookies, Shuckworm gains access to web services and internal systems. Their operations involve continuous monitoring and refreshing of stolen credentials to maintain access. Shuckworm's tactics and long-term campaigns highlight the importance of vigilant network monitoring and security practices. Their focus on evading detection underscores their persistent threat to targeted entities.

Unsecured Credentials: Private Keys

  • TeamTNT: TeamTNT is a threat actor group focusing on cloud environments, particularly Docker and Kubernetes. They exploit unsecured private keys left on compromised systems to gain unauthorized access. TeamTNT searches for AWS credentials and SSH private keys stored in configuration files, which are often overlooked by security measures. Once these keys are obtained, they are used to access cloud resources and execute further attacks. This method allows them to bypass traditional authentication mechanisms and establish a foothold in the target environment. The group also uploads these credentials to their command-and-control (C2) servers for future use.

  • Chimera APT: Chimera APT targets the semiconductor industry and uses tools like SkeletonKeyInjector to implant a skeleton key into domain controllers. The injector carries Mimikatz code, which the group also uses to dump certificates and private keys; the skeleton key itself patches NTLM authentication on the domain controller so that a master password is accepted for any account, which keeps lateral movement going without further credential theft. By accessing these private keys, Chimera can impersonate legitimate users and maintain control over the infected systems. Their operations involve extensive reconnaissance and lateral movement using valid credentials obtained from these keys. Chimera's techniques highlight the need for advanced detection and response capabilities.

  • Lazarus Group: Lazarus Group, a North Korean state-sponsored group, targets various industries globally. They use custom versions of Mimikatz and other tools to dump credentials, including private keys, from compromised systems. By exploiting these keys, they gain persistent access and move laterally within the network. Lazarus Group employs advanced evasion techniques, such as disabling security features and blending their activities with normal network traffic. Their methods underscore the importance of robust security measures and continuous monitoring.

  • Turla Group: Turla, also known as Snake, is a well-known cyber-espionage group recognized for their sophisticated malware. They use PowerShell scripts to maintain a foothold in compromised systems and avoid detection. Turla targets private keys stored in unsecured locations to facilitate secure communications and data exfiltration. By leveraging these keys, they can decrypt traffic and gain access to sensitive information. This technique allows Turla to conduct detailed reconnaissance and long-term espionage operations.

  • UNC1945: UNC1945 is a sophisticated cybercriminal group that targets various industries. They exploit vulnerabilities in Solaris systems to gain initial access and use tools to harvest private keys. These keys are then used to establish secure connections and move laterally within the network. UNC1945 employs advanced techniques such as custom virtual machines and anti-forensics tools to maintain a low profile. Their operations highlight the critical need for securing private keys and implementing robust access controls.

  • APT10 (Stone Panda): APT10, also known as Stone Panda, is a Chinese cyber-espionage group targeting various sectors globally. They dump the SYSTEM, SECURITY and SAM registry hives (and, from domain controllers, NTDS.dit) to recover password hashes, LSA secrets and cached domain credentials. Note that NTDS.dit holds account hashes rather than private keys; the keys APT10 reaches are those on the hosts and in the accounts that the recovered credentials unlock. With that material they authenticate as legitimate users and can decrypt communications protected by the stolen keys. This technique enables them to conduct extensive network reconnaissance and lateral movement undetected. Their continuous evolution of tactics underscores their persistent threat to global enterprises.
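
The TeamTNT, UNC1945 and Turla entries come down to the same audit question: which files on a host contain private keys or cloud credentials, and who can read them? The following is an added example, not from this page or from any of the groups' tooling: a scanner that walks a directory tree for PEM private keys and AWS credential material and reports the permission bits of each hit. It builds its own throwaway fixture directory so it runs offline; the patterns are illustrative rather than a complete secret-detection ruleset, and the AWS key in the fixture is the AWS documentation example key, not a real one.

```python
from __future__ import annotations

import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Illustrative patterns for the material TeamTNT-style tooling hunts for.
PATTERNS = {
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws-secret-in-config": re.compile(r"(?im)^\s*aws_secret_access_key\s*=\s*\S+"),
}
SKIP_DIRS = {".git", "node_modules", "proc", "sys", "dev"}
MAX_BYTES = 1 << 20  # only the head of large files is inspected


def scan_file(path: Path) -> list[dict]:
    """Return one finding per pattern that matches the file, with its permission bits."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
        mode = stat.S_IMODE(path.stat().st_mode)
    except OSError:
        return []  # unreadable or vanished: not ours to flag
    return [
        {"path": str(path), "type": name, "mode": oct(mode),
         "world_readable": bool(mode & stat.S_IROTH)}
        for name, rx in PATTERNS.items() if rx.search(text)
    ]


def scan_tree(root) -> list[dict]:
    """Walk a directory tree (symlinks skipped, noisy dirs pruned) and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            findings.extend(scan_file(p))
    return sorted(findings, key=lambda f: (f["path"], f["type"]))


def build_demo_tree() -> Path:
    """Constructed fixture: a throwaway home directory with the kinds of files the scanner should flag."""
    root = Path(tempfile.mkdtemp(prefix="keyscan-"))
    (root / ".ssh").mkdir()
    key = root / ".ssh" / "id_rsa"
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA(fixture)\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    key.chmod(0o644)  # deliberately too open: a key file should be 0600
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example key
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    (root / "app.log").write_text("2024-03-03T10:00:00Z worker started\n")  # benign
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for f in scan_tree(demo):
            print(f"{f['type']:22} {f['mode']}  world_readable={f['world_readable']}  {f['path']}")
    finally:
        shutil.rmtree(demo)
```

Run against real home directories, container image layers and CI runner workspaces, the interesting output is not only that a key exists but that it is readable by every local account or baked into an image; both are exactly what a post-compromise credential sweep picks up.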

Input Capture: Credential API Hooking

  • APT3 (Gothic Panda): APT3, also known as Gothic Panda, is a Chinese cyber-espionage group targeting multiple sectors. They use customized versions of pwdump and Mimikatz to dump credentials from memory and hook into various system APIs to capture credentials. This includes intercepting API calls related to password handling, such as LogonUser and CredEnumerate. By hooking these APIs, they can capture plaintext credentials when users authenticate to systems. This technique allows APT3 to move laterally within networks and access additional sensitive information. Their operations are characterized by extensive use of legitimate tools for lateral movement and privilege escalation.

  • Winnti Group: Winnti Group, a Chinese state-sponsored threat actor, uses credential API hooking as part of their toolkit. They deploy malware that hooks into the Windows LSASS process, intercepting calls to the LogonUser and LsaLogonUser APIs to capture credentials in plaintext. This approach enables them to harvest user credentials without triggering typical security defenses. Winnti Group combines this with other techniques such as process injection and DLL hijacking to maintain persistence and evade detection. Their advanced capabilities highlight the need for robust endpoint detection and response measures.

  • Cobalt Group: Cobalt Group, known for targeting financial institutions, uses sophisticated malware to hook into credential APIs. They inject malicious code into the lsass.exe process to intercept and capture credentials during the authentication process. This technique allows them to collect passwords and hash values in real time. Cobalt Group often uses this information to perform lateral movement and access high-value targets within a network. Their attacks emphasize the importance of securing authentication processes and monitoring for unusual API activity.

  • Lazarus Group: Lazarus Group, a North Korean state-sponsored actor, employs API hooking techniques to steal credentials. They deploy custom malware that hooks into the authentication processes of Windows operating systems, capturing credentials during login attempts. By hooking functions such as LsaLogonUser, they can extract plaintext passwords and use them to access additional systems and data. Lazarus Group's use of these techniques, combined with their ability to disable security features, makes them a persistent and formidable threat.

  • Turla Group: Turla, also known as Snake, is a Russian cyber-espionage group using advanced API hooking techniques. Their malware hooks into credential-related APIs to capture login credentials from the memory of infected systems. This method allows them to intercept credentials during the authentication process without writing data to disk, reducing the likelihood of detection. Turla's operations are known for their stealth and persistence, often involving long-term espionage activities. Their use of API hooking highlights the need for advanced monitoring solutions to detect such threats.

  • APT41 (Double Dragon): APT41, a Chinese cyber-espionage and cyber-crime group, uses API hooking to capture credentials from infected systems. They employ malware that hooks into functions like CredRead and CredEnumerate to intercept credentials used by applications and services. This allows them to gather a wide range of credential types, including those for remote desktop sessions and network shares. APT41's ability to blend cyber-espionage with financially motivated attacks makes them a versatile and dangerous threat actor. Their use of API hooking to capture credentials is a key component of their multi-faceted attack strategy.

Credentials from Password Stores: Windows Credential Manager

  • TeamTNT: TeamTNT is a cybercriminal group known for targeting cloud environments, particularly Docker and Kubernetes. They search for AWS credentials and Docker API tokens stored in configuration files and in credential stores such as Windows Credential Manager to gain unauthorized access to cloud resources. Once these credentials are found, they upload them to their command-and-control (C2) servers. TeamTNT uses these credentials to deploy additional malware and create local users with SSH access, ensuring they can return to the infected system. Their focus on credential theft highlights the need for robust security measures to protect cloud environments.

  • Blue Mockingbird: Blue Mockingbird is a threat group known for exploiting vulnerabilities in web servers to deploy Monero cryptocurrency miners. They use tools like Mimikatz to dump credentials from LSASS memory and also extract credentials stored in Windows Credential Manager. Credential Manager entries are DPAPI-protected blobs under the user's profile (%APPDATA%\Microsoft\Credentials), so the same Mimikatz tooling (its dpapi and vault modules) is what turns them into plaintext once the user's master key is available. By accessing these credentials, they can move laterally within the network using Remote Desktop Protocol (RDP) and other methods. Blue Mockingbird's operations emphasize the importance of securing credential storage and monitoring for unusual activity within networks.

  • UNC2596 (Cuba Ransomware): UNC2596, associated with Cuba Ransomware, leverages vulnerabilities in Microsoft Exchange to gain initial access and deploy webshells. They use tools like ProcDump and Mimikatz to dump credentials from LSASS memory and access Windows Credential Manager. These credentials are used to escalate privileges and facilitate lateral movement within the network. The group's use of legitimate tools and stolen credentials highlights the need for comprehensive endpoint security measures to detect and prevent such attacks.

  • FIN7 (Carbanak): FIN7, also known as Carbanak, targets the banking and hospitality sectors using a variety of techniques, including credential theft. They deploy malware that captures credentials from Windows Credential Manager, allowing them to access critical systems and data. FIN7's operations often involve extensive network reconnaissance and the use of stolen credentials to maintain persistence and evade detection. Their tactics underscore the importance of robust credential management and monitoring.

  • APT41 (Double Dragon): APT41, a Chinese cyber-espionage and cyber-crime group, uses a combination of custom malware and legitimate tools to steal credentials from Windows Credential Manager. They target various sectors, leveraging these credentials to perform lateral movement and gain access to sensitive systems. APT41's ability to blend cyber-espionage with financially motivated attacks makes them a versatile and dangerous threat actor. Their use of credential theft techniques emphasizes the need for strong security policies and regular audits of credential storage.

  • Lazarus Group: Lazarus Group, a North Korean state-sponsored actor, employs tools like Mimikatz to dump credentials from LSASS memory and access Windows Credential Manager. By obtaining these credentials, they can gain unauthorized access to various systems and perform lateral movement within the network. Lazarus Group's techniques and persistent attacks highlight the importance of securing credential storage and implementing robust monitoring solutions to detect suspicious activity.
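
The COZY BEAR cookie theft described under Steal Web Session Cookie and the Credential Manager theft in this section share a detection surface: a process that is not the store's legitimate owner reads the encrypted store together with the key material that unwraps it (Chrome's Local State plus the profile's Cookies database; a DPAPI master key under Microsoft\Protect plus a blob under Microsoft\Credentials). The following is an added example, not from this page or from any vendor product: a rule that pairs those reads per process over constructed EDR-style file-access events. The on-disk paths follow the real Windows and Chrome layout; the event format, the process allowlist and the pairing rules are assumptions to adapt to your own telemetry.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed EDR-style file-access events (not real telemetry):
# (time, process image, user, target path). chrome.exe reading its own cookies
# is normal; powershell.exe reading the key file and then the cookie database
# is the StellarParticle-style pattern; upd.exe pulling a DPAPI master key and
# a Credential Manager blob is Credential Manager theft.
SAMPLE_EVENTS = [
    ("10:00:01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\alice",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("10:05:10", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    ("10:05:11", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("10:07:30", r"C:\Users\alice\AppData\Local\Temp\upd.exe", r"CORP\alice",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\8f3a1c2e-0d6b-4c1f-9a7e-1b2c3d4e5f60"),
    ("10:07:31", r"C:\Users\alice\AppData\Local\Temp\upd.exe", r"CORP\alice",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4"),
    ("10:09:00", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4"),
]

# Where the secrets live: Chrome cookies sit in the profile's Cookies SQLite file,
# encrypted under a key that Local State holds DPAPI-wrapped; Credential Manager
# blobs and the DPAPI master keys that unwrap them sit under the roaming profile.
STORES = {
    "chrome-key":      re.compile(r"\\Google\\Chrome\\User Data\\Local State$", re.I),
    "chrome-cookies":  re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I),
    "dpapi-masterkey": re.compile(r"\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f-]{36}$", re.I),
    "credman-blob":    re.compile(r"\\Microsoft\\Credentials\\[0-9A-F]{32}$", re.I),
}
# Assumed baseline of processes expected to touch each store; tune to the estate.
ALLOWLIST = {"chrome-key": {"chrome.exe"}, "chrome-cookies": {"chrome.exe"},
             "dpapi-masterkey": {"lsass.exe"}, "credman-blob": {"lsass.exe"}}
# Store pairs that, read together by one process, indicate decryption tradecraft rather than a stray read.
RULES = [
    ("chrome-cookie-decryption", {"chrome-key", "chrome-cookies"}),
    ("dpapi-credman-theft", {"dpapi-masterkey", "credman-blob"}),
]


def classify(path: str) -> str | None:
    for name, rx in STORES.items():
        if rx.search(path):
            return name
    return None


def detect(events, allowlist=ALLOWLIST) -> list[dict]:
    """Group store reads by (process, user); emit high-severity alerts for paired reads, medium for lone ones."""
    touched = defaultdict(set)
    first_seen = {}
    for ts, image, user, path in events:
        store = classify(path)
        if store is None:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in allowlist.get(store, set()):
            continue
        touched[(image, user)].add(store)
        first_seen.setdefault((image, user), ts)
    alerts = []
    for (image, user), stores in touched.items():
        matched = [name for name, needed in RULES if needed <= stores]
        for name in matched:
            alerts.append({"rule": name, "severity": "high", "image": image, "user": user,
                           "stores": sorted(stores), "first_seen": first_seen[(image, user)]})
        if not matched:
            alerts.append({"rule": "credential-store-access", "severity": "medium", "image": image,
                           "user": user, "stores": sorted(stores), "first_seen": first_seen[(image, user)]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["rule"], a["first_seen"], a["image"], a["stores"])
```

Pairing by process is what keeps the rule useful: backup agents and indexers touch a Cookies file or a Credentials blob on their own all the time (medium, review the allowlist), but a single non-browser process that reads the wrapped key and the encrypted store within seconds has everything needed to decrypt offline, and that is worth paging on.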

OS Credential Dumping: Cached Domain Credentials

  • Volt Typhoon: Volt Typhoon targets critical infrastructure sectors and employs several techniques to access credentials, including dumping LSASS memory and using Ntdsutil.exe to create installation media (IFM) from domain controllers. The IFM set contains a copy of NTDS.dit together with the SYSTEM hive, which is enough to extract every domain account's password hash and crack it offline, giving them valid domain credentials. They conduct extensive system and network discovery using PowerShell, WMIC, and other commands, gathering data on file systems, processes, and network configurations. Volt Typhoon stages collected data in password-protected archives for exfiltration, using custom versions of open-source tools to establish command and control channels. Their methods highlight the importance of robust security measures and continuous monitoring to detect such attacks.

  • Naikon APT Group: Naikon is known for its stealthy approach to cyber-espionage, leveraging legitimate software vulnerabilities and advanced persistence mechanisms. They use tools like QuarksPwDump to collect local and domain cached credentials, which aids in lateral movement within the network. Naikon also employs network inspection tools and proxy tools for command and control communication, making detection challenging. Their operations are characterized by comprehensive data exfiltration and network compromise, showcasing the group's capability to evade detection and maintain long-term access.

  • BISMUTH: BISMUTH conducts extensive reconnaissance on compromised networks and uses PowerShell scripts for credential dumping and further discovery. They utilize Base64-encoded Mimikatz commands to dump credentials from the Security Account Manager (SAM) database and Active Directory, focusing on cached domain credentials. BISMUTH's operational security includes deleting event logs and using tools like Nltest.exe to gather domain trust information. Their techniques emphasize the need for strong, randomized passwords and multi-factor authentication to prevent such credential theft.

  • FIN8: FIN8 is a financially motivated threat group that uses tools like ProcDump and CertMig to escalate privileges and dump credentials from memory. They create administrator accounts with unusual naming patterns and use RDP connections with stolen credentials for lateral movement. FIN8 employs tools like WMIExec and Netscan for further network exploration and data exfiltration. Their operations often involve using custom malware to monitor web browsers and gather credentials, demonstrating the critical need for securing cached domain credentials.

  • Lazarus Group: Lazarus Group, a North Korean state-sponsored actor, uses tools like Mimikatz to dump credentials from LSASS memory and to read the cached domain logon verifiers (MS Cache / DCC) that Windows keeps in the SECURITY hive so users can log on while no domain controller is reachable. These are not the domain hashes in NTDS.dit: they cannot be passed and must be cracked offline before the recovered passwords can be used for lateral movement within the network. Lazarus Group's operations include the use of sophisticated evasion techniques, such as disabling security features and blending activities with normal network traffic. Their methods highlight the need for robust security measures and continuous monitoring to detect and mitigate such threats.

  • APT41 (Double Dragon): APT41 targets various sectors and uses tools like Mimikatz and custom malware to dump cached domain credentials. They exploit these credentials for lateral movement and to escalate privileges within the network. APT41's operations often involve using sophisticated malware and leveraging legitimate tools to maintain persistence and evade detection. Their ability to blend cyber-espionage with financially motivated attacks makes them a versatile and dangerous threat actor.
