Closed cat-alyst closed 2 years ago
Email document updated with an example of an email used against a human rights org https://www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/
https://docs.google.com/document/d/1TCVn-5Cu83BZZUSUM9VYPm0AkaXs5akUQZMcPBIqfRE/edit#
Added details/characteristics to https://docs.google.com/document/d/1oUvmMpcBbB4y-XkDVuYQJXU23q4cRqayCRfAK1NNxsQ/edit document. Covers services the infra uses, characteristics of binaries, such as compiled with two languages.
Outlook C2 - also used for exfil is considered a signature characteristic of OceanLotus.
Windows commands used as part of Outlook C2:
cmd.exe /C " ipconfig > %temp%.log.txt
cmd.exe /C " c:\Users\[redacted]\Desktop\[Redacted_File_name].xls %temp%"
https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
There are a couple of reports for pass-the-ticket for lateral movement. So far the pattern I've seen is local discovery, credential dumping, network discovery, then valid accounts, pass-the-hash, and/or network shares.
Old report but detailed with commands https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
map out commands for lateral movement
map out commands for exfil
Any other human characteristics
Stretch- dirty machine with useless files - find research institutions that have already accumulated these docos. Write script to deploy on machine.
Craft email message for victim
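Added example for the Outlook C2 pattern noted above (detection side, to pair with the emulation). This is not code from the issue or from the Cybereason reports: it takes constructed Sysmon-style process-creation records in an assumed tab-separated layout (ParentImage, Image, CommandLine, User) and flags a shell spawned under outlook.exe whose command line stages data in %temp% or redirects output to a file, i.e. the shape of the two commands quoted above. Field names follow Sysmon Event ID 1; the line format, paths and user names are constructed for the example.

```python
"""Flag shells launched by Outlook that stage output in %temp%.

Added example, not the issue author's or Cybereason's code. Records are
constructed; the tab-separated layout is an assumption for this example.
"""
import re
from typing import Dict, List, Optional

RECORD_FIELDS = ("ParentImage", "Image", "CommandLine", "User")

# Constructed sample telemetry (not real logs). Records 1 and 2 mirror the
# two commands quoted in the issue; 3-5 are benign-looking controls.
SAMPLE_RECORDS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C "ipconfig > %temp%\log.txt"',
     r"CORP\alice"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C "copy c:\Users\alice\Desktop\report.xls %temp%"',
     r"CORP\alice"),
    # same ipconfig staging, but parent is explorer: an admin at a prompt
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C "ipconfig > %temp%\log.txt"',
     r"CORP\bob"),
    # Outlook opening an attachment in Word: not a shell
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\agenda.docx"',
     r"CORP\alice"),
    # shell under Outlook, but nothing staged or redirected
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C "echo hello"',
     r"CORP\alice"),
]
SAMPLE_LOGS: List[str] = ["\t".join(fields) for fields in SAMPLE_RECORDS]

OFFICE_PARENTS = {"outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
TEMP_STAGING = re.compile(r"%temp%", re.IGNORECASE)
# a ">" or ">>" preceded by whitespace and followed by a target path
OUTPUT_REDIRECT = re.compile(r"(^|\s)>{1,2}\s*\S")


def parse_record(line: str) -> Dict[str, str]:
    """Split one tab-separated record into a field dict (assumed layout)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(RECORD_FIELDS):
        raise ValueError(f"expected {len(RECORD_FIELDS)} fields: {line!r}")
    return dict(zip(RECORD_FIELDS, parts))


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the record matches the pattern, else None."""
    if basename(rec["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if basename(rec["Image"]) not in SHELLS:
        return None
    cmd = rec["CommandLine"]
    reasons = []
    if TEMP_STAGING.search(cmd):
        reasons.append("stages data in %temp%")
    if OUTPUT_REDIRECT.search(cmd):
        reasons.append("redirects command output to a file")
    return "; ".join(reasons) if reasons else None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every non-empty record and collect the hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            hits.append({"user": rec["User"], "cmd": rec["CommandLine"],
                         "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['user']}: {hit['cmd']}  [{hit['reason']}]")
```

The parent-process constraint is what makes the rule specific to the Outlook-macro backdoor rather than to ipconfig in general; record 3 shows the same staging under explorer.exe and is deliberately not flagged. Record 5 (a bare shell under Outlook with nothing staged) is also not flagged here, though on a real host any cmd.exe or powershell.exe child of outlook.exe is worth a lower-severity alert of its own.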