Novel malicious software discovered by ESET continues to grow the MITRE ATT&CK™ knowledge base

Rene Holt

Since going public in 2015, the MITRE ATT&CK™ knowledge base has seen a wealth of contributions from the cybersecurity community. ATT&CK collates this information to provide a common language and structured intelligence on adversary behaviors across multiple threat groups. ESET’s most recent contributions comprise four entries in the Software category and one extension in the Groups category of ATT&CK.



Software:
1. Attor (S0438)
Attor is a previously unreported cyberespionage platform used in targeted attacks since at least 2013 against diplomatic missions and governmental institutions located mainly in Russia. Attor’s architecture consists of a dispatcher and loadable plugins.

ESET discovered the malware and named it after two notable features of its plugins: the Device monitor plugin’s capability of using AT commands to fingerprint GSM devices, and the Tor client plugin’s use of Tor for command and control communication and exfiltration.

Attor’s functionality maps to 32 ATT&CK Enterprise techniques and 18 sub-techniques.

2. Okrum (S0439)
Okrum is a previously unknown backdoor that ESET first detected in late 2016 in attacks against diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil. The malicious actors behind Okrum employed several tactics to remain undetected, such as embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, and making frequent changes in implementation.

ESET discovered the Okrum backdoor delivering a Ketrican sample, linking it back to the work of the Ke3chang (APT15) group. The Okrum entry comprises 28 ATT&CK Enterprise techniques and 24 sub-techniques.

3. ComRAT (S0126)
ComRAT, a backdoor favored by the Turla threat group since at least 2007, was discovered by ESET in its latest version (version four), released in 2017 and used to target two ministries of foreign affairs and a national parliament. The operators were using the backdoor to discover, steal and exfiltrate confidential documents.

ESET researchers found 16 ATT&CK Enterprise techniques and 11 sub-techniques deployed.

4. DEFENSOR ID (S0479)
DEFENSOR ID is an Android banking trojan that unleashes its fury once users grant it permission to activate accessibility services. The app is packed with a host of malicious features, including stealing login credentials, SMS and email messages, cryptocurrency private keys displayed on screen, and software-generated multifactor authentication codes; clearing bank accounts and cryptocurrency wallets; and taking over email and social media accounts.

DEFENSOR ID’s functionality maps to 6 ATT&CK Mobile techniques.

Groups:
1. Turla (G0010)
ESET researchers identified several links between ComRAT v4 and the Turla threat group. Version four of the backdoor uses the internal name “Chinch” as in previous versions, uses the same custom command and control protocol over HTTP as ComRAT v3, shares part of its network infrastructure with Mosquito (another backdoor used by Turla), and was seen either dropped by or dropping other Turla malware families.

By linking ComRAT v4 to Turla, ESET provided extensions of 13 ATT&CK Enterprise techniques and 6 sub-techniques of the Turla group.

MITRE ATT&CK evaluations: Simulating the Carbanak/FIN7 APT group

MITRE ATT&CK is also notable for its evaluations. Now in their third round, the evaluations use simulated attacks to test the prevention and detection capabilities of security products against the techniques employed by high-profile adversaries. ESET and MITRE ATT&CK teams will be engaging in red and blue team activities, putting ESET to the test against the techniques of the Carbanak/FIN7 APT group.

FIN7 is infamous for creating a front company called Combi Security that hired black hat recruits under the guise of various cybersecurity roles, such as penetration tester. The U.S. Department of Justice has arrested and charged four members of the group to date. ESET discovered Carbanak malware targeting point-of-sale systems for credit card data at a casino. Carbanak is known for targeting the finance and retail industries, including banks, forex trading companies, casinos, hotels and restaurants.

How does ATT&CK benefit ESET?

As of August 2020, the number of ESET contributions to MITRE ATT&CK has continued to grow, with ESET being one of the most referenced and most engaged vendors directly involved in refining and populating the MITRE ATT&CK knowledge base. ESET’s engagement with ATT&CK continues to inform product R&D, malware research practice and its ongoing cybersecurity awareness work. These ongoing contributions also provide additional opportunities to transfer knowledge to the close-knit ATT&CK community.

More details on ESET’s work with MITRE ATT&CK can be found here:

  1. Collective Security: ESET improves cyber armor with MITRE ATT&CK™ knowledge base
  2. Advancing enterprise threat hunting with the MITRE ATT&CK™ knowledge base
  3. Malware Researcher + Threat Analyst: two perspectives on the MITRE ATT&CK™ knowledge base