MITRE ATT&CK in action
Just got another phishing email today (surprise, surprise). So now I turn to understanding a little bit more about what I just received (i.e. what was in the link/URL); here's what I find.
Email from: LEIF GUSTAVSON <[email protected]>
It looks pretty well done, in fairness, compared to most lures. When you take the link and take a closer look, what you find is that it will a) set a Windows hook to intercept mouse events and b) contact a host of domains, reporting back on the hit.
The connection to the domain ocsp.pki.goog, which is a known malicious site, looks like this:

    GET /gsr2/<<redacted>> HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.pki.goog

This will be followed up with a JavaScript element: GET "/gtm.js?id=GTM-5SR238"
and so on... and so on :)
You can see that if the user clicks on the link they will be presented with a browser popup asking them to make a deposit in return for other "funds", which is the basis of the scam.
Linking to ATT&CK
What I like, though, is how you can map these techniques to the MITRE framework. Amongst the many activities that occur if you run the sample, one is the hooking of APIs to track what the user is doing; in this case it is tracking mouse movements. This links to the Tactics "Credential Access, Persistence, Privilege Escalation", because if someone can track my mouse movements, they can see what I have clicked on, when I did it, and whether that was human operated or automated (e.g. a sandbox).
This is just a basic example of mapping elements of a kill chain to the MITRE ATT&CK framework to help you with a) knowing what methods are being employed, b) at what stage of the attack they are employed and c) what I need to have in place to be able to detect and respond to these tactics... In this case, how would I know my mouse was being monitored?
HTH
Stuart
#MITRE #ATT&CK @mitre