# Full Report
From May 1 to July 31, 2024, ReliaQuest analyzed customer incident data and cybercriminal forums to identify common MITRE ATT&CK TTPs and gather additional intelligence.
# Analysis Summary
This summary is based on the report's description of recent threat trends and focuses on the malware families and attack techniques it identifies.
# Tool/Technique: SocGholish
## Overview
SocGholish is a frequently observed malware family in customer incidents, often associated with phishing campaigns responsible for initial access.
## Technical Details
- Type: Malware family
- Platform: Not explicitly specified, but context suggests Windows/desktop environments targeted by phishing.
- Capabilities: Primary capability is likely initial access and subsequent payload delivery facilitated by phishing campaigns.
- First Seen: Not available in the context.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied, as phishing attachments are a primary vector)
    - T1566.002 - Spearphishing Link (implied, as phishing links are a primary vector)
## Functionality
### Core Capabilities
- Delivering malicious payloads through email-borne phishing attacks (links or attachments).
- Observed at high volume across critical incidents.
### Advanced Features
- Not explicitly detailed in the provided context, but its prevalence suggests effective C2 communication and persistence mechanisms (often associated with previous SocGholish variants).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Execution in response to user interaction with phishing content.
## Associated Threat Actors
- Not explicitly named, but frequently associated with initial access brokers (IABs) and groups using readily available phishing kits.
## Detection Methods
- Signature-based detection (on known malware artifacts).
- Behavioral detection for email delivery filtering and process execution following phishing interactions.
## Mitigation Strategies
- Employee training to recognize and report phishing attempts.
- Implementing robust email filtering solutions.
## Related Tools/Techniques
- LummaC2 (observed alongside SocGholish).
# Tool/Technique: LummaC2
## Overview
LummaC2 is a Command and Control (C2) framework or malware variant that has been frequently observed in customer incidents, often alongside SocGholish.
## Technical Details
- Type: Malware/C2 Framework
- Platform: Not explicitly specified.
- Capabilities: Functioning as a C2 channel for compromised systems, likely used for secondary staging or data exfiltration following initial access.
- First Seen: Not available in the context.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control** (implied, based on the name "C2")
  - Techniques related to post-compromise communication pathways (e.g., T1071 - Application Layer Protocol)
## Functionality
### Core Capabilities
- Maintaining remote access to compromised systems.
- Potentially for data staging or execution of secondary payloads.
### Advanced Features
- Not explicitly detailed in the provided context, but C2 frameworks typically involve encrypted communication and modular capabilities.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (none provided in the report)
- Behavioral Indicators: Suspicious outbound network connections indicative of C2 communication.
## Associated Threat Actors
- Not explicitly named, but observed being deployed in connection with high-volume initial access techniques.
## Detection Methods
- Network traffic analysis for anomalous C2 beacons.
- Heuristic analysis identifying framework-specific behaviors.
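Network traffic analysis for beaconing usually comes down to one question: does a host contact the same destination at suspiciously regular intervals? The following Python example is added here to illustrate that check and is not code from the ReliaQuest report; the log format, IP addresses and hostnames are constructed for the example, and the thresholds (`min_connections`, `max_cv`) are assumptions a team would tune against its own baseline.

```python
"""Added example (not from the ReliaQuest report): flag candidate C2 beaconing
in outbound connection logs by measuring how regular the inter-connection
intervals are for each (source, destination) pair."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <src_ip> -> <dst_host>:<port>".
# cdn-update.invalid is contacted roughly every 60 s with small jitter;
# news.example and mail.example are irregular, user-driven traffic.
SAMPLE_LOG = """\
2024-06-03T10:00:00 10.0.0.5 -> cdn-update.invalid:443
2024-06-03T10:00:05 10.0.0.5 -> news.example:443
2024-06-03T10:00:09 10.0.0.5 -> news.example:443
2024-06-03T10:01:02 10.0.0.5 -> cdn-update.invalid:443
2024-06-03T10:01:59 10.0.0.5 -> cdn-update.invalid:443
2024-06-03T10:02:40 10.0.0.5 -> news.example:443
2024-06-03T10:03:01 10.0.0.5 -> cdn-update.invalid:443
2024-06-03T10:04:00 10.0.0.5 -> cdn-update.invalid:443
2024-06-03T10:05:01 10.0.0.5 -> cdn-update.invalid:443
2024-06-03T10:07:15 10.0.0.5 -> news.example:443
2024-06-03T10:07:16 10.0.0.5 -> news.example:443
2024-06-03T10:08:00 10.0.0.7 -> mail.example:993
2024-06-03T10:09:30 10.0.0.7 -> mail.example:993
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation).

    A low coefficient of variation means the gaps between connections are
    nearly constant, which is the signature of a timer-driven beacon rather
    than a person clicking around."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return pairs whose connection cadence looks machine-generated.

    Thresholds are assumptions for the example: at least `min_connections`
    so a handful of coincidental hits is ignored, and a coefficient of
    variation at or below `max_cv` (20% jitter) to count as regular."""
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            flagged.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['interval_s']}s (n={hit['count']}, cv={hit['cv']})")
```

Real beacons add deliberate jitter and sleep multipliers, so in practice the coefficient-of-variation threshold is paired with longer observation windows and with destination reputation; the point of the example is the cadence measurement itself, which works on any flow or proxy log that yields a timestamp and a destination.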
## Mitigation Strategies
- Network segmentation and egress filtering to block unauthorized external communication.
- Implementing strong host-based detection and response capabilities.
## Related Tools/Techniques
- SocGholish (Observed frequently in conjunction).
# Technique: Spearphishing (General Phishing Trend)
## Overview
Phishing incidents have significantly increased, utilizing both links and attachments to gain Initial Access. This trend is cited as the primary driver for incident volume, linked to high turnover and easy availability of phishing kits.
## Technical Details
- Type: Technique (Initial Access Vector)
- Platform: Cross-platform (via email clients and general web browsing).
- Capabilities: Social engineering to trick users into executing malicious files, visiting malicious sites, or revealing credentials.
- First Seen: Ongoing, but reporting period shows a 16% increase from the previous investigation.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
    - T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- Establishing initial foothold on victim networks through user interaction.
### Advanced Features
- Leveraging high-quality, accessible phishing kits to automate campaign execution.
## Indicators of Compromise
- File Hashes: N/A (Depends on the specific payload delivered).
- File Names: N/A (Highly variable).
- Registry Keys: N/A
- Network Indicators: Malicious URLs or domains used in phishing lures (none specified in the report).
- Behavioral Indicators: Excessive alerts for malicious file execution or unauthorized link interaction.
## Associated Threat Actors
- Initial Access Brokers (IABs).
- Various financially motivated cybercriminal groups.
## Detection Methods
- Email gateway security features inspecting message headers, content, and links.
- User awareness training programs.
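To make the "inspecting message headers, content, and links" bullet concrete, here is an added Python example (not code from the ReliaQuest report) of two gateway-style checks: sender-domain consistency across `From`, `Reply-To` and `Return-Path`, and HTML links whose visible text shows one host while the `href` points at another. The sample message, its addresses and hostnames are constructed for the example.

```python
"""Added example (not from the ReliaQuest report): simple header and link
consistency checks of the kind an email gateway applies to inbound mail."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display sender claims corp.example, but the
# reply path and bounce address point elsewhere, and the link text advertises
# the corporate SSO host while the href goes to a different domain.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-reset@mailer.invalid
Return-Path: <bounce@mailer.invalid>
To: alice@corp.example
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it here:
<a href="http://login.mailer.invalid/reset">https://sso.corp.example/reset</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Extract the lower-cased domain from an address header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_message(raw):
    """Return a list of finding strings for the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Header check: Reply-To / Return-Path domain should match the From domain.
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr.lower()}-domain-mismatch:{from_dom}!={dom}")

    # Link check: visible URL text must point at the same host as the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).netloc.lower()
            text_host = ""
            if text.startswith(("http://", "https://")):
                text_host = urlparse(text).netloc.lower()
            if text_host and text_host != href_host:
                findings.append(f"link-text-mismatch:{text_host}->{href_host}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EML):
        print(finding)
```

Neither check proves a message is malicious on its own (newsletters and ticketing systems legitimately use third-party reply and bounce domains), so a gateway treats them as scoring inputs alongside authentication results and URL reputation rather than as block rules.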
## Mitigation Strategies
- Multi-Factor Authentication (MFA) enforcement.
- Strict application control policies.
## Related Tools/Techniques
- Phishing Kits (underlying technology enabling the trend).
# Tool/Technique: LockBit Ransomware
## Overview
LockBit ransomware is still noted as a key player, despite a recent slowdown in activity attributed to law enforcement efforts and a loss of affiliate trust.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Primarily Windows.
- Capabilities: Encryption of files and systems demanding ransom payment.
- First Seen: Not available in the context, but known to be active through 2024.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- **TA0040 - Impact**
  - T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Data encryption and extortion.
### Advanced Features
- Historically known for Ransomware-as-a-Service (RaaS) model leveraging affiliates.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Known C2 infrastructure associated with LockBit operations (none specified in the report).
- Behavioral Indicators: Rapid mass encryption processes; presence of ransom notes.
## Associated Threat Actors
- LockBit Affiliates (previously).
## Detection Methods
- Signature detection for known binaries.
- Behavioral monitoring detecting high-volume file encryption activity.
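The two behavioral indicators named above (rapid mass encryption and ransom notes) translate into endpoint telemetry rules. The Python example below is added here and is not code from the ReliaQuest report: it counts how many distinct files a single process touches within a sliding window and looks for one filename being dropped into many directories, which is how a ransom note typically shows up. All events, process names, paths, the `.lockedext` suffix and the `RESTORE_FILES.txt` note name are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Added example (not from the ReliaQuest report): behavioral rules for
high-volume file rewriting and ransom-note dropping over file-event
telemetry such as an EDR or Sysmon-style feed would provide."""
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    image: str
    action: str   # "write" or "rename"
    path: str


def build_sample_events():
    """Constructed telemetry: one process rewrites 25 user files in a burst,
    renames each with a constructed extension, and drops the same note file
    into five directories; a benign editor saves three files over minutes."""
    base = datetime(2024, 6, 3, 14, 0, 0)
    events = []
    for i in range(25):
        t = base + timedelta(seconds=i)
        d = f"C:/Users/alice/Documents/proj{i % 5}"
        events.append(FileEvent(t, 4242, "updater.exe", "write", f"{d}/file{i}.docx"))
        events.append(FileEvent(t, 4242, "updater.exe", "rename", f"{d}/file{i}.docx.lockedext"))
    for i in range(5):
        t = base + timedelta(seconds=30 + i)
        d = f"C:/Users/alice/Documents/proj{i}"
        events.append(FileEvent(t, 4242, "updater.exe", "write", f"{d}/RESTORE_FILES.txt"))
    for i in range(3):
        t = base + timedelta(minutes=i)
        events.append(FileEvent(t, 1337, "winword.exe", "write",
                                f"C:/Users/alice/Documents/report{i}.docx"))
    return events


def max_distinct_files_in_window(events, window_s):
    """Largest number of distinct paths one process touched in any window.

    Two-pointer sweep over time-sorted events; `counts` holds the paths
    currently inside the window so distinct count is just its size."""
    evs = sorted(events, key=lambda e: e.ts)
    window = timedelta(seconds=window_s)
    counts, best, j = Counter(), 0, 0
    for i, e in enumerate(evs):
        while j < len(evs) and evs[j].ts - e.ts <= window:
            counts[evs[j].path] += 1
            j += 1
        best = max(best, len(counts))
        counts[e.path] -= 1
        if counts[e.path] == 0:
            del counts[e.path]
    return best


def note_candidates(events, min_dirs):
    """Basenames written into at least `min_dirs` distinct directories."""
    dirs_by_name = defaultdict(set)
    for e in events:
        if e.action == "write":
            dirs_by_name[os.path.basename(e.path)].add(os.path.dirname(e.path))
    return sorted(n for n, d in dirs_by_name.items() if len(d) >= min_dirs)


def find_mass_encryption(events, window_s=60, min_files=20, min_note_dirs=4):
    """Return one finding per process that trips either rule.
    Thresholds are assumptions for the example, not values from the report."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    findings = []
    for pid, evs in by_pid.items():
        burst = max_distinct_files_in_window(evs, window_s)
        notes = note_candidates(evs, min_note_dirs)
        if burst >= min_files or notes:
            findings.append({"pid": pid, "image": evs[0].image,
                             "max_files_in_window": burst, "note_candidates": notes})
    return findings


if __name__ == "__main__":
    for f in find_mass_encryption(build_sample_events()):
        print(f"{f['image']} (pid {f['pid']}): {f['max_files_in_window']} files in 60s, "
              f"note candidates: {f['note_candidates']}")
```

Backup agents, indexers and bulk converters also touch many files quickly, so the burst rule is normally scoped by process reputation, user-document paths and file-type changes, while the same-name-in-many-directories rule is a strong signal on its own because few legitimate programs behave that way.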
## Mitigation Strategies
- Comprehensive, offline, and tested backups.
- Application whitelisting to prevent unauthorized executables from running.
## Related Tools/Techniques
- Various Initial Access techniques used by RaaS affiliates.