1. Home
  2. Groups
  3. Magic Hound

Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

ID: G0059
Associated Groups: TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35
Contributors: Anastasios Pingios; Bryan Lee; Daniyal Naeem, BT Security
Version: 4.1
Created: 16 January 2018
Last Modified: 17 April 2022

Associated Group Descriptions

Name Description
TA453

[6][5][7]
COBALT ILLUSION

[4]
Charming Kitten

[8][9][10][2][6][7]
ITG18

[11]
Phosphorus

[12][13][14][3][6][7]
Newscaster

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[15][1]
APT35

[1][3][7]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.[3]
.006 Acquire Infrastructure: Web Services

Magic Hound has acquired Amazon S3 buckets to use in C2.[7]
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to Log4j (CVE-2021-44228).[7]
Enterprise T1071 Application Layer Protocol

Magic Hound malware has used IRC for C2.[15]
.001 Web Protocols

Magic Hound malware has used HTTP for C2.[15]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Magic Hound has used RAR to stage and compress local folders.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Magic Hound malware has used Registry Run keys to establish persistence.[15]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Magic Hound has used PowerShell for execution and privilege escalation.[15][1]
.003 Command and Scripting Interpreter: Windows Command Shell

Magic Hound has used the command-line interface.[15]
.005 Command and Scripting Interpreter: Visual Basic

Magic Hound malware has used VBS scripts for execution.[15]
Enterprise T1586 .002 Compromise Accounts: Email Accounts

Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[11]
Enterprise T1584 .001 Compromise Infrastructure: Domains

Magic Hound has used compromised domains to host links targeted to specific phishing victims.[2][5][3]
Enterprise T1189 Drive-by Compromise

Magic Hound has conducted watering-hole attacks through media and magazine websites.[2]
Enterprise T1114 Email Collection

Magic Hound has compromised email credentials in order to steal sensitive data.[3]
.001 Local Email Collection

Magic Hound has collected .PST archives.[1]
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.[2]
.002 Establish Accounts: Email Accounts

Magic Hound has established email accounts using fake personas for spearphishing operations.[11][6]
Enterprise T1190 Exploit Public-Facing Application

Magic Hound has used open-source JNDI exploit kits to leverage the Log4j (CVE-2021-44228) vulnerability.[7]
Enterprise T1083 File and Directory Discovery

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.[15]
Enterprise T1589 Gather Victim Identity Information

Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.[5]
.001 Credentials

Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites.[11]
.002 Email Addresses

Magic Hound has acquired the personal email addresses of some individuals they intend to target.[5]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[15]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Magic Hound has deleted and overwrote files to cover tracks.[15][1]
Enterprise T1105 Ingress Tool Transfer

Magic Hound has downloaded additional code and files from servers onto victims.[15]

Enterprise T1056 .001 Input Capture: Keylogging

Magic Hound malware is capable of keylogging.[15]
Enterprise T1571 Non-Standard Port

Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP.[15]
Enterprise T1027 Obfuscated Files or Information

Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.[15]
Enterprise T1588 .002 Obtain Capabilities: Tool

Magic Hound has obtained and used open-source penetration testing tools like Havij, sqlmap, Metasploit, and Mimikatz.[16][1][7]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz.[1]
Enterprise T1566 .002 Phishing: Spearphishing Link

Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy.[17][2][3]
.003 Phishing: Spearphishing via Service

Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[18][12][2]
Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Magic Hound has used SMS and email messages with links designed to steal credentials.[3][2][6][5]
Enterprise T1057 Process Discovery

Magic Hound malware can list running processes.[15]
Enterprise T1113 Screen Capture

Magic Hound malware can take a screenshot and upload the file to its C2 server.[15]
Enterprise T1082 System Information Discovery

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[15]
Enterprise T1016 System Network Configuration Discovery

Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[15]
Enterprise T1033 System Owner/User Discovery

Magic Hound malware has obtained the victim username and sent it to the C2 server.[15]
Enterprise T1204 .001 User Execution: Malicious Link

Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[2][3]
.002 User Execution: Malicious File

Magic Hound has attempted to lure victims into opening malicious email attachments.[2]
Enterprise T1102 .002 Web Service: Bidirectional Communication

Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[15]

Software

ID Name References Techniques
S0674 CharmPower [7] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Modify Registry, Process Discovery, Query Registry, Screen Capture, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Web Service, Web Service: Dead Drop Resolver, Windows Management Instrumentation
S0186 DownPaper [8] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Query Registry, System Information Discovery, System Owner/User Discovery
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0192 Pupy [15][1][17] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: PowerShell, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Systemd Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Network Service Discovery, Network Share Discovery, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSA Secrets, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Ticket, Video Capture, Virtualization/Sandbox Evasion: System Checks

References

  1. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  2. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
  3. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
  4. Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
  5. Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
  6. Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
  7. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  8. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  9. Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
  1. ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021.
  2. Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
  3. Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
  4. Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
  5. US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.
  6. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  7. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  8. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
  9. Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.