WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[1][2]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 2.0
Created: 24 May 2019
Last Modified: 15 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.[1]

.005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBScript in its operations.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WIRTE has used Base64 to decode malicious VBS script.[1]

Enterprise T1105 Ingress Tool Transfer

WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate.[2]

Enterprise T1571 Non-Standard Port

WIRTE has used HTTPS over ports 2083 and 2087 for C2.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire for post-exploitation activities.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.[2]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

WIRTE has used regsvr32.exe to trigger the execution of a malicious script.[1]

Enterprise T1204 .002 User Execution: Malicious File

WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.[2]

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Access Token Manipulation: SID-History Injection, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0679 Ferocious [2] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Event Triggered Execution: Component Object Model Hijacking, Indicator Removal on Host: File Deletion, Modify Registry, Peripheral Device Discovery, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S0680 LitePower [2] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Exfiltration Over C2 Channel, Ingress Tool Transfer, Native API, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery

References