
G0059 Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[10][7][3][13][11]

| Item | Value |
|---|---|
| ID | G0059 |
| Associated Names | TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35 |
| Version | 5.1 |
| Created | 16 January 2018 |
| Last Modified | 13 January 2023 |

Associated Group Descriptions

| Name | Description |
|---|---|
| TA453 | [12][11][4] |
| COBALT ILLUSION | [13] |
| Charming Kitten | [5][8][6][7][12][4] |
| ITG18 | [15] |
| Phosphorus | [1][2][14][3][12][4] |
| Newscaster | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[9][10] |
| APT35 | [10][3][4] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | - |
| Enterprise | T1087.003 | Email Account | Magic Hound has used PowerShell to discover email accounts.[19] |
| Enterprise | T1098 | Account Manipulation | Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.[19] |
| Enterprise | T1098.002 | Additional Email Delegate Permissions | Magic Hound granted compromised email accounts read access to the mailboxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[10] |
| Enterprise | T1583 | Acquire Infrastructure | - |
| Enterprise | T1583.001 | Domains | Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.[3] |
| Enterprise | T1583.006 | Web Services | Magic Hound has acquired Amazon S3 buckets to use in C2.[4] |
| Enterprise | T1595 | Active Scanning | - |
| Enterprise | T1595.002 | Vulnerability Scanning | Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j; to the ProxyShell vulnerabilities as well as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in on-premises Microsoft Exchange Servers; and to CVE-2018-13379 in Fortinet FortiOS SSL VPNs.[4][18] |
| Enterprise | T1071 | Application Layer Protocol | Magic Hound malware has used IRC for C2.[9][16] |
| Enterprise | T1071.001 | Web Protocols | Magic Hound has used HTTP for C2.[9][19][16] |
| Enterprise | T1560 | Archive Collected Data | - |
| Enterprise | T1560.001 | Archive via Utility | Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.[10][19][16] |
| Enterprise | T1547 | Boot or Logon Autostart Execution | - |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Magic Hound malware has used Registry Run keys to establish persistence.[9][16][18] |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.001 | PowerShell | Magic Hound has used PowerShell for execution and privilege escalation.[9][10][19][16][18] |
| Enterprise | T1059.003 | Windows Command Shell | Magic Hound has used the command-line interface for code execution.[9][19][16] |
| Enterprise | T1059.005 | Visual Basic | Magic Hound malware has used VBS scripts for execution.[9] |
| Enterprise | T1586 | Compromise Accounts | - |
| Enterprise | T1586.002 | Email Accounts | Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[15] |
| Enterprise | T1584 | Compromise Infrastructure | - |
| Enterprise | T1584.001 | Domains | Magic Hound has used compromised domains to host links targeted to specific phishing victims.[7][11][3][17] |
| Enterprise | T1136 | Create Account | - |
| Enterprise | T1136.001 | Local Account | Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[19][18] |
| Enterprise | T1486 | Data Encrypted for Impact | Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations.[16][18] |
| Enterprise | T1005 | Data from Local System | Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.[19][16] |
| Enterprise | T1482 | Domain Trust Discovery | Magic Hound has used a web shell to execute nltest /trusted_domains to identify trust relationships.[16] |
| Enterprise | T1189 | Drive-by Compromise | Magic Hound has conducted watering-hole attacks through media and magazine websites.[7] |
| Enterprise | T1114 | Email Collection | Magic Hound has compromised email credentials in order to steal sensitive data.[3] |
| Enterprise | T1114.001 | Local Email Collection | Magic Hound has collected .PST archives.[10] |
| Enterprise | T1114.002 | Remote Email Collection | Magic Hound has exported emails from compromised Exchange servers, including through use of the cmdlet New-MailboxExportRequest.[19][16] |
| Enterprise | T1573 | Encrypted Channel | Magic Hound has used an encrypted HTTP proxy in C2 communications.[16] |
| Enterprise | T1585 | Establish Accounts | - |
| Enterprise | T1585.001 | Social Media Accounts | Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them, through messages and voice communications, to open malicious links.[7] |
| Enterprise | T1585.002 | Email Accounts | Magic Hound has established email accounts using fake personas for spearphishing operations.[15][12] |
| Enterprise | T1567 | Exfiltration Over Web Service | Magic Hound has used the Telegram API sendMessage to relay data on compromised devices.[17] |
| Enterprise | T1190 | Exploit Public-Facing Application | Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises Microsoft Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and FortiOS SSL VPNs (CVE-2018-13379).[4][19][20][16][18] |
| Enterprise | T1083 | File and Directory Discovery | Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[9] |
| Enterprise | T1592 | Gather Victim Host Information | - |
| Enterprise | T1592.002 | Software | Magic Hound has captured the user-agent strings of visitors to their phishing sites.[17] |
| Enterprise | T1589 | Gather Victim Identity Information | Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.[11] |
| Enterprise | T1589.001 | Credentials | Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites. Magic Hound has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel.[15][18] |
| Enterprise | T1589.002 | Email Addresses | Magic Hound has identified high-value email accounts in academia, journalism, NGOs, foreign policy, and national security for targeting.[11][17] |
| Enterprise | T1590 | Gather Victim Network Information | - |
| Enterprise | T1590.005 | IP Addresses | Magic Hound has captured the IP addresses of visitors to their phishing sites.[17] |
| Enterprise | T1591 | Gather Victim Org Information | - |
| Enterprise | T1591.001 | Determine Physical Locations | Magic Hound has collected location information from visitors to their phishing sites.[17] |
| Enterprise | T1564 | Hide Artifacts | - |
| Enterprise | T1564.003 | Hidden Window | Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[9] |
| Enterprise | T1562 | Impair Defenses | Magic Hound has disabled LSA protection on compromised hosts using "reg" add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f.[19] |
| Enterprise | T1562.001 | Disable or Modify Tools | Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.[19] |
| Enterprise | T1562.002 | Disable Windows Event Logging | Magic Hound has executed scripts to disable the event log service.[16] |
| Enterprise | T1562.004 | Disable or Modify System Firewall | Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic: "netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389.[19][16] |
| Enterprise | T1070 | Indicator Removal | - |
| Enterprise | T1070.003 | Clear Command History | Magic Hound has removed mailbox export requests from compromised Exchange servers.[19] |
| Enterprise | T1070.004 | File Deletion | Magic Hound has deleted and overwritten files to cover its tracks.[9][10][16] |
| Enterprise | T1105 | Ingress Tool Transfer | Magic Hound has downloaded additional code and files from servers onto victims.[9][19][16][18] |
| Enterprise | T1056 | Input Capture | - |
| Enterprise | T1056.001 | Keylogging | Magic Hound malware is capable of keylogging.[9] |
| Enterprise | T1570 | Lateral Tool Transfer | Magic Hound has copied tools within a compromised network using RDP.[16] |
| Enterprise | T1036 | Masquerading | - |
| Enterprise | T1036.004 | Masquerade Task or Service | Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.[16] |
| Enterprise | T1036.005 | Match Legitimate Name or Location | Magic Hound has used the name dllhost.exe to mask Fast Reverse Proxy (FRP) and MicrosoftOutLookUpdater.exe to mask Plink.[19][16][18] |
| Enterprise | T1112 | Modify Registry | Magic Hound has modified Registry settings for security tools.[19] |
| Enterprise | T1046 | Network Service Discovery | Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.[16] |
| Enterprise | T1571 | Non-Standard Port | Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[9][16] |
| Enterprise | T1027 | Obfuscated Files or Information | Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.[9][18] |
| Enterprise | T1027.010 | Command Obfuscation | Magic Hound has used base64-encoded commands.[9][18] |
| Enterprise | T1588 | Obtain Capabilities | - |
| Enterprise | T1588.002 | Tool | Magic Hound has obtained and used tools such as Havij, sqlmap, Metasploit, Mimikatz, and Plink.[2][3][10][4][16][18] |
| Enterprise | T1003 | OS Credential Dumping | - |
| Enterprise | T1003.001 | LSASS Memory | Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager and comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.[10][19][16][18] |
| Enterprise | T1566 | Phishing | - |
| Enterprise | T1566.002 | Spearphishing Link | Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.[2][17][3][18] |
| Enterprise | T1566.003 | Spearphishing via Service | Magic Hound has used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[22][17] |
| Enterprise | T1598 | Phishing for Information | - |
| Enterprise | T1598.003 | Spearphishing Link | Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.[3][7][12][11][17][18] |
| Enterprise | T1057 | Process Discovery | Magic Hound malware can list running processes.[9] |
| Enterprise | T1572 | Protocol Tunneling | Magic Hound has used Plink to tunnel RDP over SSH.[16] |
| Enterprise | T1090 | Proxy | Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic.[16] |
| Enterprise | T1021 | Remote Services | - |
| Enterprise | T1021.001 | Remote Desktop Protocol | Magic Hound has used Remote Desktop Services to copy tools onto targeted systems.[19][16] |
| Enterprise | T1018 | Remote System Discovery | Magic Hound has used Ping for discovery on targeted networks.[16] |
| Enterprise | T1053 | Scheduled Task/Job | - |
| Enterprise | T1053.005 | Scheduled Task | Magic Hound has used scheduled tasks to establish persistence and execution.[19][16] |
| Enterprise | T1113 | Screen Capture | Magic Hound malware can take a screenshot and upload the file to its C2 server.[9] |
| Enterprise | T1505 | Server Software Component | - |
| Enterprise | T1505.003 | Web Shell | Magic Hound has used multiple web shells to gain execution.[19][16] |
| Enterprise | T1218 | System Binary Proxy Execution | - |
| Enterprise | T1218.011 | Rundll32 | Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.[19] |
| Enterprise | T1082 | System Information Discovery | Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[9][19][16] |
| Enterprise | T1016 | System Network Configuration Discovery | Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[9][19][16] |
| Enterprise | T1016.001 | Internet Connection Discovery | Magic Hound has conducted a network call-out to a specific website as part of its initial discovery activity.[16] |
| Enterprise | T1049 | System Network Connections Discovery | Magic Hound has used quser.exe to identify existing RDP connections.[19] |
| Enterprise | T1033 | System Owner/User Discovery | Magic Hound malware has obtained the victim username and sent it to the C2 server.[9][19][16] |
| Enterprise | T1204 | User Execution | - |
| Enterprise | T1204.001 | Malicious Link | Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[7][3] |
| Enterprise | T1204.002 | Malicious File | Magic Hound has attempted to lure victims into opening malicious email attachments.[7] |
| Enterprise | T1078 | Valid Accounts | - |
| Enterprise | T1078.001 | Default Accounts | Magic Hound enabled and used the default system-managed account, DefaultAccount, via "powershell.exe" /c net user DefaultAccount /active:yes to connect to a targeted Exchange server over RDP.[16] |
| Enterprise | T1078.002 | Domain Accounts | Magic Hound has used domain administrator accounts after dumping LSASS process memory.[16] |
| Enterprise | T1102 | Web Service | - |
| Enterprise | T1102.002 | Bidirectional Communication | Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[9] |
| Enterprise | T1047 | Windows Management Instrumentation | Magic Hound has used a tool to run cmd /c wmic computersystem get domain for discovery.[19] |
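The fraudulent domains quoted under T1583.001 (mail-newyorker.com, news12.com.recover-session-service.site) and the credential-phishing links under T1598.003 share two constructions: a trusted registrable domain planted as a subdomain of an attacker-controlled domain, and a brand label with a hyphenated prefix inside the attacker's own registrable domain. The Python below is an added example written for this page, not code from the ATT&CK project or from any of the cited reports. It generalises the two observed domains to any watchlist: the tiny PUBLIC_SUFFIXES set and the PROTECTED set are assumptions standing in for the real Public Suffix List and an organisation's brand inventory, and the sample hosts are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: a deliberately tiny public-suffix list. Production code should
# load the real Public Suffix List (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "site", "info", "co.uk", "com.au"}

# Assumption: the domains this organisation wants to protect. The newyorker and
# news12 entries are the brands impersonated by the domains on this page.
PROTECTED = {"newyorker.com", "news12.com", "microsoft.com", "google.com"}


def labels(host: str) -> list[str]:
    """Lower-case the host, strip a trailing dot, split into DNS labels."""
    return host.strip().lower().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for host, trying the longest known suffix first."""
    parts = labels(host)
    for n in (2, 1):                       # "co.uk" must win over "uk"
        if len(parts) > n and ".".join(parts[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(parts[-(n + 1):])
    return ".".join(parts[-2:])            # unknown suffix: fall back to last two labels


@dataclass(frozen=True)
class Verdict:
    host: str
    registrable: str
    reason: Optional[str]                  # None when nothing looks wrong


def assess(host: str) -> Verdict:
    h = ".".join(labels(host))
    reg = registrable_domain(h)
    if reg in PROTECTED:                   # the genuine site or one of its own subdomains
        return Verdict(h, reg, None)
    # Pattern 1: a protected domain embedded as a subdomain of someone else's
    # registrable domain, e.g. news12.com.recover-session-service.site
    for p in PROTECTED:
        if f".{p}." in f".{h}":
            return Verdict(h, reg, f"protected domain {p} is a subdomain of {reg}")
    # Pattern 2: the brand label decorated inside the attacker's own registrable
    # domain, e.g. mail-newyorker.com
    reg_label = reg.split(".")[0]
    for p in PROTECTED:
        brand = p.split(".")[0]
        if brand in reg_label and reg_label != brand:
            return Verdict(h, reg, f"brand label {brand!r} embedded in {reg}")
    return Verdict(h, reg, None)


def flag_hosts(hosts) -> dict[str, str]:
    """Map each suspicious host to the reason it was flagged."""
    out = {}
    for host in hosts:
        v = assess(host)
        if v.reason:
            out[v.host] = v.reason
    return out


# Constructed sample: the two domains from this page plus benign look-alikes.
SAMPLE_HOSTS = [
    "mail-newyorker.com",
    "news12.com.recover-session-service.site",
    "www.newyorker.com",
    "login.microsoft.com",
    "example.com",
]

if __name__ == "__main__":
    for host, why in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: {why}")
```

The check is deliberately conservative: it never flags a host whose registrable domain is itself on the protected list, so genuine subdomains such as login.microsoft.com pass, and it does not attempt typosquat detection (newy0rker.com), which needs an edit-distance pass on top of this.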

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0674 | CharmPower | [4] | Web Protocols:Application Layer Protocol, PowerShell:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Standard Encoding:Data Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Symmetric Cryptography:Encrypted Channel, Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, File Deletion:Indicator Removal, Ingress Tool Transfer, Modify Registry, Process Discovery, Query Registry, Screen Capture, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Web Service, Dead Drop Resolver:Web Service, Windows Management Instrumentation |
| S0186 | DownPaper | [5] | Web Protocols:Application Layer Protocol, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Query Registry, System Information Discovery, System Owner/User Discovery |
| S0357 | Impacket | [16] | LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle, Network Sniffing, NTDS:OS Credential Dumping, Security Account Manager:OS Credential Dumping, LSA Secrets:OS Credential Dumping, LSASS Memory:OS Credential Dumping, Kerberoasting:Steal or Forge Kerberos Tickets, Service Execution:System Services, Windows Management Instrumentation |
| S0100 | ipconfig | [19][16] | System Network Configuration Discovery |
| S0002 | Mimikatz | [10] | SID-History Injection:Access Token Manipulation, Account Manipulation, Security Support Provider:Boot or Logon Autostart Execution, Credentials from Password Stores, Windows Credential Manager:Credentials from Password Stores, Credentials from Web Browsers:Credentials from Password Stores, LSASS Memory:OS Credential Dumping, DCSync:OS Credential Dumping, Security Account Manager:OS Credential Dumping, LSA Secrets:OS Credential Dumping, Rogue Domain Controller, Steal or Forge Authentication Certificates, Silver Ticket:Steal or Forge Kerberos Tickets, Golden Ticket:Steal or Forge Kerberos Tickets, Private Keys:Unsecured Credentials, Pass the Ticket:Use Alternate Authentication Material, Pass the Hash:Use Alternate Authentication Material |
| S0039 | Net | [19][16] | Domain Account:Account Discovery, Local Account:Account Discovery, Local Account:Create Account, Domain Account:Create Account, Network Share Connection Removal:Indicator Removal, Network Share Discovery, Password Policy Discovery, Local Groups:Permission Groups Discovery, Domain Groups:Permission Groups Discovery, SMB/Windows Admin Shares:Remote Services, Remote System Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, System Time Discovery |
| S0108 | netsh | [19] | Netsh Helper DLL:Event Triggered Execution, Disable or Modify System Firewall:Impair Defenses, Proxy, Security Software Discovery:Software Discovery |
| S0097 | Ping | [16] | Remote System Discovery |
| S1012 | PowerLess | [20] | Archive Collected Data, Browser Information Discovery, PowerShell:Command and Scripting Interpreter, Data from Local System, Local Data Staging:Data Staged, Deobfuscate/Decode Files or Information, Encrypted Channel, Ingress Tool Transfer, Keylogging:Input Capture |
| S0029 | PsExec | [10] | Domain Account:Create Account, Windows Service:Create or Modify System Process, Lateral Tool Transfer, SMB/Windows Admin Shares:Remote Services, Service Execution:System Services |
| S0192 | Pupy | [9][10][21] | Bypass User Account Control:Abuse Elevation Control Mechanism, Token Impersonation/Theft:Access Token Manipulation, Local Account:Account Discovery, LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle, Web Protocols:Application Layer Protocol, Archive via Utility:Archive Collected Data, Audio Capture, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Python:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Local Account:Create Account, Domain Account:Create Account, Systemd Service:Create or Modify System Process, Credentials from Password Stores, Credentials from Web Browsers:Credentials from Password Stores, Local Email Collection:Email Collection, Asymmetric Cryptography:Encrypted Channel, Exfiltration Over C2 Channel, File and Directory Discovery, Clear Windows Event Logs:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Network Service Discovery, Network Share Discovery, LSASS Memory:OS Credential Dumping, LSA Secrets:OS Credential Dumping, Cached Domain Credentials:OS Credential Dumping, Process Discovery, Dynamic-link Library Injection:Process Injection, Remote Desktop Protocol:Remote Services, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Service Execution:System Services, Credentials In Files:Unsecured Credentials, Pass the Ticket:Use Alternate Authentication Material, Video Capture, System Checks:Virtualization/Sandbox Evasion |
| S0096 | Systeminfo | [16] | System Information Discovery |
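Several rows of the Techniques table, together with the Net and netsh entries in the Software table, quote the exact command lines the group ran on compromised Exchange servers: the comsvcs.dll MiniDump of LSASS (T1003.001, T1218.011), RunAsPPL set to 0 (T1562), the netsh rule for TCP/3389 (T1562.004), enabling DefaultAccount (T1078.001) and adding it to local groups (T1098), mailbox delegation (T1098.002), New-MailboxExportRequest and its later removal (T1114.002, T1070.003), and nltest/wmic discovery (T1482, T1047). The Python below is an added example for this page, not code from the ATT&CK project or from any cited report. It normalises process command lines the way this group varies them (quoted image names, irregular whitespace), maps each match back to the technique ID, and collapses hits per host so the chain on a single box becomes visible. The events, host names and user names are constructed; in practice the command line comes from Sysmon Event ID 1, Security 4688 with command-line auditing, or PowerShell 4104 script-block logs.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str      # ATT&CK ID this page maps the procedure to
    title: str
    pattern: re.Pattern


def rx(p: str) -> re.Pattern:
    return re.compile(p, re.IGNORECASE)


# Each rule matches one normalised process command line. Lookaheads make the
# reg/netsh rules order-independent, so reordered arguments still match.
RULES = [
    Rule("T1003.001", "LSASS dump via rundll32 comsvcs.dll MiniDump",
         rx(r"rundll32(\.exe)?\s+\S*comsvcs(\.dll)?\s*,\s*(#\s*24|minidump)\b")),
    Rule("T1562", "LSA protection (RunAsPPL) set to 0",
         rx(r"\breg(\.exe)?\s+add\s+\S*\\control\\lsa\b(?=.*\s/v\s+runasppl\b)(?=.*\s/d\s+0x?0*(\s|$))")),
    Rule("T1562.004", "Firewall rule allowing inbound TCP/3389",
         rx(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)(?=.*\blocalport=3389\b)")),
    Rule("T1078.001", "Built-in DefaultAccount enabled",
         rx(r"\bnet1?(\.exe)?\s+user\s+defaultaccount\s+/active:yes\b")),
    Rule("T1136.001", "Local account created with a name seen in these intrusions",
         rx(r"\bnet1?(\.exe)?\s+user\s+(help|defaultaccount)\s+\S+\s+/add\b")),
    Rule("T1098", "Account added to Administrators or Remote Desktop Users",
         rx(r"\bnet1?(\.exe)?\s+localgroup\s+(administrators|remote desktop users)\s+\S+\s+/add\b")),
    Rule("T1098.002", "Mailbox delegate permission granted",
         rx(r"\badd-mailboxpermission\b.*-accessrights\s+\S*(fullaccess|readpermission)")),
    Rule("T1114.002", "Exchange mailbox export requested", rx(r"\bnew-mailboxexportrequest\b")),
    Rule("T1070.003", "Exchange mailbox export request removed", rx(r"\bremove-mailboxexportrequest\b")),
    Rule("T1482", "Domain trust enumeration with nltest",
         rx(r"\bnltest(\.exe)?\s+/(trusted_domains|domain_trusts)\b")),
    Rule("T1047", "Domain discovery with wmic",
         rx(r"\bwmic(\.exe)?\s+computersystem\s+get\s+domain\b")),
]


def normalize(cmdline: str) -> str:
    """Drop quoting and collapse whitespace so '"reg" add ...' is seen as 'reg add ...'."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip()


def detect(events):
    """events: iterable of (host, user, command_line). Returns one hit per matching rule."""
    hits = []
    for host, user, raw in events:
        cmd = normalize(raw)
        for rule in RULES:
            if rule.pattern.search(cmd):
                hits.append({"host": host, "user": user, "technique": rule.technique,
                             "title": rule.title, "cmd": cmd})
    return hits


def techniques_by_host(hits) -> dict[str, list[str]]:
    """Collapse hits to host -> sorted technique IDs, exposing the chain on one box."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["technique"])
    return {host: sorted(ids) for host, ids in out.items()}


# Constructed telemetry (not real logs): the commands quoted on this page on an
# Exchange server, two discovery commands on a workstation, and two benign
# look-alikes (PPL being enabled, a 443 firewall rule) that must not fire.
SAMPLE_EVENTS = [
    ("EXCH01", "CORP\\svc_backup", 'cmd.exe /c rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 652 C:\\ProgramData\\lsass.dmp full'),
    ("EXCH01", "CORP\\svc_backup", '"reg" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v RunAsPPL /t REG_DWORD /d 0 /f'),
    ("EXCH01", "CORP\\svc_backup", '"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389'),
    ("EXCH01", "CORP\\svc_backup", '"powershell.exe" /c net user DefaultAccount /active:yes'),
    ("EXCH01", "CORP\\svc_backup", 'net localgroup "Remote Desktop Users" DefaultAccount /add'),
    ("EXCH01", "CORP\\svc_backup", 'powershell.exe -c Add-MailboxPermission -Identity ceo -User svc_backup -AccessRights FullAccess -InheritanceType All'),
    ("EXCH01", "CORP\\svc_backup", 'powershell.exe -c New-MailboxExportRequest -Mailbox cfo -FilePath \\\\EXCH01\\c$\\temp\\cfo.pst'),
    ("EXCH01", "CORP\\svc_backup", 'powershell.exe -c Get-MailboxExportRequest | Remove-MailboxExportRequest -Confirm:$false'),
    ("WS17", "CORP\\svc_backup", 'nltest /trusted_domains'),
    ("WS17", "CORP\\svc_backup", 'cmd /c wmic computersystem get domain'),
    ("WS02", "CORP\\admin", 'reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f'),
    ("WEB01", "CORP\\admin", 'netsh advfirewall firewall add rule name="HTTPS" dir=in action=allow protocol=TCP localport=443'),
]

if __name__ == "__main__":
    for host, ids in techniques_by_host(detect(SAMPLE_EVENTS)).items():
        print(host, ", ".join(ids))
```

Two caveats a practitioner should carry over: the RunAsPPL rule fires only on a value of 0, so legitimate hardening (/d 1) stays quiet, and the Exchange cmdlets appear in process command lines only when invoked through powershell.exe -c; an operator working inside an interactive Exchange Management Shell leaves them in the Exchange admin audit log instead, which this example does not parse.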

References

1. Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
2. Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
3. Certfa Labs. (2021, January 8). Charming Kitten's Christmas Gift. Retrieved May 3, 2021.
4. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
5. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
6. ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. Retrieved April 21, 2021.
7. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
8. Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
9. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
10. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
11. Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
12. Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
13. Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
14. US District Court of DC. (2019, March 14). Microsoft Corporation v. John Does 1-2, Controlling a Computer Network and Thereby Injuring Plaintiff and Its Customers. Retrieved March 8, 2021.
15. Wikoff, A. and Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
16. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
17. Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
18. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
19. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
20. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
21. Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.
22. Check Point Software Technologies. (2015). Rocket Kitten: A Campaign with 9 Lives. Retrieved March 16, 2018.