Skip to content

G0090 WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.12

Item Value
ID G0090
Associated Names
Version 2.0
Created 24 May 2019
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols WIRTE has used HTTP for network communication.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell WIRTE has used PowerShell for script execution.1
enterprise T1059.005 Visual Basic WIRTE has used VBScript in its operations.1
enterprise T1140 Deobfuscate/Decode Files or Information WIRTE has used Base64 to decode malicious VBS script.1
enterprise T1105 Ingress Tool Transfer WIRTE has downloaded PowerShell code from the C2 server to be executed.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate.2
enterprise T1571 Non-Standard Port WIRTE has used HTTPS over ports 2083 and 2087 for C2.2
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool WIRTE has obtained and used Empire for post-exploitation activities.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 WIRTE has used regsvr32.exe to trigger the execution of a malicious script.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.2

Software

ID Name References Techniques
S0363 Empire - Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Shortcut Modification:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Bookmark Discovery Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Commonly Used Port Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Exfiltration to Code Repository:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Timestomp:Indicator Removal on Host Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Golden Ticket:Steal or Forge Kerberos Tickets Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Private Keys:Unsecured Credentials Credentials In Files:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0679 Ferocious - Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Component Object Model Hijacking:Event Triggered Execution File Deletion:Indicator Removal on Host Modify Registry Peripheral Device Discovery Security Software Discovery:Software Discovery System Information Discovery System Checks:Virtualization/Sandbox Evasion
S0680 LitePower - Web Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Exfiltration Over C2 Channel Ingress Tool Transfer Native API Query Registry Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Owner/User Discovery

References

Back to top