Skip to content

G0100 Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.123

Item Value
ID G0100
Associated Names Inception Framework, Cloud Atlas
Version 1.1
Created 08 May 2020
Last Modified 12 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Inception Framework 2
Cloud Atlas 3

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Inception has used HTTP, HTTPS, and WebDav in network communications.31
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Inception has maintained persistence by modifying Registry run key value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Inception has used PowerShell to execute malicious commands and payloads.13
enterprise T1059.005 Visual Basic Inception has used VBScript to execute malicious commands and payloads.13
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.2
enterprise T1005 Data from Local System Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.4
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Inception has encrypted network communications with AES.3
enterprise T1203 Exploitation for Client Execution Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.4321
enterprise T1083 File and Directory Discovery Inception used a file listing plugin to collect information about file and directories both on local and remote drives.2
enterprise T1027 Obfuscated Files or Information Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.3
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Inception has obtained and used open-source tools such as LaZagne.4
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups Inception has used specific malware modules to gather domain membership.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.3214
enterprise T1057 Process Discovery Inception has used a reconnaissance module to identify active processes and other associated loaded modules.2
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.2
enterprise T1518 Software Discovery Inception has enumerated installed software on compromised systems.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Inception has used malicious HTA files to drop and execute malware.4
enterprise T1218.010 Regsvr32 Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.3
enterprise T1082 System Information Discovery Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.2
enterprise T1221 Template Injection Inception has used decoy documents to load malicious remote payloads via HTTP.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.3421
enterprise T1102 Web Service Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.32

Software

ID Name References Techniques
S0349 LaZagne 4 Keychain:Credentials from Password Stores Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores /etc/passwd and /etc/shadow:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0441 PowerShower 1 Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding Exfiltration Over C2 Channel Hidden Window:Hide Artifacts File Deletion:Indicator Removal Modify Registry Process Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0442 VBShower 4 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter File Deletion:Indicator Removal Ingress Tool Transfer

References

  1. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  2. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020. 

  3. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  4. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.