Skip to content

G0112 Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.123

Item Value
ID G0112
Associated Names Bahamut
Version 1.1
Created 25 June 2020
Last Modified 26 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Bahamut 1

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Windshift has used tools that communicate with C2 over HTTP.4
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Windshift has created LNK files in the Startup folder to establish persistence.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic Windshift has used Visual Basic 6 (VB6) payloads.4
enterprise T1189 Drive-by Compromise Windshift has used compromised websites to register custom URL schemes on a remote system.2
enterprise T1105 Ingress Tool Transfer Windshift has used tools to deploy additional payloads to compromised hosts.4
enterprise T1036 Masquerading Windshift has used icons mimicking MS Office files to mask malicious executables.2 Windshift has also attempted to hide executables by changing the file extension to “.scr” to mimic Windows screensavers.4
enterprise T1036.001 Invalid Code Signature Windshift has used revoked certificates to sign malware.21
enterprise T1027 Obfuscated Files or Information Windshift has used string encoding with floating point calculations.4
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Windshift has sent spearphishing emails with attachment to harvest credentials and deliver malware.1
enterprise T1566.002 Spearphishing Link Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.1
enterprise T1566.003 Spearphishing via Service Windshift has used fake personas on social media to engage and target victims.1
enterprise T1057 Process Discovery Windshift has used malware to enumerate active processes.4
enterprise T1518 Software Discovery Windshift has used malware to identify installed software.4
enterprise T1518.001 Security Software Discovery Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.4
enterprise T1082 System Information Discovery Windshift has used malware to identify the computer name of a compromised host.4
enterprise T1033 System Owner/User Discovery Windshift has used malware to identify the username on a compromised host.4
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Windshift has used links embedded in e-mails to lure victims into executing malicious code.1
enterprise T1204.002 Malicious File Windshift has used e-mail attachments to lure victims into executing malicious code.1
enterprise T1047 Windows Management Instrumentation Windshift has used WMI to collect information about target machines.4
mobile T1432 Access Contact List Windshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.4
mobile T1429 Capture Audio Windshift has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.4
mobile T1512 Capture Camera Windshift has included video recording in the malicious apps deployed as part of Operation BULL.4
mobile T1412 Capture SMS Messages Windshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.4
mobile T1533 Data from Local System Windshift has exfiltrated local account data and calendar information as part of Operation ROCK.4
mobile T1475 Deliver Malicious App via Authorized App Store Windshift has distributed malicious apps via the Google Play Store and Apple App Store.4
mobile T1476 Deliver Malicious App via Other Means Windshift has distributed malicious apps via their own websites during Operation BULL.4
mobile T1407 Download New Code at Runtime Windshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.4
mobile T1523 Evade Analysis Environment Windshift has deployed anti-analysis capabilities during their Operation BULL campaign.4
mobile T1420 File and Directory Discovery Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.4
mobile T1581 Geofencing Windshift has region-locked their malicious applications during their Operation BULL campaign.4
mobile T1417 Input Capture Windshift has included keylogging capabilities as part of Operation ROCK.4
mobile T1478 Install Insecure or Malicious Configuration Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.4
mobile T1430 Location Tracking Windshift has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.4
mobile T1406 Obfuscated Files or Information Windshift has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.4
mobile T1521 Standard Cryptographic Protocol Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.4
mobile T1426 System Information Discovery Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.4

Software

ID Name References Techniques
S0466 WindTail 123 Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Automated Collection Unix Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol File and Directory Discovery Hidden Window:Hide Artifacts File Deletion:Indicator Removal on Host Invalid Code Signature:Masquerading Masquerading Native API Obfuscated Files or Information System Time Discovery

References

Back to top