G0112 Windshift
Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. [1][2][3]
Item | Value |
---|---|
ID | G0112 |
Associated Names | Bahamut |
Version | 1.1 |
Created | 25 June 2020 |
Last Modified | 26 April 2021 |
Associated Group Descriptions
Name | Description |
---|---|
Bahamut | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Windshift has used tools that communicate with C2 over HTTP. [4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Windshift has created LNK files in the Startup folder to establish persistence. [4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.005 | Visual Basic | Windshift has used Visual Basic 6 (VB6) payloads. [4] |
enterprise | T1189 | Drive-by Compromise | Windshift has used compromised websites to register custom URL schemes on a remote system. [2] |
enterprise | T1105 | Ingress Tool Transfer | Windshift has used tools to deploy additional payloads to compromised hosts. [4] |
enterprise | T1036 | Masquerading | Windshift has used icons mimicking MS Office files to mask malicious executables. [2] Windshift has also attempted to hide executables by changing the file extension to “.scr” to mimic Windows screensavers. [4] |
enterprise | T1036.001 | Invalid Code Signature | Windshift has used revoked certificates to sign malware. [2][1] |
enterprise | T1027 | Obfuscated Files or Information | Windshift has used string encoding with floating point calculations. [4] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware. [1] |
enterprise | T1566.002 | Spearphishing Link | Windshift has sent spearphishing emails with links to harvest credentials and deliver malware. [1] |
enterprise | T1566.003 | Spearphishing via Service | Windshift has used fake personas on social media to engage and target victims. [1] |
enterprise | T1057 | Process Discovery | Windshift has used malware to enumerate active processes. [4] |
enterprise | T1518 | Software Discovery | Windshift has used malware to identify installed software. [4] |
enterprise | T1518.001 | Security Software Discovery | Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools. [4] |
enterprise | T1082 | System Information Discovery | Windshift has used malware to identify the computer name of a compromised host. [4] |
enterprise | T1033 | System Owner/User Discovery | Windshift has used malware to identify the username on a compromised host. [4] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Windshift has used links embedded in e-mails to lure victims into executing malicious code. [1] |
enterprise | T1204.002 | Malicious File | Windshift has used e-mail attachments to lure victims into executing malicious code. [1] |
enterprise | T1047 | Windows Management Instrumentation | Windshift has used WMI to collect information about target machines. [4] |
mobile | T1429 | Audio Capture | Windshift has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK. [4] |
mobile | T1533 | Data from Local System | Windshift has exfiltrated local account data and calendar information as part of Operation ROCK. [4] |
mobile | T1407 | Download New Code at Runtime | Windshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL. [4] |
mobile | T1521 | Encrypted Channel | - |
mobile | T1521.001 | Symmetric Cryptography | Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK. [4] |
mobile | T1627 | Execution Guardrails | - |
mobile | T1627.001 | Geofencing | Windshift has region-locked their malicious applications during their Operation BULL campaign. [4] |
mobile | T1420 | File and Directory Discovery | Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK. [4] |
mobile | T1417 | Input Capture | - |
mobile | T1417.001 | Keylogging | Windshift has included keylogging capabilities as part of Operation ROCK. [4] |
mobile | T1430 | Location Tracking | Windshift has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK. [4] |
mobile | T1406 | Obfuscated Files or Information | Windshift has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file. [4] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.003 | Contact List | Windshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL. [4] |
mobile | T1636.004 | SMS Messages | Windshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK. [4] |
mobile | T1632 | Subvert Trust Controls | - |
mobile | T1632.001 | Code Signing Policy Modification | Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK. [4] |
mobile | T1426 | System Information Discovery | Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK. [4] |
mobile | T1512 | Video Capture | Windshift has included video recording in the malicious apps deployed as part of Operation BULL. [4] |
mobile | T1633 | Virtualization/Sandbox Evasion | - |
mobile | T1633.001 | System Checks | Windshift has deployed anti-analysis capabilities during their Operation BULL campaign. [4] |
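Two of the Windows-side entries in the table above can be checked for directly on a host or a file collection: the renamed-executable masquerade under T1036 (a PE given a “.scr” extension, or an Office-style document name) and the Startup-folder shortcut under T1547.001. The triage helper below is an added example written for this page; it is not Windshift tooling and not MITRE code. The file records it runs over are constructed, and the Startup-folder path, the extension sets and the “PE named .scr outside C:\Windows” heuristic are assumptions chosen for illustration, not indicators taken from the cited reports.

```python
"""Triage of two Windows-side Windshift patterns from the table above:
a PE renamed to .scr (or given a document-style double extension) and a
shortcut planted in the per-user Startup folder. Added example for this page,
not Windshift tooling or MITRE code; every sample record is constructed."""
import struct
from pathlib import PureWindowsPath

# Assumed heuristics chosen for illustration, not indicators from the cited reports.
STARTUP_SUFFIX = PureWindowsPath(
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
WINDOWS_DIR = PureWindowsPath("C:/Windows")
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}


def is_pe(data: bytes) -> bool:
    """True if data carries an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _lower_parts(path: PureWindowsPath) -> list[str]:
    return [p.lower() for p in path.parts]


def under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root', compared component by component."""
    p, r = _lower_parts(path), _lower_parts(root)
    return p[:len(r)] == r


def in_startup_folder(path: PureWindowsPath) -> bool:
    """True if the file sits in any user's Start Menu\\Programs\\Startup folder."""
    p, s = _lower_parts(path.parent), _lower_parts(STARTUP_SUFFIX)
    return len(p) >= len(s) and p[-len(s):] == s


def triage(path_str: str, data: bytes) -> list[str]:
    """Return human-readable findings for one file record (empty list = clean)."""
    path = PureWindowsPath(path_str)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    findings: list[str] = []
    if is_pe(data):
        if ext not in EXEC_EXTS:
            findings.append(f"PE content behind non-executable extension {ext or '(none)'}")
        if ext == ".scr" and not under(path, WINDOWS_DIR):
            # legitimate screensavers live under the Windows directory
            findings.append("screensaver-named PE outside the Windows directory")
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and ext in EXEC_EXTS:
        findings.append(f"document-style double extension {suffixes[-2]}{ext}")
    if ext == ".lnk" and in_startup_folder(path):
        findings.append("shortcut in per-user Startup folder")
    return findings


def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header: e_lfanew = 0x40, PE signature, nothing else."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed file records (path -> leading bytes); none are real Windshift artifacts.
SAMPLES = {
    r"C:\Users\bob\Downloads\Q4 report.docx.scr": fake_pe(),
    r"C:\Windows\System32\scrnsave.scr": fake_pe(),
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk": b"L\x00\x00\x00",
    r"C:\Users\bob\Documents\notes.txt": b"meeting notes",
}


def run(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Triage every record and map path -> findings."""
    return {p: triage(p, d) for p, d in samples.items()}


if __name__ == "__main__":
    for p, f in run().items():
        print(p, "->", "; ".join(f) or "clean")
```

The PE check reads e_lfanew rather than trusting the extension, which is what separates a renamed executable from a document; the Startup-folder check only flags that a shortcut is present, so resolving each LNK target is still a manual or separate step.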
Software
References
- [1] Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
- [2] Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
- [3] Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- [4] The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.