
G1020 Mustard Tempest

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware, including LockBit, WastedLocker, and remote access tools.[3][2][4][1]

Item Value
ID G1020
Associated Names DEV-0206, TA569, GOLD PRELUDE, UNC1543
Version 1.0
Created 06 December 2023
Last Modified 25 March 2024

Associated Group Descriptions

Name Description
DEV-0206 [2]
TA569 [4]
GOLD PRELUDE [4]
UNC1543 [4]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.004 Server Mustard Tempest has acquired servers to host second-stage payloads; a given server remains active for days, weeks, or months.[5]
enterprise T1583.008 Malvertising Mustard Tempest has posted false advertisements, including for software packages and browser updates, in order to distribute malware.[3]
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains Mustard Tempest operates a global network of compromised websites that redirect into a traffic distribution system (TDS), which selects victims to be served a fake browser update page.[4][1][5][6]
enterprise T1189 Drive-by Compromise Mustard Tempest has used drive-by downloads for initial infection, often using fake browser updates as a lure.[1][5][6][4]
enterprise T1105 Ingress Tool Transfer Mustard Tempest has deployed secondary payloads and third-stage implants to compromised hosts.[3]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Resource Name or Location Mustard Tempest has used the filename AutoUpdater.js to mimic legitimate update files, and has also substituted the Cyrillic homoglyphs С (U+0421, UTF-8 bytes 0xD0 0xA1) and а (U+0430, UTF-8 bytes 0xD0 0xB0) for the Latin letters C and a to produce the filename Сhrome.Updаte.zip.[6][1]
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link Mustard Tempest has sent victims emails containing links to compromised websites.[1]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Mustard Tempest has hosted payloads on acquired second-stage servers for periods of days, weeks, or months.[5]
enterprise T1608.004 Drive-by Target Mustard Tempest has injected malicious JavaScript into compromised websites to infect visitors via drive-by download.[1][5][6][4]
enterprise T1608.006 SEO Poisoning Mustard Tempest has poisoned search engine results so that they return fake software updates, in order to distribute malware.[3][1]
enterprise T1082 System Information Discovery Mustard Tempest has used implants to perform system reconnaissance on targeted systems.[3]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.[3][1]
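The T1584.001 and T1608.004 rows describe the delivery side of this network: a legitimate site is compromised and a script is injected into its pages. A site owner can catch that condition by diffing the page's script elements against a first-party baseline. The following is an added example written for this page; it is not MITRE's code and not the actor's injected script. The allowed hosts (all under reserved example.* domains), the baseline inline-script hash and both HTML samples are constructed for the illustration.

```python
"""Audit a page's <script> elements against a first-party baseline.

Added example; it is not MITRE's code and not the actor's injected script.
The baseline, the hostnames (all under reserved example.* domains) and both
HTML samples are constructed for this illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(html: str, allowed_hosts: set, known_inline: set) -> list:
    """Return (kind, detail) findings for scripts that are not in the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlsplit(src).hostname  # None for relative, first-party paths
        if host is not None and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        if sha256_hex(body) not in known_inline:
            findings.append(("unknown-inline-script", body[:60]))
    return findings


# Constructed baseline for a site served from www.example.com.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
BASELINE_INLINE = {sha256_hex("window.dataLayer = window.dataLayer || [];")}

CLEAN_PAGE = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>hello</p></body></html>"""

# The same page after a hypothetical injection: one off-site loader plus an
# inline stub that sends visitors to a lure host (constructed, not real IOCs).
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://cdn.example.net/loader.js"></script>\n'
    "<script>location.replace('https://update.example.org/');</script>\n</head>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit(page, ALLOWED_HOSTS, BASELINE_INLINE))
```

Relative `src` values are treated as first-party because `urlsplit` yields no hostname for them; protocol-relative (`//host/x.js`) and absolute URLs are resolved to a host and compared against the allowlist. Inline scripts are matched by SHA-256 of their stripped body, so any edit to a known inline block, not only a wholly new one, is reported.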

Software

ID Name References Techniques
S0154 Cobalt Strike [3] Sudo and Sudo Caching:Abuse Elevation Control Mechanism, Bypass User Account Control:Abuse Elevation Control Mechanism, Parent PID Spoofing:Access Token Manipulation, Token Impersonation/Theft:Access Token Manipulation, Make and Impersonate Token:Access Token Manipulation, Domain Account:Account Discovery, DNS:Application Layer Protocol, Web Protocols:Application Layer Protocol, File Transfer Protocols:Application Layer Protocol, BITS Jobs, Browser Session Hijacking, JavaScript:Command and Scripting Interpreter, Visual Basic:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Python:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Standard Encoding:Data Encoding, Data from Local System, Protocol or Service Impersonation:Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Asymmetric Cryptography:Encrypted Channel, Symmetric Cryptography:Encrypted Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Process Argument Spoofing:Hide Artifacts, Disable or Modify Tools:Impair Defenses, Timestomp:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Indicator Removal from Tools:Obfuscated Files or Information, Obfuscated Files or Information, Office Template Macros:Office Application Startup, LSASS Memory:OS Credential Dumping, Security Account Manager:OS Credential Dumping, Domain Groups:Permission Groups Discovery, Local Groups:Permission Groups Discovery, Process Discovery, Dynamic-link Library Injection:Process Injection, Process Hollowing:Process Injection, Process Injection, Protocol Tunneling, Domain Fronting:Proxy, Internal Proxy:Proxy, Query Registry, Reflective Code Loading, Remote Desktop Protocol:Remote Services, SSH:Remote Services, Windows Remote Management:Remote Services, SMB/Windows Admin Shares:Remote Services, Distributed Component Object Model:Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Code Signing:Subvert Trust Controls, Rundll32:System Binary Proxy Execution, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, Pass the Hash:Use Alternate Authentication Material, Domain Accounts:Valid Accounts, Local Accounts:Valid Accounts, Windows Management Instrumentation
S1124 SocGholish [3][4][1] JavaScript:Command and Scripting Interpreter, Local Data Staging:Data Staged, Domain Trust Discovery, Drive-by Compromise, Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol, Ingress Tool Transfer, Match Legitimate Resource Name or Location:Masquerading, Encrypted/Encoded File:Obfuscated Files or Information, Compression:Obfuscated Files or Information, Spearphishing Link:Phishing, Process Discovery, Software Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Malicious Link:User Execution, Web Service, Windows Management Instrumentation
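On the endpoint, the T1036.005 row (the AutoUpdater.js filename and the Cyrillic С/а homoglyphs in Сhrome.Updаte.zip) and the SocGholish row above (a JavaScript payload masquerading as an update, launched after the user follows the lure) describe what a detection can key on. The following added example, written for this page and not taken from MITRE or from the actor's tooling, triages process-creation events on three signals: a script host (wscript.exe/cscript.exe is an assumption about how the dropped .js is run) executing a file from a user-writable download path, a command line mixing Latin and Cyrillic letters, and a path that only spells a lure word like "Chrome" or "Update" once its homoglyphs are folded to ASCII. The two-field event schema and all three events are constructed, not real telemetry.

```python
"""Triage process-creation events for fake-update script launches.

Added example, not code from MITRE ATT&CK or from the actor. Assumptions:
the two-field event record (image, command_line) is a hypothetical,
simplified schema, and the events below are constructed, not real telemetry.
"""
import re
import unicodedata

# Script hosts that will execute a dropped .js such as AutoUpdater.js (assumed).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path fragments that a browser download or an unprivileged user can write to.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Cyrillic letters that render like Latin ones; U+0421 and U+0430 are the two
# the page reports in the Сhrome.Updаte.zip filename.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X",
})
# Words a fake-update lure borrows from legitimate software names.
LURE_WORDS = re.compile(r"chrome|firefox|edge|update", re.I)


def scripts_in(text: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in text."""
    return {unicodedata.name(ch, "?").split()[0] for ch in text if ch.isalpha()}


def skeleton(text: str) -> str:
    """Fold Cyrillic homoglyphs to ASCII so a lookalike compares equal."""
    return text.translate(CONFUSABLES)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def triage(event: dict) -> list:
    """Return the reasons an event resembles a fake-update script launch."""
    reasons = []
    if basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return reasons
    # Split on whitespace while keeping quoted paths whole.
    args = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', event["command_line"])]
    for arg in args[1:]:
        if any(frag in arg.lower() for frag in USER_WRITABLE):
            reasons.append(f"script host ran {basename(arg)} from a user-writable path")
        if len(scripts_in(arg)) > 1:
            reasons.append(f"mixed-script argument: {arg}")
        folded = skeleton(arg)
        if folded != arg and LURE_WORDS.search(folded):
            reasons.append(f"homoglyph lookalike: {arg} -> {folded}")
    return reasons


# Constructed events: one fake-update launch, one benign admin script, one browser.
EVENTS = [
    {"image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": '"C:\\Windows\\System32\\wscript.exe" '
                     '"C:\\Users\\bob\\Downloads\\\u0421hrome.Upd\u0430te\\AutoUpdater.js"'},
    {"image": "C:\\Windows\\System32\\cscript.exe",
     "command_line": "cscript.exe //nologo C:\\ProgramData\\Vendor\\inventory.vbs"},
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer'},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(basename(event["image"]), triage(event))
```

The mixed-script check is deliberately broader than the two code points on the page: any argument whose letters span more than one Unicode script is reported, which also covers homoglyphs from other scripts the actor could substitute. The confusables table is a short, hand-picked subset; a production rule would use the full Unicode confusables data rather than this list.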

References