S1015 Milan

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.[2][3]

| Item | Value |
|---|---|
| ID | S1015 |
| Associated Names | James |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 June 2022 |
| Last Modified | 31 August 2022 |

Associated Software Descriptions

| Name | Description |
|---|---|
| James | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Milan has run `C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1` to discover local accounts.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Milan can use HTTPS for communication with C2.[2][3][1] |
| enterprise | T1071.004 | DNS | Milan has the ability to use DNS for C2 communications.[2][3][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Milan can use `cmd.exe` for discovery actions on a targeted system.[2] |
| enterprise | T1005 | Data from Local System | Milan can upload files from a compromised host.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.[2] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Milan can use hardcoded domains as an input for domain generation algorithms.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Milan can delete files via `C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.[2] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | Milan can use a COM component to generate scheduled tasks.[2] |
| enterprise | T1036 | Masquerading | Milan has used an executable named `companycatalogue` to appear benign.[2] |
| enterprise | T1036.007 | Double File Extension | Milan has used an executable named `companycatalog.exe.config` to appear benign.[2] |
| enterprise | T1106 | Native API | Milan can use the API `DnsQuery_A` for DNS resolution.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Milan can encode files containing information about the targeted system.[2][3] |
| enterprise | T1572 | Protocol Tunneling | Milan can use a custom protocol tunneled through DNS or HTTP.[3] |
| enterprise | T1012 | Query Registry | Milan can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GUID.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Milan can establish persistence on a targeted host with scheduled tasks.[2][1] |
| enterprise | T1082 | System Information Discovery | Milan can enumerate the targeted machine’s name and GUID.[2][1] |
| enterprise | T1016 | System Network Configuration Discovery | Milan can run `C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings.[2] |
| enterprise | T1033 | System Owner/User Discovery | Milan can identify users registered to a targeted machine.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1001 | HEXANE | [3][1] |

References

1. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum? Retrieved June 16, 2022.
2. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
3. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.