Skip to content

T1583.006 Web Services

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

Item Value
ID T1583.006
Sub-techniques T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008
Tactics TA0042
Platforms PRE
Version 1.2
Created 01 October 2020
Last Modified 12 April 2023

Procedure Examples

ID Name Description
G0025 APT17 APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.19
G0007 APT28 APT28 has used newly-created Blogspot pages for credential harvesting operations.5
G0016 APT29 APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.1617
G0050 APT32 APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.11
G0142 Confucius Confucius has obtained cloud storage service accounts to host stolen data.3
G1006 Earth Lusca Earth Lusca has established GitHub accounts to host their malware.21
G0125 HAFNIUM HAFNIUM has acquired web services for use in C2 and exfiltration.12
G0136 IndigoZebra IndigoZebra created Dropbox accounts for their operations.910
G0094 Kimsuky Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.18
G0032 Lazarus Group Lazarus Group has hosted malicious downloads on Github.2
G0140 LazyScripter LazyScripter has established GitHub accounts to host its toolsets.4
G0059 Magic Hound Magic Hound has acquired Amazon S3 buckets to use in C2.8
G0069 MuddyWater MuddyWater has used file sharing services including OneHub to distribute tools.1314
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used file hosting services like DropBox and OneDrive.23
C0013 Operation Sharpshooter For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.22
G1005 POLONIUM POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.20
G0010 Turla Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.15
G0128 ZIRCONIUM ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.67

Mitigations

ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0035 Internet Scan Response Content

References

  1. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. 

  2. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  3. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group’s Cyberespionage Operations. Retrieved December 26, 2021. 

  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  5. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022. 

  6. Huntley, S. (2020, October 16). How We’re Tackling Evolving Online Threats. Retrieved March 24, 2021. 

  7. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  8. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  9. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021. 

  10. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  11. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  12. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. 

  13. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  14. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  15. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  16. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. 

  17. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. 

  18. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  19. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. 

  20. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  21. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  22. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  23. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.