URL: https://otx.alienvault.com/pulse/615ad64300815de81c1d3699/edit?utm_userid=swimlanecyou&utm_content=email&utm_campaign=new_p...
Submission: On October 04 via api from US — Scanned from DE

MASTERS OF MIMICRY: NEW APT GROUP CHAMELGANG AND ITS ARSENAL

   
 * Created 33 minutes ago by AlienVault
 * Public
 * TLP: White

In Q2 2021, the PT Expert Security Center incident response team investigated an
incident at an energy company. The investigation revealed that the company's
network had been compromised by a previously unknown group for the purpose of
data theft. The team named the group ChamelGang (from the word "chameleon")
because it disguised its malware and network infrastructure as legitimate
services of Microsoft, TrendMicro, McAfee, IBM, and Google. The attackers
employed two methods. First, they acquired domains that imitate legitimate ones
(newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com,
mcafee-upgrade.com). Second, the group placed SSL certificates on its servers
that also imitated those of legitimate sites (github.com, www.ibm.com,
jquery.com, update.microsoft-support.net). To reach its target, the group used a
penetration method that is currently on the rise, the supply chain attack: it
compromised a subsidiary and penetrated the target company's network through it.

Reference:
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/
Tags:
cobalt strike, doorme, beaconloader, chamelgang, doorme backdoor, apt group,
oilrig, powershell
Adversary:
ChamelGang
Industries:
Government, Aviation
Malware Families:
Cobalt Strike, DoorMe, BeaconLoader
ATT&CK IDs:
 * T1114 - Email Collection
 * T1187 - Forced Authentication
 * T1547 - Boot or Logon Autostart Execution
 * T1056 - Input Capture
 * T1021 - Remote Services
 * T1012 - Query Registry
 * T1016 - System Network Configuration Discovery
 * T1018 - Remote System Discovery
 * T1036 - Masquerading
 * T1041 - Exfiltration Over C2 Channel
 * T1047 - Windows Management Instrumentation
 * T1049 - System Network Connections Discovery
 * T1055 - Process Injection
 * T1057 - Process Discovery
 * T1059 - Command and Scripting Interpreter
 * T1068 - Exploitation for Privilege Escalation
 * T1069 - Permission Groups Discovery
 * T1070 - Indicator Removal on Host
 * T1071 - Application Layer Protocol
 * T1078 - Valid Accounts
 * T1082 - System Information Discovery
 * T1087 - Account Discovery
 * T1090 - Proxy
 * T1105 - Ingress Tool Transfer
 * T1140 - Deobfuscate/Decode Files or Information
 * T1190 - Exploit Public-Facing Application
 * T1199 - Trusted Relationship
 * T1210 - Exploitation of Remote Services
 * T1218 - Signed Binary Proxy Execution
 * T1505 - Server Software Component
 * T1560 - Archive Collected Data
 * T1564 - Hide Artifacts
 * T1572 - Protocol Tunneling
 * T1574 - Hijack Execution Flow
 * T1583 - Acquire Infrastructure
 * T1587 - Develop Capabilities
 * T1588 - Obtain Capabilities

 * Indicators of Compromise (189)
 * Related Pulses (8)
 * © Copyright 2021 AlienVault, Inc.