ericWadeFord · @ericWadeFord

Threat Actor Uses AutoHotKeys and PowerShell for Data Collection

Source: thedfirreport.com/2023/02/06/c

Targeted Industries: Transportation, Utilities, Financial and Insurance Services, Public Administration, and Information

The DFIR Report's latest incident report details an intrusion they assess was likely conducted by a threat actor tracked by Proofpoint as TA452. Initial access was a macro-enabled Word document. The macro creates a directory named after the user under %AppData% and saves several scripts and one LNK file there. Discovery commands were all executed via PowerShell or built-in Windows utilities. The threat actors dropped an AutoHotkey binary that performed various functions and was executed via a scheduled task. The data collected during discovery was exfiltrated to the C2 server via POST requests. The DFIR Report assesses TA452 (#APT34) as the likely threat group behind this intrusion, based on two Proofpoint ruleset signatures, the custom PowerShell framework, and the fact that all observed activity aligns with Tehran local time. However, the activity window also aligns with Moscow local time (6:00 AM to 7:00 PM), and other threat groups or cybercriminals could have employed the same tactics, techniques, and procedures (TTPs) as a deception to frustrate attribution.
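As an added example (not from the report or the post), here is a small Python detection pass over constructed Sysmon-style process-creation events that flags the TTPs summarized above: an Office parent spawning a script interpreter, paths under %AppData% in a directory named after the user, an AutoHotkey binary running from AppData, and the Task Scheduler service host launching a binary from AppData. Event fields, rule names and the sample events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"user": "jdoe", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -f C:\Users\jdoe\AppData\Roaming\jdoe\run.ps1"},
    {"user": "jdoe", "parent": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "image": r"C:\Users\jdoe\AppData\Roaming\jdoe\AutoHotkey.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Roaming\jdoe\AutoHotkey.exe C:\Users\jdoe\AppData\Roaming\jdoe\run.ahk"},
    {"user": "jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docx"},
]

OFFICE = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Captures the first directory under %AppData%\Roaming so it can be compared to the user name.
USER_DIR = re.compile(r"AppData\\Roaming\\([^\\]+)\\", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return {event_index: [rule names]} for events matching the summarized TTPs."""
    hits = {}
    for i, ev in enumerate(events):
        rules = []
        img, parent = base(ev["image"]), base(ev["parent"])
        text = f'{ev["image"]} {ev["cmdline"]}'
        if parent in OFFICE and img in INTERPRETERS:
            rules.append("office_spawns_interpreter")
        # The macro creates a directory in %AppData% named after the logged-on user.
        if any(d.lower() == ev["user"].lower() for d in USER_DIR.findall(text)):
            rules.append("appdata_dir_named_after_user")
        if img.startswith("autohotkey") and "appdata" in ev["image"].lower():
            rules.append("autohotkey_from_appdata")
        # Task Scheduler host (svchost -s Schedule) launching a binary from the user profile.
        if "-s schedule" in ev.get("parent_cmdline", "").lower() and "appdata" in ev["image"].lower():
            rules.append("scheduled_task_runs_appdata_binary")
        if rules:
            hits[i] = rules
    return hits


if __name__ == "__main__":
    for idx, rules in detect(EVENTS).items():
        print(idx, EVENTS[idx]["image"], rules)
```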

#ta452 #keylogger #oilrig #cti #threatintel
