1. Home
  2. Groups
  3. Mustard Tempest

Mustard Tempest

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.[1][2][3][4]

ID: G1020
Associated Groups: DEV-0206, TA569, GOLD PRELUDE, UNC1543
Version: 1.0
Created: 06 December 2023
Last Modified: 25 March 2024
Version Permalink

Associated Group Descriptions

Name Description
DEV-0206

[2]
TA569

[3]
GOLD PRELUDE

[3]
UNC1543

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

Mustard Tempest has acquired servers to host second-stage payloads that remain active for a period of either days, weeks, or months.[5]
.008 Acquire Infrastructure: Malvertising

Mustard Tempest has posted false advertisements including for software packages and browser updates in order to distribute malware.[1]
Enterprise T1584 .001 Compromise Infrastructure: Domains

Mustard Tempest operates a global network of compromised websites that redirect into a traffic distribution system (TDS) to select victims for a fake browser update page.[3][4][5][6]
Enterprise T1189 Drive-by Compromise

Mustard Tempest has used drive-by downloads for initial infection, often using fake browser updates as a lure.[4][5][6][3]
Enterprise T1105 Ingress Tool Transfer

Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Mustard Tempest has used the filename AutoUpdater.js to mimic legitimate update files and has also used the Cyrillic homoglyph characters С (0xd0a1) and а (0xd0b0), to produce the filename Сhrome.Updаte.zip.[6][4]
Enterprise T1566 .002 Phishing: Spearphishing Link

Mustard Tempest has sent victims emails containing links to compromised websites.[4]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

Mustard Tempest has hosted payloads on acquired second-stage servers for periods of either days, weeks, or months.[5]
.004 Stage Capabilities: Drive-by Target

Mustard Tempest has injected malicious JavaScript into compromised websites to infect victims via drive-by download.[4][5][6][3]
.006 Stage Capabilities: SEO Poisoning

Mustard Tempest has poisoned search engine results to return fake software updates in order to distribute malware.[1][4]
Enterprise T1082 System Information Discovery

Mustard Tempest has used implants to perform system reconnaissance on targeted systems.[1]
Enterprise T1204 .001 User Execution: Malicious Link

Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.[1][4]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S1124 SocGholish [1][3][4] Command and Scripting Interpreter: JavaScript, Data Staged: Local Data Staging, Domain Trust Discovery, Drive-by Compromise, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Phishing: Spearphishing Link, Process Discovery, Software Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious Link, Web Service, Windows Management Instrumentation

References

  1. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  2. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  3. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
  1. Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
  2. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
  3. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.