Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

ID: G0059
Associated Groups: TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
Contributors: Anastasios Pingios; Bryan Lee; Daniyal Naeem, BT Security
Version: 6.1
Created: 16 January 2018
Last Modified: 10 July 2024

Associated Group Descriptions

Name Description
TA453

[6][5][7]

COBALT ILLUSION

[4]

Charming Kitten

[8][9][10][2][6][7]

ITG18

[11]

Phosphorus

[12][13][14][3][6][7]

Newscaster

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[15][1]

APT35

[1][3][7]

Mint Sandstorm

[16]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

Magic Hound has used Powershell to discover email accounts.[17]

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[1]

.007 Account Manipulation: Additional Local or Domain Groups

Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.[17]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.[3]

.006 Acquire Infrastructure: Web Services

Magic Hound has acquired Amazon S3 buckets to use in C2.[7]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j and ProxyShell vulnerabilities; CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in on-premises MS Exchange Servers; and CVE-2018-13379 in Fortinet FortiOS SSL VPNs.[7][18]

Enterprise T1071 Application Layer Protocol

Magic Hound malware has used IRC for C2.[15][19]

.001 Web Protocols

Magic Hound has used HTTP for C2.[15][17][19]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.[1][17][19]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Magic Hound malware has used Registry Run keys to establish persistence.[15][19][18]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Magic Hound has used PowerShell for execution and privilege escalation.[15][1][17][19][18]

.003 Command and Scripting Interpreter: Windows Command Shell

Magic Hound has used the command-line interface for code execution.[15][17][19]

.005 Command and Scripting Interpreter: Visual Basic

Magic Hound malware has used VBS scripts for execution.[15]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[11]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Magic Hound has used compromised domains to host links targeted to specific phishing victims.[2][5][3][20]

Enterprise T1136 .001 Create Account: Local Account

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[17][18]

Enterprise T1486 Data Encrypted for Impact

Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations. [19][18]

Enterprise T1005 Data from Local System

Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.[17][19]

Enterprise T1482 Domain Trust Discovery

Magic Hound has used a web shell to execute nltest /trusted_domains to identify trust relationships.[19]

Enterprise T1189 Drive-by Compromise

Magic Hound has conducted watering-hole attacks through media and magazine websites.[2]

Enterprise T1114 Email Collection

Magic Hound has compromised email credentials in order to steal sensitive data.[3]

.001 Local Email Collection

Magic Hound has collected .PST archives.[1]

.002 Remote Email Collection

Magic Hound has exported emails from compromised Exchange servers including through use of the cmdlet New-MailboxExportRequest.[17][19]

Enterprise T1573 Encrypted Channel

Magic Hound has used an encrypted http proxy in C2 communications.[19]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.[2]

.002 Establish Accounts: Email Accounts

Magic Hound has established email accounts using fake personas for spearphishing operations.[11][6]

Enterprise T1567 Exfiltration Over Web Service

Magic Hound has used the Telegram API sendMessage to relay data on compromised devices.[20]

Enterprise T1190 Exploit Public-Facing Application

Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Fortios SSL VPNs (CVE-2018-13379).[7][17][21][19][18][22]

Enterprise T1083 File and Directory Discovery

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.[15]

Enterprise T1592 .002 Gather Victim Host Information: Software

Magic Hound has captured the user-agent strings from visitors to their phishing sites.[20]

Enterprise T1589 Gather Victim Identity Information

Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.[5]

.001 Credentials

Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites. Magic Hound has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel.[11][18]

.002 Email Addresses

Magic Hound has identified high-value email accounts in academia, journalism, NGO's, foreign policy, and national security for targeting.[5][20]

Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

Magic Hound has captured the IP addresses of visitors to their phishing sites.[20]

Enterprise T1591 .001 Gather Victim Org Information: Determine Physical Locations

Magic Hound has collected location information from visitors to their phishing sites.[20]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[15]

Enterprise T1562 Impair Defenses

Magic Hound has disabled LSA protection on compromised hosts using "reg" add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f.[17]

.001 Disable or Modify Tools

Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.[17]

.002 Disable Windows Event Logging

Magic Hound has executed scripts to disable the event log service.[19]

.004 Disable or Modify System Firewall

Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic - "netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389.[17][19]

Enterprise T1070 .003 Indicator Removal: Clear Command History

Magic Hound has removed mailbox export requests from compromised Exchange servers.[17]

.004 Indicator Removal: File Deletion

Magic Hound has deleted and overwrote files to cover tracks.[15][1][19]

Enterprise T1105 Ingress Tool Transfer

Magic Hound has downloaded additional code and files from servers onto victims.[15][17][19][18]

Enterprise T1056 .001 Input Capture: Keylogging

Magic Hound malware is capable of keylogging.[15]

Enterprise T1570 Lateral Tool Transfer

Magic Hound has copied tools within a compromised network using RDP.[19]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.[19]

.005 Masquerading: Match Legitimate Name or Location

Magic Hound has used dllhost.exe to mask Fast Reverse Proxy (FRP) and MicrosoftOutLookUpdater.exe for Plink.[17][19][18]

.010 Masquerading: Masquerade Account Name

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[17][18]

Enterprise T1112 Modify Registry

Magic Hound has modified Registry settings for security tools.[17]

Enterprise T1046 Network Service Discovery

Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.[19]

Enterprise T1571 Non-Standard Port

Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[15][19]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Magic Hound has used base64-encoded commands.[15][18]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.[15][18]

Enterprise T1588 .002 Obtain Capabilities: Tool

Magic Hound has obtained and used tools like Havij, sqlmap, Metasploit, Mimikatz, and Plink.[23][1][7][19][18]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.[1][17][19][18]

Enterprise T1566 .002 Phishing: Spearphishing Link

Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy.[24][2][3][18]

.003 Phishing: Spearphishing via Service

Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[25][12][2]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.[3][2][6][5][20][18]

Enterprise T1057 Process Discovery

Magic Hound malware can list running processes.[15]

Enterprise T1572 Protocol Tunneling

Magic Hound has used Plink to tunnel RDP over SSH.[19]

Enterprise T1090 Proxy

Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic.[19]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Magic Hound has used Remote Desktop Services to copy tools on targeted systems.[17][19]

Enterprise T1018 Remote System Discovery

Magic Hound has used Ping for discovery on targeted networks.[19]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Magic Hound has used scheduled tasks to establish persistence and execution.[17][19]

Enterprise T1113 Screen Capture

Magic Hound malware can take a screenshot and upload the file to its C2 server.[15]

Enterprise T1505 .003 Server Software Component: Web Shell

Magic Hound has used multiple web shells to gain execution.[17][19]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.[17]

Enterprise T1082 System Information Discovery

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[15][17][19]

Enterprise T1016 System Network Configuration Discovery

Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[15][17][19]

.001 Internet Connection Discovery

Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.[19]

.002 Wi-Fi Discovery

Magic Hound has collected names and passwords of all Wi-Fi networks to which a device has previously connected.[7]

Enterprise T1049 System Network Connections Discovery

Magic Hound has used quser.exe to identify existing RDP connections.[17]

Enterprise T1033 System Owner/User Discovery

Magic Hound malware has obtained the victim username and sent it to the C2 server.[15][17][19]

Enterprise T1204 .001 User Execution: Malicious Link

Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[2][3]

.002 User Execution: Malicious File

Magic Hound has attempted to lure victims into opening malicious email attachments.[2]

Enterprise T1078 .001 Valid Accounts: Default Accounts

Magic Hound enabled and used the default system managed account, DefaultAccount, via "powershell.exe" /c net user DefaultAccount /active:yes to connect to a targeted Exchange server over RDP.[19]

.002 Valid Accounts: Domain Accounts

Magic Hound has used domain administrator accounts after dumping LSASS process memory.[19]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[15]

Enterprise T1047 Windows Management Instrumentation

Magic Hound has used a tool to run cmd /c wmic computersystem get domain for discovery.[17]

Software

ID Name References Techniques
S0674 CharmPower [7] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Modify Registry, Process Discovery, Query Registry, Screen Capture, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Web Service: Dead Drop Resolver, Web Service, Windows Management Instrumentation
S0186 DownPaper [8] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Query Registry, System Information Discovery, System Owner/User Discovery
S1144 FRP [19] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: JavaScript, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Network Service Discovery, Non-Application Layer Protocol, Protocol Tunneling, Proxy, Proxy: Multi-hop Proxy, System Network Connections Discovery
S0357 Impacket [19] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [17][19] System Network Configuration Discovery
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [17][19] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [17] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0097 Ping [19] Remote System Discovery
S1012 PowerLess [21] Archive Collected Data, Browser Information Discovery, Command and Scripting Interpreter: PowerShell, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel, Ingress Tool Transfer, Input Capture: Keylogging
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0192 Pupy [15][1][24] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Audio Capture, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Systemd Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Network Service Discovery, Network Share Discovery, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSA Secrets, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Ticket, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0096 Systeminfo [19] System Information Discovery

References

  1. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  2. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
  3. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
  4. Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.
  5. Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.
  6. Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.
  7. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  8. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  9. Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.
  10. ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021.
  11. Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.
  12. Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
  13. Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.
  1. US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.
  2. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  3. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  4. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  5. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  6. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  7. Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
  8. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  9. Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Retrieved December 7, 2023.
  10. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  11. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
  12. Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.