Magic Hound

Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia.[1][2]

ID: G0059
Associated Groups: Rocket Kitten, Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish, Newscaster, Cobalt Gypsy, APT35
Contributors: Bryan Lee
Version: 1.1
Created: 16 January 2018
Last Modified: 15 October 2019

Associated Group Descriptions

Name: Description
Rocket Kitten: Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten. [1] [6]
Operation Saffron Rose: Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. [1]
Ajax Security Team: Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. [1]
Operation Woolen-Goldfish: Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. [1]
Newscaster: Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). [1] [2]
Cobalt Gypsy: Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. [5]
APT35: [2]

Techniques Used

Domain ID Name Use
Enterprise T1098 Account Manipulation

Magic Hound granted compromised email accounts read access to the mailboxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[2]
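A defender-side check for the mailbox-delegation pattern described above, added here as an example and not part of the ATT&CK page: it correlates a mailbox permission grant with subsequent non-owner access to that mailbox by the grantee. The event records are constructed and their field names (ts, type, cmdlet, actor, mailbox, grantee, client) are assumptions, not an actual Exchange log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The field names are assumed;
# map them to your own admin-audit and mailbox-audit log schema.
SAMPLE_EVENTS = [
    {"ts": "2018-01-10T08:02:11", "type": "AdminAudit",
     "cmdlet": "Add-MailboxPermission", "actor": "it-admin",
     "mailbox": "cfo", "grantee": "j.doe", "rights": "FullAccess"},
    {"ts": "2018-01-10T08:15:40", "type": "MailboxAudit",
     "op": "MailItemsAccessed", "actor": "j.doe",
     "mailbox": "cfo", "client": "OWA"},
    {"ts": "2018-01-10T09:00:00", "type": "AdminAudit",
     "cmdlet": "Add-MailboxPermission", "actor": "it-admin",
     "mailbox": "shared-hr", "grantee": "svc-backup", "rights": "ReadPermission"},
    {"ts": "2018-01-10T09:30:00", "type": "MailboxAudit",
     "op": "MailItemsAccessed", "actor": "shared-hr",
     "mailbox": "shared-hr", "client": "Outlook"},
]


def find_delegated_access(events, window=timedelta(hours=24)):
    """Return one finding per (grant, later access) pair where a mailbox
    permission grant is followed, within `window`, by non-owner access to
    that mailbox by the account that received the grant."""
    grants = [e for e in events
              if e["type"] == "AdminAudit"
              and e["cmdlet"] == "Add-MailboxPermission"]
    # Owner access (actor == mailbox) is normal; only non-owner access counts.
    accesses = [e for e in events
                if e["type"] == "MailboxAudit" and e["actor"] != e["mailbox"]]
    findings = []
    for g in grants:
        g_ts = datetime.fromisoformat(g["ts"])
        for a in accesses:
            a_ts = datetime.fromisoformat(a["ts"])
            if (a["mailbox"] == g["mailbox"]
                    and a["actor"] == g["grantee"]
                    and g_ts <= a_ts <= g_ts + window):
                findings.append({"grantee": g["grantee"], "mailbox": g["mailbox"],
                                 "granted_by": g["actor"], "rights": g["rights"],
                                 "grant_ts": g["ts"], "access_ts": a["ts"],
                                 "client": a.get("client")})
    return findings


if __name__ == "__main__":
    for f in find_delegated_access(SAMPLE_EVENTS):
        print(f"{f['grantee']} read mailbox {f['mailbox']} via {f['client']} "
              f"{f['access_ts']} after grant at {f['grant_ts']} by {f['granted_by']}")
```

The svc-backup grant on shared-hr produces no finding because the only later access to that mailbox is by its owner; tune the window and add an allow-list of expected delegations before running this over production audit logs.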

Enterprise T1059 Command-Line Interface

Magic Hound has used the command-line interface.[1]

Enterprise T1043 Commonly Used Port

Magic Hound malware has communicated with C2 servers over port 6667 (for IRC) and port 8080.[1]

Enterprise T1003 Credential Dumping

Magic Hound stole domain credentials from a Microsoft Active Directory Domain Controller and leveraged Mimikatz.[2]

Enterprise T1002 Data Compressed

Magic Hound has used RAR to stage and compress local folders.[2]

Enterprise T1114 Email Collection

Magic Hound has collected .PST archives.[2]

Enterprise T1083 File and Directory Discovery

Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[1]

Enterprise T1107 File Deletion

Magic Hound has deleted and overwritten files to cover its tracks.[1][2]

Enterprise T1143 Hidden Window

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[1]

Enterprise T1056 Input Capture

Magic Hound malware is capable of keylogging.[1]

Enterprise T1027 Obfuscated Files or Information

Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.[1]

Enterprise T1086 PowerShell

Magic Hound has used PowerShell for execution and privilege escalation.[1][2]

Enterprise T1057 Process Discovery

Magic Hound malware can list running processes.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Magic Hound malware has used Registry Run keys to establish persistence.[1]

Enterprise T1105 Remote File Copy

Magic Hound has downloaded additional code and files from servers onto victims.[1]

Enterprise T1113 Screen Capture

Magic Hound malware can take a screenshot and upload the file to its C2 server.[1]

Enterprise T1064 Scripting

Magic Hound malware has used .vbs scripts for execution.[1]

Enterprise T1193 Spearphishing Attachment

Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy.[3]

Enterprise T1192 Spearphishing Link

Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy.[3]

Enterprise T1194 Spearphishing via Service

Magic Hound used various social media channels to spearphish victims.[3]

Enterprise T1071 Standard Application Layer Protocol

Magic Hound malware has used HTTP and IRC for C2.[1]

Enterprise T1082 System Information Discovery

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[1]

Enterprise T1016 System Network Configuration Discovery

Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[1]

Enterprise T1033 System Owner/User Discovery

Magic Hound malware has obtained the victim username and sent it to the C2 server.[1]

Enterprise T1065 Uncommonly Used Port

Magic Hound malware has communicated with its C2 server over ports 4443 and 3543.[1]

Enterprise T1204 User Execution

Magic Hound has attempted to get users to execute malware via social media and spearphishing emails.[3]

Enterprise T1102 Web Service

Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[1]

Software

ID Name References: Techniques
S0224 Havij [4]: Exploit Public-Facing Application
S0002 Mimikatz [2]: Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 PsExec [2]: Service Execution, Windows Admin Shares
S0192 Pupy [1] [5] [3] [2]: Access Token Manipulation, Account Discovery, Audio Capture, Bypass User Account Control, Create Account, Credential Dumping, Data Compressed, Email Collection, Exfiltration Over Command and Control Channel, File and Directory Discovery, Indicator Removal on Host, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Multilayer Encryption, Network Service Scanning, Network Share Discovery, PowerShell, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Systemd Service, Video Capture, Virtualization/Sandbox Evasion
S0225 sqlmap [4]: Exploit Public-Facing Application

References