Magic Hound

Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. [1] [2]

ID: G0059
Contributors: Bryan Lee

Version: 1.0

Associated Group Descriptions

Name | Description
Rocket Kitten | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten. [1] [4]
Operation Saffron Rose | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. [1]
Ajax Security Team | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. [1]
Operation Woolen-Goldfish | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. [1]
Newscaster | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). [1] [2]
Cobalt Gypsy | Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. [5]
APT35 | [2]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Magic Hound has used the command-line interface. [1]
Enterprise | T1043 | Commonly Used Port | Magic Hound malware has communicated with C2 servers over port 6667 (for IRC) and port 8080. [1]
Enterprise | T1003 | Credential Dumping | Magic Hound stole domain credentials from a Microsoft Active Directory Domain Controller and leveraged Mimikatz. [2]
Enterprise | T1002 | Data Compressed | Magic Hound has used RAR to stage and compress local folders. [2]
Enterprise | T1114 | Email Collection | Magic Hound has collected .PST archives. [2]
Enterprise | T1083 | File and Directory Discovery | Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents. [1]
Enterprise | T1107 | File Deletion | Magic Hound has deleted and overwritten files to cover tracks. [1] [2]
Enterprise | T1056 | Input Capture | Magic Hound malware is capable of keylogging. [1]
Enterprise | T1027 | Obfuscated Files or Information | Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES. [1]
Enterprise | T1086 | PowerShell | Magic Hound has used PowerShell for execution and privilege escalation. [1] [2]
Enterprise | T1057 | Process Discovery | Magic Hound malware can list running processes. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Magic Hound malware has used Registry Run keys to establish persistence. [1]
Enterprise | T1105 | Remote File Copy | Magic Hound has downloaded additional code and files from servers onto victims. [1]
Enterprise | T1113 | Screen Capture | Magic Hound malware can take a screenshot and upload the file to its C2 server. [1]
Enterprise | T1064 | Scripting | Magic Hound malware has used .vbs scripts for execution. [1]
Enterprise | T1193 | Spearphishing Attachment | Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy. [3]
Enterprise | T1192 | Spearphishing Link | Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy. [3]
Enterprise | T1194 | Spearphishing via Service | Magic Hound used various social media channels to spearphish victims. [3]
Enterprise | T1071 | Standard Application Layer Protocol | Magic Hound malware has used HTTP and IRC for C2. [1]
Enterprise | T1082 | System Information Discovery | Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server. [1]
Enterprise | T1016 | System Network Configuration Discovery | Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address. [1]
Enterprise | T1033 | System Owner/User Discovery | Magic Hound malware has obtained the victim username and sent it to the C2 server. [1]
Enterprise | T1065 | Uncommonly Used Port | Magic Hound malware has communicated with its C2 server over ports 4443 and 3543. [1]
Enterprise | T1204 | User Execution | Magic Hound has attempted to get users to execute malware via social media and spearphishing emails. [3]
Enterprise | T1102 | Web Service | Magic Hound malware can use a SOAP Web service to communicate with its C2 server. [1]

Software

ID | Name | References | Techniques
S0224 | Havij | [6] | Exploit Public-Facing Application
S0002 | Mimikatz | [2] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 | PsExec | [2] | Service Execution, Windows Admin Shares
S0192 | Pupy | [1] [5] [3] [2] | Access Token Manipulation, Account Discovery, Audio Capture, Bypass User Account Control, Create Account, Credential Dumping, Data Compressed, Email Collection, Exfiltration Over Command and Control Channel, File and Directory Discovery, Indicator Removal on Host, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Multilayer Encryption, Network Service Scanning, Network Share Discovery, PowerShell, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Systemd Service, Video Capture, Virtualization/Sandbox Evasion
S0225 | sqlmap | [6] | Exploit Public-Facing Application

References