Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia.
Associated Group Descriptions

| Name | Description |
|---|---|
| Rocket Kitten | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten. |
| Operation Saffron Rose | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. |
| Ajax Security Team | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. |
| Operation Woolen-Goldfish | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. |
| Newscaster | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). |
| Cobalt Gypsy | Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. |
Magic Hound granted compromised email accounts read access to the mailboxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1043 | Commonly Used Port | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | |
| Enterprise | T1105 | Remote File Copy | |
| Enterprise | T1194 | Spearphishing via Service | |
| Enterprise | T1071 | Standard Application Layer Protocol | |
| Enterprise | T1082 | System Information Discovery | Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server. |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1065 | Uncommonly Used Port | |
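A detection-side illustration of the T1082 behaviour described above (architecture check, OS version, UUID and host name collection), added here as example code that is not from the ATT&CK page or from any Magic Hound sample: it scores constructed PowerShell script-block log records per host and flags hosts where several distinct discovery indicators co-occur. The host names, script text and indicator patterns are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape (host, script text) that a SIEM
# might expose from PowerShell Script Block Logging (Event ID 4104). They
# are invented for illustration, not Magic Hound samples.
SAMPLE_BLOCKS = [
    ("ws01", "Get-ChildItem 'C:\\Program Files' | Select Name"),
    ("ws02", "if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }"),
    ("ws02", "(Get-WmiObject Win32_OperatingSystem).Version"),
    ("ws02", "(Get-WmiObject Win32_ComputerSystemProduct).UUID; $env:COMPUTERNAME"),
    ("ws03", "$env:COMPUTERNAME"),
]

# Assumed indicator patterns for the four facts the profiling collects:
# architecture, OS version, machine UUID and host name. One hit is weak
# evidence on its own; several distinct indicators from one host are not.
INDICATORS = {
    "architecture": re.compile(
        r"IntPtr\]::Size|Is64BitOperatingSystem|PROCESSOR_ARCHITECTURE|OSArchitecture", re.I),
    "os_version": re.compile(r"Win32_OperatingSystem|\[Environment\]::OSVersion", re.I),
    "uuid": re.compile(r"Win32_ComputerSystemProduct|\.UUID\b", re.I),
    "hostname": re.compile(r"\$env:COMPUTERNAME|\bhostname\b|MachineName", re.I),
}


def classify_block(script):
    """Return the set of discovery indicator names matched by one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script)}


def profile_hosts(blocks, threshold=3):
    """Aggregate indicators per host; return hosts with >= threshold distinct ones."""
    seen = defaultdict(set)
    for host, script in blocks:
        seen[host] |= classify_block(script)
    return {host: sorted(inds) for host, inds in seen.items() if len(inds) >= threshold}


if __name__ == "__main__":
    for host, inds in profile_hosts(SAMPLE_BLOCKS).items():
        print(f"{host}: system discovery indicators {inds}")
```

Tuning the threshold trades noise from routine administration (a single hostname lookup) against sensitivity to the full profiling sequence.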