Magic Hound

Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. [1] [2]

ID: G0059
Associated Groups: Rocket Kitten, Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish, Newscaster, Cobalt Gypsy, APT35
Contributors: Bryan Lee
Version: 1.0

Associated Group Descriptions

Name Description
Rocket Kitten Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten. [1] [6]
Operation Saffron Rose Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. [1]
Ajax Security Team Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. [1]
Operation Woolen-Goldfish Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. [1]
Newscaster Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). [1] [2]
Cobalt Gypsy Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. [5]
APT35 [2]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Magic Hound has used the command-line interface.[1]
Enterprise T1043 Commonly Used Port Magic Hound malware has communicated with C2 servers over port 6667 (for IRC) and port 8080.[1]
Enterprise T1003 Credential Dumping Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz.[2]
Enterprise T1002 Data Compressed Magic Hound has used RAR to stage and compress local folders.[2]
Enterprise T1114 Email Collection Magic Hound has collected .PST archives.[2]
Enterprise T1083 File and Directory Discovery Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[1]
Enterprise T1107 File Deletion Magic Hound has deleted and overwritten files to cover tracks.[1][2]
Enterprise T1056 Input Capture Magic Hound malware is capable of keylogging.[1]
Enterprise T1027 Obfuscated Files or Information Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.[1]
Enterprise T1086 PowerShell Magic Hound has used PowerShell for execution and privilege escalation.[1][2]
Enterprise T1057 Process Discovery Magic Hound malware can list running processes.[1]
Enterprise T1060 Registry Run Keys / Startup Folder Magic Hound malware has used Registry Run keys to establish persistence.[1]
Enterprise T1105 Remote File Copy Magic Hound has downloaded additional code and files from servers onto victims.[1]
Enterprise T1113 Screen Capture Magic Hound malware can take a screenshot and upload the file to its C2 server.[1]
Enterprise T1064 Scripting Magic Hound malware has used .vbs scripts for execution.[1]
Enterprise T1193 Spearphishing Attachment Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy.[3]
Enterprise T1192 Spearphishing Link Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy.[3]
Enterprise T1194 Spearphishing via Service Magic Hound used various social media channels to spearphish victims.[3]
Enterprise T1071 Standard Application Layer Protocol Magic Hound malware has used HTTP and IRC for C2.[1]
Enterprise T1082 System Information Discovery Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[1]
Enterprise T1016 System Network Configuration Discovery Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[1]
Enterprise T1033 System Owner/User Discovery Magic Hound malware has obtained the victim username and sent it to the C2 server.[1]
Enterprise T1065 Uncommonly Used Port Magic Hound malware has communicated with its C2 server over ports 4443 and 3543.[1]
Enterprise T1204 User Execution Magic Hound has attempted to get users to execute malware via social media and spearphishing emails.[3]
Enterprise T1102 Web Service Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[1]

Software

ID Name References Techniques
S0224 Havij [4] Exploit Public-Facing Application
S0002 Mimikatz [2] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 PsExec [2] Service Execution, Windows Admin Shares
S0192 Pupy [1] [5] [3] [2] Access Token Manipulation, Account Discovery, Audio Capture, Bypass User Account Control, Create Account, Credential Dumping, Data Compressed, Email Collection, Exfiltration Over Command and Control Channel, File and Directory Discovery, Indicator Removal on Host, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Multilayer Encryption, Network Service Scanning, Network Share Discovery, PowerShell, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Systemd Service, Video Capture, Virtualization/Sandbox Evasion
S0225 sqlmap [4] Exploit Public-Facing Application

References