Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive operations to collect intelligence, dating back as early as 2014. The group typically targets U.S. and Middle Eastern military organizations, as well as other organizations with government personnel, via complex social engineering campaigns.
Associated Group Descriptions

| Name | Description |
|---|---|
| Cobalt Gypsy | Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. |
| Operation Woolen-Goldfish | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. |
| Ajax Security Team | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. |
| Operation Saffron Rose | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1098.002 | Account Manipulation: Exchange Email Delegate Permissions | Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations. |
| Enterprise | T1071 | Application Layer Protocol | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | Magic Hound has downloaded additional code and files from servers onto victims. Magic Hound used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system. |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | |
| Enterprise | T1082 | System Information Discovery | Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server. |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1204.002 | User Execution: Malicious File | |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | |
References

- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.
- Check Point Software Technologies. (2015). Rocket Kitten: A Campaign with 9 Lives. Retrieved March 16, 2018.
- Villeneuve, N. et al. (2013). Operation Saffron Rose. Retrieved May 28, 2020.
- Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.