Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015.[1][2] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence for the two to be tracked as separate groups.[3][4]

ID: G0074
Associated Groups: IRON LIBERTY, DYMALLOY, Berserk Bear
Version: 2.0
Created: 17 October 2018
Last Modified: 26 April 2021

Associated Group Descriptions

Name Description
IRON LIBERTY

[5][6]

DYMALLOY

[4]

Berserk Bear

[3]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.[1]

Enterprise T1098 Account Manipulation

Dragonfly 2.0 added newly created accounts to the administrators group to maintain elevated access.[1][7]

Enterprise T1071 Application Layer Protocol

Dragonfly 2.0 used SMB for C2.[1]

Enterprise T1560 Archive Collected Data

Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it.[1]

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.[1]

.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence.[1]

Enterprise T1110 .002 Brute Force: Password Cracking

Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.[1][7][8]

Enterprise T1059 Command and Scripting Interpreter

Dragonfly 2.0 used the command line for execution.[1]

.003 Windows Command Shell

Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.[1][7]

.001 PowerShell

Dragonfly 2.0 used PowerShell scripts for execution.[1][2][7]

.006 Python

Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[1][7]

Enterprise T1136 .001 Create Account: Local Account

Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[1][7]

Enterprise T1005 Data from Local System

Dragonfly 2.0 collected data from local victim systems.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.[1]

Enterprise T1189 Drive-by Compromise

Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims.[1]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Dragonfly 2.0 accessed email accounts using Outlook Web Access.[7]

Enterprise T1133 External Remote Services

Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.[1][7]

Enterprise T1083 File and Directory Discovery

Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts.[1]

Enterprise T1187 Forced Authentication

Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.[1][7]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389.[1][7]

Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.[1][7]

.004 Indicator Removal on Host: File Deletion

Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[1][7]

Enterprise T1105 Ingress Tool Transfer

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[1][7]

Enterprise T1036 Masquerading

Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account.[1][7]

Enterprise T1112 Modify Registry

Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg.[1]

Enterprise T1135 Network Share Discovery

Dragonfly 2.0 identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[1][7]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.[1][7]

.003 OS Credential Dumping: NTDS

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.[1][7][9]

.004 OS Credential Dumping: LSA Secrets

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.[1][7][9]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.[1][7]

.002 Phishing: Spearphishing Link

Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.[1]

Enterprise T1012 Query Registry

Dragonfly 2.0 queried the Registry to identify victim information.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Dragonfly 2.0 moved laterally via RDP.[1][7]

Enterprise T1018 Remote System Discovery

Dragonfly 2.0 likely obtained a list of hosts in the victim environment.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.[1][7]

Enterprise T1113 Screen Capture

Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).[1][2]

Enterprise T1505 .003 Server Software Component: Web Shell

Dragonfly 2.0 commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.[1][7]

Enterprise T1016 System Network Configuration Discovery

Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[1]

Enterprise T1033 System Owner/User Discovery

Dragonfly 2.0 used the command query user on victim hosts.[1]

Enterprise T1221 Template Injection

Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.[1][7]

Enterprise T1204 .002 User Execution: Malicious File

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments.[1][7]

.001 User Execution: Malicious Link

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.[1][7]

Enterprise T1078 Valid Accounts

Dragonfly 2.0 compromised user credentials and used valid accounts for operations.[1]
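Several of the entries above leave a command line in Windows process-creation telemetry: the accounts created and added to the administrators group (Create Account, Account Manipulation), the ntdll value written to the Run key, the host firewall being disabled and port 3389 opened with netsh, event logs being cleared, the scheduled task that logs created accounts off every 8 hours, and query user. The following is an added example, not code from this page or from the reports it cites, of a small rule set evaluated over constructed Security 4688 events. The host names, user names and command lines are made up for the example, and the patterns are this example's assumptions about how each behaviour would appear on a command line, not indicators taken from the reports.

```python
import re

# Constructed sample: Windows Security 4688 (process creation) events reduced to
# (host, user, command line). Made up for this example; not lines from the cited reports.
SAMPLE_EVENTS = [
    ("DC01", r"CORP\svc_backup", "net user backupadm P@ssw0rd1 /add"),
    ("DC01", r"CORP\svc_backup", "net localgroup administrators backupadm /add"),
    ("WS07", r"CORP\jdoe",
     r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ntdll /t REG_SZ /d C:\Users\jdoe\AppData\Roaming\ntdll.exe'),
    ("WS07", r"CORP\jdoe",
     'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'),
    ("WS07", r"CORP\jdoe", "netsh advfirewall set allprofiles state off"),
    ("WS07", r"CORP\jdoe", "wevtutil cl Security"),
    ("WS07", r"CORP\jdoe", 'schtasks /create /tn "Cleanup" /tr "logoff" /sc hourly /mo 8 /ru backupadm'),
    ("WS07", r"CORP\jdoe", "query user"),
    ("WS07", r"CORP\jdoe", r"net use \\fs01\share"),   # benign: no rule should fire
]

# (technique, reason, pattern). Group 1, where present, captures the account name.
# The patterns are assumptions about how the behaviour looks on a command line.
RULES = [
    ("T1136.001", "local account created with net user /add",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(?:\S+\s+)?/add\b", re.I)),
    ("T1098", "account added to local Administrators group",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)),
    ("T1547.001", "Run key value written with reg add",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("T1562.004", "host firewall disabled or port 3389 opened with netsh",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\S+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+(?:mode=)?disable"
                r"|advfirewall\s+firewall\s+add\s+rule\s+.*localport=3389\b)", re.I)),
    ("T1070.001", "Windows event log cleared with wevtutil",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("T1053.005", "scheduled task created with schtasks",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    ("T1033", "logged-on users enumerated with query user",
     re.compile(r"\b(?:query(?:\.exe)?\s+user|quser(?:\.exe)?)\b", re.I)),
]


def detect(events):
    """Evaluate every rule against every event's command line; one hit per match."""
    hits = []
    for host, user, cmdline in events:
        for technique, reason, pattern in RULES:
            m = pattern.search(cmdline)
            if m:
                hits.append({
                    "host": host, "user": user, "technique": technique,
                    "reason": reason, "cmdline": cmdline,
                    "account": m.group(1) if pattern.groups else None,
                })
    return hits


def new_local_admins(hits):
    """Correlate T1136.001 and T1098 hits on the same host: accounts that were created
    and then added to Administrators, the sequence the Account Manipulation entry describes."""
    created = {(h["host"], h["account"].lower())
               for h in hits if h["technique"] == "T1136.001" and h["account"]}
    return sorted({h["account"] for h in hits
                   if h["technique"] == "T1098" and h["account"]
                   and (h["host"], h["account"].lower()) in created})


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:5} {h["technique"]:10} {h["reason"]}: {h["cmdline"]}')
    print("created-then-elevated accounts:", new_local_admins(hits))
```

Single-command rules of this kind are noisy on hosts where administrators legitimately run net, reg and netsh; the correlation in new_local_admins is the part worth alerting on, because an account that is created and elevated from the same host in one session rarely has a benign explanation.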
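The Forced Authentication, Shortcut Modification and Template Injection entries above describe two artefacts built to make a Windows client authenticate to an attacker-controlled host over SMB: a .LNK whose icon location is a UNC path, which Explorer resolves as soon as the shortcut is displayed, and a Word document whose attachedTemplate relationship points at an SMB resource, which Word fetches when the document opens. The scanner below is an added example, not code from this page or from the cited reports, that walks the MS-SHLLINK StringData section and the word/_rels/settings.xml.rels part for such references. It builds its own minimal .lnk and .docx samples inline; the 203.0.113.5 address and the share and file names are placeholders, not indicators from the reports.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

# MS-SHLLINK ShellLinkHeader: CLSID and LinkFlags bits that control the layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))   # fixed order per the spec
# OPC relationship namespace and the Word attachedTemplate relationship type.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_ref(value):
    """UNC paths and file:// URLs: forms Windows resolves over SMB, sending NTLM to the named host."""
    v = value.strip().strip('"').lower()
    return v.startswith("\\\\") or v.startswith("file://")


def parse_lnk_strings(data):
    """Walk a .lnk past the optional IDList and LinkInfo and return its StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return fields


def lnk_forced_auth(data):
    """Fields of a .lnk that point at a remote resource (a UNC icon_location is the T1547.009/T1187 case)."""
    return {k: v for k, v in parse_lnk_strings(data).items() if is_remote_ref(v)}


def docx_forced_auth(blob):
    """External attachedTemplate targets in settings.xml.rels that resolve over SMB (T1221)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    return [rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE
            and rel.get("TargetMode") == "External"
            and is_remote_ref(rel.get("Target", ""))]


def build_lnk(icon_location):
    """Constructed sample: a minimal .lnk with an empty IDList and only an ICON_LOCATION string."""
    flags = HAS_LINK_TARGET_ID_LIST | 0x40 | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0)
              + b"\x00" * 24                       # creation/access/write FILETIMEs
              + struct.pack("<IIIH", 0, 0, 1, 0)   # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
              + b"\x00" * 10)                      # Reserved1..3
    idlist = struct.pack("<H", 2) + b"\x00\x00"    # IDListSize=2: TerminalID only
    return header + idlist + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


def build_docx(template_target):
    """Constructed sample: the two parts Word needs to attach an external template."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.5 and the share names are placeholders, not indicators from the reports.
    print(lnk_forced_auth(build_lnk(r"\\203.0.113.5\share\icon.ico")))
    print(docx_forced_auth(build_docx(r"file:///\\203.0.113.5\share\template.dotm")))
```

The .lnk check deliberately reports every StringData field, not just the icon, because the relative path, working directory and arguments can carry a UNC reference too; the .docx check is scoped to attachedTemplate because that relationship is fetched without user interaction, whereas other external relationships in a document generally need a click. Blocking outbound TCP 445 at the perimeter stops both from leaking NTLM to the Internet but not to a host the attacker already controls inside the network.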

Software

ID Name References Techniques
S0488 CrackMapExec [1] Account Discovery: Domain Account, Brute Force: Password Guessing, Brute Force, Brute Force: Password Spraying, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At (Windows), System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0357 Impacket [1][7][9] Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0500 MCMD [5] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Hide Artifacts: Hidden Window, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task
S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [1] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0029 PsExec [1][2] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0094 Trojan.Karagany [2][10] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Staged: Local Data Staging, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Thread Execution Hijacking, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks

References