1. Home
  2. Groups
  3. WIRTE

WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.[1][2]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 2.0
Created: 24 May 2019
Last Modified: 15 April 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.[1]
.005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBScript in its operations.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WIRTE has used Base64 to decode malicious VBS script.[1]
Enterprise T1105 Ingress Tool Transfer

WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate.[2]
Enterprise T1571 Non-Standard Port

WIRTE has used HTTPS over ports 2083 and 2087 for C2.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire for post-exploitation activities.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.[2]
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

WIRTE has used regsvr32.exe to trigger the execution of a malicious script.[1]
Enterprise T1204 .002 User Execution: Malicious File

WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.[2]

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0679 Ferocious [2] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Event Triggered Execution: Component Object Model Hijacking, Indicator Removal: File Deletion, Modify Registry, Peripheral Device Discovery, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S0680 LitePower [2] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Exfiltration Over C2 Channel, Ingress Tool Transfer, Native API, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery

References

  1. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  1. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.