GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
No groups
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. Windshift

Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]

ID: G0112
Associated Groups: Bahamut
Version: 1.0
Created: 25 June 2020
Last Modified: 26 June 2020
Version Permalink

Associated Group Descriptions

Name Description
Bahamut

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Windshift has used compromised websites to register custom URL schemes on a remote system.[2]
Enterprise T1036 Masquerading

Windshift has used icons mimicking MS Office files to mask malicious executables.[2]
.001 Invalid Code Signature

Windshift has used revoked certificates to sign malware.[2][1]
Enterprise T1566 .002 Phishing: Spearphishing Link

Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[1]
.001 Phishing: Spearphishing Attachment

Windshift has sent spearphishing emails with attachment to harvest credentials and deliver malware.[1]
.003 Phishing: Spearphishing via Service

Windshift has used fake personas on social media to engage and target victims.[1]

Enterprise T1204 .002 User Execution: Malicious File

Windshift has used e-mail attachments to lure victims into executing malicious code.[1]
.001 User Execution: Malicious Link

Windshift has used links embedded in e-mails to lure victims into executing malicious code.[1]

Software

ID Name References Techniques
S0466 WindTail [1][2][3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Command and Scripting Interpreter: Unix Shell, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Masquerading: Invalid Code Signature, Masquerading, Native API, Obfuscated Files or Information, System Time Discovery

References

  1. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
  2. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  1. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.