Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]

ID: G0112
Associated Groups: Bahamut
Version: 1.0
Created: 25 June 2020
Last Modified: 26 June 2020

Associated Group Descriptions

Name Description
Bahamut [1]

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Windshift has used compromised websites to register custom URL schemes on a remote system.[2]

Enterprise T1036 Masquerading

Windshift has used icons mimicking MS Office files to mask malicious executables.[2]

Enterprise T1036.001 Masquerading: Invalid Code Signature

Windshift has used revoked certificates to sign malware.[1][2]

Enterprise T1566.002 Phishing: Spearphishing Link

Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware.[1]

Enterprise T1566.003 Phishing: Spearphishing via Service

Windshift has used fake personas on social media to engage and target victims.[1]

Enterprise T1204.002 User Execution: Malicious File

Windshift has used e-mail attachments to lure victims into executing malicious code.[1]

Enterprise T1204.001 User Execution: Malicious Link

Windshift has used links embedded in e-mails to lure victims into executing malicious code.[1]

Software

ID Name References Techniques
S0466 WindTail [1][2][3]

Techniques: Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Command and Scripting Interpreter: Unix Shell, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Masquerading: Invalid Code Signature, Masquerading, Native API, Obfuscated Files or Information, System Time Discovery

References