Group: Magic Hound, Rocket Kitten, ...

Magic Hound, Rocket Kitten, ...
Group
ID G0059
Aliases Magic Hound, Rocket Kitten, Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish, Newscaster, Cobalt Gypsy
Contributors Bryan Lee

Magic Hound is an espionage campaign operating primarily in the Middle East that dates back to at least mid-2016. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based in or have business interests in Saudi Arabia.[1]

Alias Descriptions

  • Magic Hound - [1]
  • Rocket Kitten - Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten.[1][2]
  • Operation Saffron Rose - Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose.[1]
  • Ajax Security Team - Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team.[1]
  • Operation Woolen-Goldfish - Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish.[1]
  • Newscaster - Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[1]
  • Cobalt Gypsy - Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy.[3]

Techniques Used

  • PowerShell - Magic Hound has used PowerShell for execution.[1]
  • Remote File Copy - Magic Hound has downloaded additional code and files from its servers onto victim systems.[1]
  • System Information Discovery - Magic Hound malware has used a PowerShell command to check the victim system architecture and determine whether it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[1]
  • Commonly Used Port - Magic Hound malware has communicated with C2 servers over port 6667 (IRC) and port 8080.[1]
  • Uncommonly Used Port - Magic Hound malware has communicated with its C2 server over ports 4443 and 3543.[1]
  • File and Directory Discovery - Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[1]
  • Scripting - Magic Hound malware has used .vbs scripts for execution.[1]
  • Screen Capture - Magic Hound malware can take a screenshot and upload the file to its C2 server.[1]
  • Web Service - Magic Hound malware can use a SOAP web service to communicate with its C2 server.[1]
  • Spearphishing Attachment - Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros that download Pupy.[4]
  • Spearphishing Link - Magic Hound sent shortened URLs to victims over email. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy.[4]
  • User Execution - Magic Hound has attempted to get users to execute malware via social media and spearphishing emails.[4]
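The technique list above maps directly onto host and network telemetry a defender can query. The following is an added detection sketch written for this page; it is not ATT&CK content and not code from any of the cited reports. It runs four checks over constructed Sysmon-style events: an Office application spawning PowerShell or a Windows Script Host (the macro lures), PowerShell testing for an x64 host (the architecture check), wscript/cscript running a .vbs from a user-writable path, and outbound connections on the C2 ports named on the page. All events, IP addresses, file paths and command lines are invented for illustration; the `Event` class, rule names and the `ARCH_MARKERS` strings are this example's own assumptions about what such a check would look like, not observed Magic Hound artefacts.

```python
"""Constructed Sysmon-style events and detections for the Magic Hound TTPs listed
on this page (macro-spawned PowerShell/.vbs execution, PowerShell architecture
discovery, and C2 on ports 6667/8080/4443/3543).
All events, paths and command lines are made up for illustration."""
from dataclasses import dataclass

# Ports named on the page for Magic Hound C2 (IRC 6667, 8080, 4443, 3543).
C2_PORTS_NOISY = {6667, 8080}      # common enough that the initiating process matters
C2_PORTS_UNCOMMON = {4443, 3543}   # rare enough to alert on any initiator
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed substrings a PowerShell "is this x64?" check would contain.
ARCH_MARKERS = ("processor_architecture", "is64bitoperatingsystem",
                "is64bitprocess", "[intptr]::size")


@dataclass
class Event:
    kind: str               # "process" (Sysmon EID 1) or "network" (EID 3)
    image: str              # lowercase basename of the process image
    parent: str = ""        # parent image (process events only)
    cmdline: str = ""       # full command line (process events only)
    dst_ip: str = ""        # destination (network events only)
    dst_port: int = 0


def office_spawned_script_host(e: Event) -> bool:
    """Macro lure: Word/Excel/etc. launching PowerShell or a Windows Script Host."""
    return e.kind == "process" and e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS


def powershell_arch_discovery(e: Event) -> bool:
    """PowerShell checking whether the host is x64, as the page describes."""
    return (e.kind == "process" and e.image == "powershell.exe"
            and any(m in e.cmdline.lower() for m in ARCH_MARKERS))


def vbs_from_user_writable_path(e: Event) -> bool:
    """wscript/cscript running a .vbs that sits under a user-writable directory."""
    c = e.cmdline.lower()
    return (e.kind == "process" and e.image in {"wscript.exe", "cscript.exe"}
            and ".vbs" in c
            and any(p in c for p in ("\\appdata\\", "\\temp\\", "\\users\\public\\")))


def c2_port_from_script_host(e: Event) -> bool:
    """Outbound connection on a Magic Hound C2 port. 6667/8080 only count when a
    script host opens them (browsers and proxies use 8080 legitimately);
    4443/3543 count regardless of the initiating process."""
    if e.kind != "network":
        return False
    if e.dst_port in C2_PORTS_UNCOMMON:
        return True
    return e.dst_port in C2_PORTS_NOISY and e.image in SCRIPT_HOSTS


RULES = {
    "office_spawned_script_host": office_spawned_script_host,
    "powershell_arch_discovery": powershell_arch_discovery,
    "vbs_from_user_writable_path": vbs_from_user_writable_path,
    "c2_port": c2_port_from_script_host,
}


def run_detections(events):
    """Return (rule_name, event) pairs for every rule that fires on every event."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample telemetry (hypothetical; not real Magic Hound artefacts).
SAMPLE_EVENTS = [
    Event("process", "powershell.exe", parent="winword.exe",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"),            # macro lure
    Event("process", "powershell.exe", parent="powershell.exe",
          cmdline='powershell.exe -c "[Environment]::Is64BitOperatingSystem"'),
    Event("process", "wscript.exe", parent="explorer.exe",
          cmdline=r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"),
    Event("network", "powershell.exe", dst_ip="203.0.113.10", dst_port=4443),  # TEST-NET-3
    Event("network", "chrome.exe", dst_ip="203.0.113.10", dst_port=8080),      # benign proxy use
    Event("network", "wscript.exe", dst_ip="203.0.113.11", dst_port=6667),     # IRC from WSH
    Event("process", "powershell.exe", parent="explorer.exe",
          cmdline="powershell.exe Get-Date"),                                  # benign
]

if __name__ == "__main__":
    for name, e in run_detections(SAMPLE_EVENTS):
        where = e.cmdline or f"{e.dst_ip}:{e.dst_port}"
        print(f"{name:28s} {e.image:15s} {where}")
```

Run as a script it prints five hits (the macro-spawned PowerShell, the x64 check, the .vbs in Temp, and the two script-host connections on 4443 and 6667) and stays silent on the browser's 8080 traffic and the benign PowerShell. The split between `C2_PORTS_NOISY` and `C2_PORTS_UNCOMMON` is the practical caveat: the page's "Commonly Used Port" entries are only useful as an alert when joined with the initiating process, while 4443 and 3543 are unusual enough to be worth a look on their own.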

Software