# Snake Emulation Scenario 📖
Based on open-source intelligence, the ATT&CK® Evaluations team created the below scenario leveraging techniques seen from Turla in the wild. We have adapted the scenario based on tools and resources available at the time. Below is a
# Overview
This scenario is a continuation of Turla's multi-phase operation as part of an ongoing intelligence collection campaign. The attackers establish a typo-squatting website to target entities holding high-value information. Turla targets the victim with a drive-by compromise: through user interaction, an Adobe Flash installer bundled with EPIC is installed on the victim's Windows workstation. EPIC communicates with the C2 server through a proxy web server using HTTPS requests, persists via process injection, and performs enumeration on the victim's workstation. SNAKE is then deployed to maintain the foothold, elevate privileges, and communicate with the C2 via HTTP/SMTP/DNS.
Next, the attackers move laterally onto a Microsoft IIS server, install SNAKE, and create an admin account. They then move laterally onto an Exchange workstation and install SNAKE. Finally, the attackers move laterally onto an Exchange Server and install LightNeuron. LightNeuron enables email collection and staging of stolen data for exfiltration via benign-looking email PDF/JPG attachments. In this way, the threat actors collect and exfiltrate sensitive communications in an effort to identify new information sources and gather up-to-date information that furthers the mission objectives.
Phase 1: Eglė, an IIS admin, visits a legitimate but compromised website. The website contains JavaScript that fingerprints visitors using an MD5 hash. Now identified as a target, the next time Eglė visits the website the JavaScript initiates a drive-by compromise via a malicious Adobe Flash installer. Through Eglė's interaction, the malicious Adobe Flash installer bundled with EPIC is installed on the victim's Windows workstation. EPIC begins to communicate with the C2 server through a proxy web server using HTTPS requests.
Phase 2: EPIC persists via process injection and conducts defense evasion, specifically searching for commonly named processes associated with network defense applications and applying guardrails so that it does not persist on previously infected devices. The attackers then use EPIC to perform enumeration on Eglė's workstation. The results are saved in a zip file for exfiltration and deleted after exfiltration. Next, SNAKE is deployed as second-stage malware on Eglė's workstation to maintain a foothold and elevate privileges while communicating with C2 via HTTP/SMTP/DNS. With kernel access via SNAKE, the attackers collect user log-in information from Eglė's workstation, enabling the collection and compromise of valid accounts.
Phase 3: An account found on Eglė's workstation is used to move laterally onto the Microsoft IIS server. SNAKE is installed on the IIS server and the attackers create their own admin account, gaining unrestricted access on the network. Next, the attackers move laterally to Žilvinas' Exchange workstation and install SNAKE. A new user account, Leshy, is created and added to the Domain Admins group. The attackers then move laterally onto the Exchange Server and install LightNeuron. LightNeuron's rule modification enables collection and staging for exfiltration. LightNeuron exfiltrates stolen data via benign-looking email PDF/JPG attachments to attacker-controlled email addresses.
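Phase 3 leaves a telemetry pattern defenders can correlate: an account is created and, moments later, added to a privileged group (the attackers' own admin account on the IIS server, then Leshy in Domain Admins). The following is an added example, not code from the ATT&CK Evaluations page or from the emulation tooling, that applies that correlation over constructed Windows Security log records. The field names, host names, account names and timestamps are assumptions for illustration; event IDs 4720, 4728 and 4732 are the standard Windows audit IDs for user account creation, member added to a global group, and member added to a local group.

```python
from datetime import datetime

# Constructed sample events, loosely modelled on Windows Security log records.
# Event IDs: 4720 = user account created, 4728 = member added to a
# security-enabled global group, 4732 = member added to a security-enabled
# local group. Hosts, accounts and timestamps are made up for this example.
SAMPLE_EVENTS = [
    # Attacker creates a local admin on the IIS server (Phase 3, step 1).
    {"time": "2023-09-01T09:58:30", "event_id": 4720, "host": "iis-server",
     "subject": "svc_backup", "target": "iisbackup", "group": None},
    {"time": "2023-09-01T09:59:02", "event_id": 4732, "host": "iis-server",
     "subject": "svc_backup", "target": "iisbackup", "group": "Administrators"},
    # Attacker creates Leshy and adds it to Domain Admins (logged on the DC).
    {"time": "2023-09-01T10:02:11", "event_id": 4720, "host": "dc01",
     "subject": "svc_backup", "target": "Leshy", "group": None},
    {"time": "2023-09-01T10:02:40", "event_id": 4728, "host": "dc01",
     "subject": "svc_backup", "target": "Leshy", "group": "Domain Admins"},
    # Benign onboarding: created and added to Domain Users; the later local
    # Administrators addition is two days out and falls outside the window.
    {"time": "2023-09-01T11:30:00", "event_id": 4720, "host": "dc01",
     "subject": "hr_admin", "target": "new.hire", "group": None},
    {"time": "2023-09-01T11:30:20", "event_id": 4728, "host": "dc01",
     "subject": "hr_admin", "target": "new.hire", "group": "Domain Users"},
    {"time": "2023-09-03T09:00:10", "event_id": 4732, "host": "ws-42",
     "subject": "helpdesk", "target": "new.hire", "group": "Administrators"},
]

# Groups whose membership grants broad control; extend to fit the environment.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
MEMBER_ADDED_IDS = {4728, 4732}


def find_new_privileged_accounts(events, window_seconds=3600):
    """Return one alert per account that is created (4720) and then added to a
    privileged group (4728/4732) within window_seconds, in time order."""
    created = {}   # account name (lower-cased) -> creation time
    alerts = []
    # ISO-8601 strings of equal shape sort correctly as text.
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        name = ev["target"].lower()
        if ev["event_id"] == 4720:
            created[name] = t
            continue
        if ev["event_id"] not in MEMBER_ADDED_IDS:
            continue
        if (ev["group"] or "").lower() not in PRIVILEGED_GROUPS:
            continue
        t0 = created.get(name)
        if t0 is None:
            continue  # pre-existing account; a different, lower-severity case
        delta = (t - t0).total_seconds()
        if 0 <= delta <= window_seconds:
            alerts.append({
                "target": ev["target"],
                "group": ev["group"],
                "created_by": ev["subject"],
                "host": ev["host"],
                "seconds_after_creation": int(delta),
            })
    return alerts


if __name__ == "__main__":
    for a in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT {a['target']} added to {a['group']} by {a['created_by']} "
              f"on {a['host']} {a['seconds_after_creation']}s after creation")
```

On the constructed input the function flags the IIS local admin and Leshy, and ignores the onboarding case because Domain Users is not privileged and the later Administrators addition is outside the one-hour window. In production the match should also consider the account SID and domain rather than the bare name, since the same name can legitimately exist on several hosts.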
# Scenario Steps👣
# Infrastructure Diagram