Threat Intelligence Update 06 Dec - 11 Dec 2024 TLP: CLEAR

ID

Name

Tactic 

Procedure

Description

Logs

T1564.003

Hidden Window

Defense Evasion

Detects hidden processes or windows.

Attackers hide processes to execute malicious activity.

Process creation logs, Window management logs.

T1587.001

Malware

Resource Development

Monitor malware creation or deployment activity.

Malware is developed or used by attackers for system access.

Malware samples, Threat intelligence feeds.

T1021.005

VNC

Lateral Movement

Monitor VNC connections and unusual remote access.

VNC allows lateral movement within the network.

Remote desktop logs, Authentication logs.

T1056.001

Keylogging

Credential Access

Detects keylogging tools or suspicious input capture.

Keylogging steals user credentials by capturing keystrokes.

Process logs, Endpoint detection logs.

T1526

Cloud Service Discovery

Discovery

Detects cloud API calls and service discovery patterns.

Attackers enumerate cloud resources for exploitation.

Cloud service logs, API logs.

T1027

Obfuscated Files or Information

Defense Evasion

Identify and analyze obfuscated files or scripts.

Obfuscation hides malicious files to avoid detection.

Command line logs, Process creation logs.

T1543.003

Windows Service

Persistence

Check for unauthorized service creation in Windows.

Attackers create malicious Windows services for persistence.

Event ID: 7045, Service control logs.

T1056

Input Capture

Credential Access

Detect unauthorized input capture techniques.

Attackers capture input to steal sensitive information.

Process logs, Endpoint logs.

T1113

Screen Capture

Collection

Monitor for screen capture tools or activities.

Screen captures collect sensitive information for exfiltration.

Application logs, Process logs.

T1027.013

Encrypted/Encoded File

Defense Evasion

Detect encrypted or encoded files in unusual locations.

Encrypted files are used to evade detection during exfiltration.

File system logs, Endpoint logs.

T1071.003

Mail Protocols

Command and Control

Monitor mail protocol traffic for potential C2 activity.

Mail protocols like SMTP may be used for C2 communication.

Email traffic logs, Network logs.

T1562

Impair Defenses

Defense Evasion

Check for disabled security mechanisms or misconfigured defenses.

Attackers impair security to bypass detection systems.

Security logs, Event ID: 7036.

T1008

Fallback Channels

Command and Control

Detects backup C2 channels during main channel disruption.

Fallback channels ensure continued communication for C2.

Network traffic logs, IDS logs.

T1048.001

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration

Monitor encrypted traffic for data exfiltration attempts.

Encrypted protocols are used to exfiltrate data covertly.

Network logs, TLS/SSL inspection logs.

T1132

Data Encoding

Command and Control

Detects encoded payloads in network traffic.

Encoding obfuscates data to evade detection during transfer.

Network traffic logs, Proxy logs.

T1573.001

Symmetric Cryptography

Command and Control

Look for symmetric encryption used for C2 communications.

Symmetric cryptography ensures secure C2 communication.

Network traffic logs, Encrypted session logs.

T1573

Encrypted Channel

Command and Control

Monitor encrypted channels for malicious activity.

Encrypted channels ensure that C2 is secured against detection.

Network logs, TLS/SSL inspection logs.

T1560

Archive Collected Data

Collection

Detects large archive files being created or exfiltrated.

Archiving data facilitates bulk exfiltration.

File system logs, Archive tool logs.

T1600.001

Reduce Key Space

Defense Evasion

Analyze weak encryption by key length reduction.

Reducing key space makes it easier for attackers to break encryption.

Cryptographic configuration logs, Application logs.

T1584.008

Network Devices

Resource Development

Monitor for changes in network devices.

Network devices are targeted to expand attacker infrastructure.

Network device logs, Configuration logs.

T1543.002

Systemd Service

Persistence

Check for unauthorized systems service entries.

Systems services can be used to maintain persistence on Linux.

System logs, Service creation logs.

T1583.004

Server

Resource Development

Monitor server setup for suspicious activity.

Servers are used for command and control by attackers.

Hosting logs, Threat intelligence feeds.

T1590.002

DNS

Reconnaissance

Monitor DNS queries for reconnaissance activity.

DNS queries help attackers map network infrastructure.

DNS logs, Network logs.

T1590.006

Network Security Appliances

Reconnaissance

Monitor network device configuration changes.

Attackers gather details about security appliances.

Network device logs, Configuration logs.

T1583.005

Botnet

Resource Development

Monitor traffic patterns suggesting botnet recruitment.

Botnets expand an attacker's control for large-scale attacks.

Network traffic logs, IDS logs.

T1040

Network Sniffing

Credential Access

Detect unauthorized packet sniffing activities.

Sniffing network traffic captures credentials and sensitive data.

Network traffic logs, IDS/IPS logs.

T1608

Stage Capabilities

Resource Development

Monitor for tools or infrastructure used for staging attacks.

Staging capabilities prepare attackers for future operations.

System logs, Tool installation logs.

T1589.001

Credentials

Credential Access

Monitor for stolen or compromised credentials in use.

Stolen credentials enable lateral movement and access.

Authentication logs, Access logs.

ID

Name

Tactic 

Procedure

Description

Logs

T1566.001

Spearphishing Attachment

Initial Access

Malicious email attachments targeted at specific users.

Attackers use spearphishing emails with malicious attachments to gain access.

Email logs, Attachment metadata, Antivirus logs, Email filtering logs.

T1059.005

Visual Basic

Execution

Executing Visual Basic scripts via email attachments or macros.

Malicious Visual Basic code is used for executing exploits or payloads.

Process creation logs, Script execution logs.

T1059.007

JavaScript

Execution

Malicious JavaScript executed through web or email attachments.

JavaScript-based exploits or payloads are delivered to execute on the victim's machine.

Web traffic logs, Email logs, Script execution logs.

T1204.002

Malicious File

Execution

Execution of malicious files via social engineering.

Malicious files are executed, often disguised as legitimate documents or software.

File execution logs, Antivirus logs, Process creation logs.

T1547.001

Registry Run Keys / Startup Folder

Persistence

Modifying registry keys or adding files to startup folders.

Malware adds registry keys or files to start automatically on boot.

Registry modification logs, Process creation logs, System startup logs.

T1027.006

HTML Smuggling

Defense Evasion

Encapsulating malicious payloads within HTML tags or content.

Attackers use HTML smuggling to hide payloads in web traffic, bypassing security checks.

Web traffic logs, IDS/IPS logs, File system logs.

T1027.013

Encrypted/Encoded File

Defense Evasion

Using encryption or encoding to hide malicious files.

Attackers encrypt or encode files to evade detection by security tools.

File system logs, Antivirus logs, Network traffic logs (if file is transmitted).

T1071.001

Web Protocols

Command and Control

Use of HTTP/HTTPS for C2 communication.

Command and control communications use web protocols to bypass firewalls or proxies.

Web traffic logs, DNS logs, Proxy logs.

T1568.001

Fast Flux DNS

Command and Control

Using fast-flux DNS techniques to dynamically change IP addresses.

Attackers use fast-flux DNS to hide C2 servers and make tracking difficult.

DNS query logs, Network traffic logs, DNS resolution logs.

T1590.002

DNS

Reconnaissance

Conducting DNS queries for reconnaissance.

DNS queries are used to gather information about the network or systems.

DNS logs, Network traffic logs, Firewall logs.

T1566

Phishing

Initial Access

Sending malicious emails to trick users into providing information or downloading malware.

Phishing emails are crafted to appear legitimate, and users are tricked into revealing credentials or downloading malicious attachments.

Email logs, User login logs, Antivirus logs, Web filtering logs.

T1140

Deobfuscate/Decode Files or Information

Defense Evasion

Deobfuscating or decoding files and information to reveal malicious code.

Attackers use techniques like base64 encoding to obfuscate the malicious code in files.

Antivirus logs, File system logs, Process logs, Memory analysis.

T1562

Impair Defenses

Defense Evasion

Disabling security mechanisms to bypass detection.

Attackers disable security software like antivirus or firewall to avoid detection.

Security tool logs, Event logs, IDS/IPS logs.

T1569

System Services

Persistence

Modifying or installing system services to maintain access.

Attackers install system services to maintain persistence across reboots.

Service creation logs, Process creation logs, System logs.

ID

Name

Tactic 

Procedure

Description

Logs

T1005

Data from Local System

Collection

Harvesting Local Files

Collects files and sensitive information from the local file system.

File access logs: Unusual access to sensitive directories or file downloads.

T1007

System Service Discovery

Discovery

Enumerating Running Services

Identifies services running on the system for further exploitation.

Service logs: Commands querying running services such as sc query.

T1016

System Network Configuration Discovery

Discovery

Identifying Network Configurations

Gathers information about network configurations, interfaces, and routing.

Network logs: Commands querying configurations like ipconfig or ifconfig.

T1033

System Owner/User Discovery

Discovery

Identifying System User Information

Retrieves user account information on the system.

System logs: Commands querying user accounts like whoami or id.

T1041

Exfiltration Over C2 Channel

Exfiltration

Data Exfiltration via Command and Control

Exfiltrates sensitive data through established C2 channels.

Network logs: Large or continuous data transfers to external IPs/domains.

T1059.002

AppleScript

Execution

Using AppleScript for Execution

Executes malicious payloads using macOS AppleScript.

macOS logs: AppleScript execution logs or scripting activity.

T1070.004

File Deletion

Defense Evasion

Deleting Files to Remove Evidence

Deletes files to remove traces of malicious activity.

File system logs: Sudden deletion of logs or critical files.

T1071.001

Web Protocols

Command and Control

Command and Control Over HTTPS

Uses web protocols like HTTPS for secure communication with C2 servers.

Network logs: Encrypted traffic to known or suspicious C2 endpoints.

T1074

Data Staged

Collection

Preparing Data for Exfiltration

Stores collected data in a staging area before exfiltration.

File system logs: Creation of staging directories or unusual compression activity.

T1082

System Information Discovery

Discovery

Enumerating System Details

Gathers information about the target system, such as OS version and hardware details.

System logs: Commands querying system information like uname or systeminfo.

T1114

Email Collection

Collection

Harvesting Email Data

Accesses email content through compromised accounts or email servers to collect sensitive information.

Email server logs: Unusual access patterns or bulk email export activities.

T1204

User Execution

Execution

Execution Triggered by User Action

Relies on user interaction, such as opening malicious attachments or clicking links, to execute malware.

Email and web logs: Monitor user actions leading to execution of suspicious files or links.

T1217

Browser Information Discovery

Discovery

Gathering Browser Information

Collects information about browser settings, extensions, and history.

Browser logs: Access to browser configuration or settings files.

T1497.001

System Checks

Defense Evasion

Detecting Analysis Environments

Performs checks to determine if the malware is running in a sandbox or virtualized environment.

System logs: Queries for virtualization or debugging indicators.

T1539

Steal Web Session Cookie

Credential Access

Stealing Session Cookies

Captures and uses session cookies to hijack user sessions.

Network logs: Look for unauthorized session cookie use or exports.

T1547.001

Registry Run Keys / Startup Folder

Persistence

Persistence via Registry Keys

Adds malicious entries to the registry or startup folders to ensure execution on system boot.

Registry logs: Changes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

T1553.001

Gatekeeper Bypass

Defense Evasion

Bypassing macOS Gatekeeper

Evades security checks on macOS by bypassing Gatekeeper.

macOS security logs: Attempts to disable or bypass Gatekeeper.

T1553.002

Code Signing

Defense Evasion

Using or Forging Code Signatures

Signs malicious code to make it appear legitimate or trusted.

File integrity logs: Verification of code signatures for discrepancies.

T1555.001

Keychain

Credential Access

Accessing macOS Keychain

Extracts credentials and sensitive information stored in the macOS Keychain.

macOS logs: Unauthorized access or dumps of keychain data.

T1555.003

Credentials from Web Browsers

Credential Access

Harvesting Stored Browser Credentials

Extracts credentials and session data stored in web browsers.

Application logs: Access to browser credential storage files.

T1556.004

Network Device Authentication

Credential Access

Compromising Network Device Authentication

Exploits network device authentication mechanisms to gain access.

Device logs: Authentication anomalies or failed login attempts.

T1562.011

Spoof Security Alerting

Defense Evasion

Generating Fake Security Alerts

Generates or spoofs alerts to mislead defenders and hide activity.

Security tool logs: Unexpected alert configurations or spoofed alert messages.

T1574.005

Executable Installer File Permissions Weakness

Defense Evasion

Abusing Installer File Permissions

Exploits weak permissions on installer files to escalate privileges.

File integrity logs: Changes to installer files or permissions.

T1587.001

Malware

Resource Development

Developing or Procuring Malware

Creates or acquires malware for use in operations.

Threat intelligence logs: Detection of known malware signatures or variants.

T1606

Forge Web Credentials

Credential Access

Generating Fake Web Credentials

Creates forged web credentials for malicious purposes.

Web server logs: Access attempts using fake or invalid credentials.

T1608

Stage Capabilities

Resource Development

Staging Malware or Tools

Uploads or prepares tools and payloads on infrastructure for operations.

Network and server logs: Uploads or transfers of suspicious files to staging environments.

T1657

Financial Theft

Impact

Stealing Financial Information

Targets financial information, such as bank account details or credit card numbers.

Application and transaction logs: Unusual access or modifications to financial data.

Type

Value

File Name

CallCSSetup.pkg

File Name

Meeten.exe

File Name

UpdateMC.exe

File Name

MicrosoftRuntimeComponentsX64.exe

File Name

MeetenApp.exe

File Name

Package.json

File Name

index.js

File Name

Node.js

File Name

AdditionalFilesForMeet.zip

File Name

UpdateMC.zip

Hash

9b2d4837572fb53663fffece9415ec5a

Hash

6a925b71afa41d72e4a7d01034e8501b

Hash

209af36bb119a5e070bad479d73498f7

Hash

d74a885545ec5c0143a172047094ed59

Hash

09b7650d8b4a6d8c8fbb855d6626e25d

Domain

clusee[.]com

Domain

cuesee[.]com

Domain

meeten[.]gg

Domain

meeten[.]us

Domain

meetone[.]gg

Domain

deliverynetwork[.]observer

Domain

www[.]meeten[.]us

Domain

www[.]meetio[.]one

Domain

www[.]meetone[.]gg

Domain

www[.]clusee[.]com

IP Address

139[.]162[.]179[.]170:8080/new_analytics

IP Address

139[.]162[.]179[.]170:8080/opened

IP Address

172[.]104[.]133[.]212/opened

IP Address

172[.]104[.]133[.]212

IP Address

199[.]247[.]4[.]86

IP Address

139[.]162[.]179[.]170:8080

URL

http[:]//172[.]104[.]133[.]212:8880/new_analytics

URL

http[:]//172[.]104[.]133[.]212:8880/opened

URL

http[:]//172[.]104[.]133[.]212:8880/metrics

URL

http[:]//172[.]104[.]133[.]212:8880/sede