Our last release looked at the APT40 targeting the defense industry with multi-stage Office documents to gain initial access.
For this week’s TTP Tuesday we are releasing a new APT40 themed chain based on persistence techniques used while targeting the maritime industry. Rather than persisting malware used by APT40 during their maritime-related targeting, each technique in this week’s chain will enable you to persist and spawn a new Pneuma session.
BITSAdmin is a Microsoft tool for managing Background Intelligent Transfer Service that is used to download or upload files from HTTP servers, SMB shares, and Windows updates. BITSAdmin is notable because an attacker may use this signed binary to download their payloads, or even execute code, and potentially evade detection or prevention. More information on BITSadmin abuse can be found on the LOLBAS project.
This week’s release contains a technique that uses BITSadmin to download a Pneuma agent from Operator and place it in a staging directory.
The Windows Startup folder is used to launch applications and open documents automatically at Windows Startup. APT40 placed Windows Shortcuts (.lnk files) in the Startup folder to execute malware.
We’re releasing two methods of Startup persistence in this week’s chain; execution of a VBScript to download and run a Pneuma agent, and a .lnk file that executes a Pneuma agent from a staging directory.
As an added bonus, this week’s chain includes a WMI event subscription technique to start a new Pneuma session from a staging directory. Where our previous WMI persistence technique was used to execute disarmed malware, this week you’ll be able to spawn a new agent session back to Operator.
Thanks for reading! We’ll be back next week with more examples of APT40 tradecraft!
Watch a demonstration: APT40 Maritime Industry
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman