Operation Ghost

Drops an image with an agent encoded into it onto the system, decodes the contents, and starts Schism. This chain is based on the steganographic staging methodology used in APT29's Operation Ghost.

TTP Tuesday: APT29 - Operation Ghost

Decode and execute steganographic payloads

Theme Overview

For this week’s TTP Tuesday we are releasing a new APT29 themed chain based on Operation Ghost, a campaign against embassies in the United States. ESET identified the campaign and attributed it to APT29. The operation stands out for its length (believed to have lasted at least 6 years) and its sophisticated evasion techniques.

Steganography: Stealth through obscurity

This week's kill chain focuses on the staging process of APT29’s malware (collectively referred to as the Dukes). The malware used in this operation consisted of 4 stages, and steganography was used in the first two of them to store payloads and commands for the C2. We emulated this staging process by encoding Schism (a fully modular Python based HTTP agent) into a PNG file, running a decoder to recover its contents, and executing Schism. We hope this kill chain demonstrates the defense evasion techniques adversaries rely on.
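Detecting the staged artefact described above, as an added example that is not part of Prelude's chain or the original post: the post does not say how Schism was encoded into the PNG, so this Python checker flags the structural indicators a defender can look for in any PNG regardless of the scheme used: bytes after the IEND chunk, chunk types outside the PNG specification, CRC mismatches, and oversized text chunks. The `build_sample_png` helper is a constructed test fixture (a 1x1 grayscale image), not a file from the campaign; the hypothetical chunk name `stEg` used in the test is likewise made up.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (critical + registered ancillary).
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}

# Text chunks larger than this are unusual for real metadata; threshold is an assumption.
MAX_TEXT_CHUNK = 1024


def parse_chunks(data):
    """Walk the PNG chunk list and return (chunks, trailing_bytes).

    Each chunk is (type, payload, crc_ok). Parsing stops at IEND; anything
    left after it is returned as trailing_bytes, which a well-formed PNG never has.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        # CRC covers the type field and the payload, not the length.
        expected = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        crc_ok = expected == struct.unpack(">I", crc_field)[0]
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def png_findings(data):
    """Return human-readable indicators that a PNG may be carrying extra data."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % name)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(payload)))
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and len(payload) > MAX_TEXT_CHUNK:
            findings.append("oversized text chunk %s (%d bytes)" % (name, len(payload)))
    return findings


def _chunk(ctype, payload):
    """Serialize one PNG chunk with a correct CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(extra_chunks=(), trailing=b""):
    """Constructed 1x1 grayscale PNG used only as test input for the checker."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one gray pixel
    body = _chunk(b"IHDR", ihdr)
    body += b"".join(_chunk(t, p) for t, p in extra_chunks)
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return PNG_SIGNATURE + body + trailing


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, png_findings(fh.read()) or "clean")
```

Run it as `python png_check.py image.png` to triage files. The checker only sees structural anomalies; a payload hidden in the pixel data itself (for example in the low bits of each sample) passes these checks, so it complements rather than replaces process-level detection of the decoder and the agent it launches.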

Watch a demonstration: APT29 Operation Ghost

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Decode Schism from PNG
Stage PNG encoded payload
Launch Schism agent