For this week’s TTP Tuesday we are releasing a new APT29-themed chain based on Operation Ghost, a campaign against embassies in the United States. ESET identified the attack and attributed it to APT29. The operation stands out for its length (believed to have lasted at least 6 years) and its sophisticated evasion techniques.
This week's kill chain focuses on the staging process of APT29’s malware (collectively referred to as the Dukes). The malware used in this operation consisted of 4 stages, and steganography was used in the first two stages to hide payloads and C2 commands inside images. We emulated this staging process by encoding Schism (a fully modular Python-based HTTP agent) into a PNG file, running a decoder to recover its contents, and executing Schism. We hope this kill chain helps demonstrate the defense evasion techniques adversaries use.
Watch a demonstration: APT29 Operation Ghost
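From the defender's side, the first question about a PNG like the one staged above is whether it is only a picture. The following inspector is an added example and not part of the Prelude release or the Schism project: it walks the PNG chunk list and reports the things a payload-carrying image tends to show (chunk types outside the standard set, CRC failures, bytes after IEND, and decompressed IDAT data beyond what the IHDR geometry needs). The sample images, including the private chunk name "stEg", are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA", b"cHRM",
         b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"tIME", b"tRNS", b"hIST", b"sPLT"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def inspect_png(blob):
    """Report non-standard chunk types, CRC failures, bytes after IEND and surplus
    decompressed IDAT data (decoders silently ignore the surplus, so it can carry a payload)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    rep = {"chunks": [], "unknown": [], "bad_crc": [], "trailing": 0, "idat_excess": 0}
    idat, expected, pos = b"", 0, len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            break  # truncated chunk: everything from here on counts as trailing bytes
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        rep["chunks"].append(ctype)
        if ctype not in KNOWN:
            rep["unknown"].append(ctype)
        if zlib.crc32(ctype + data) != crc:
            rep["bad_crc"].append(ctype)
        if ctype == b"IHDR":
            w, h, depth, colour = struct.unpack(">IIBB", data[:10])
            # one filtered scanline = 1 filter byte + ceil(width * samples * depth / 8)
            expected = h * (1 + (w * CHANNELS.get(colour, 1) * depth + 7) // 8)
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length
        if ctype == b"IEND":
            break
    rep["trailing"] = len(blob) - pos
    try:
        rep["idat_excess"] = max(0, len(zlib.decompress(idat)) - expected)
    except zlib.error:
        rep["bad_crc"].append(b"IDAT:zlib")
    return rep

# Constructed samples (not from the page): a clean 1x1 grayscale PNG and a copy carrying
# stand-in bytes in a hypothetical private chunk "stEg", inside IDAT, and after IEND.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", zlib.compress(b"\0\0")) + _chunk(b"IEND", b"")
CARRIER_PNG = (PNG_SIG + _chunk(b"IHDR", _IHDR) + _chunk(b"stEg", b"placeholder-bytes")
               + _chunk(b"IDAT", zlib.compress(b"\0\0" + b"X" * 100)) + _chunk(b"IEND", b"") + b"\0" * 32)
```

Any non-empty field other than `chunks` is worth a closer look; a clean image from a camera or editor normally yields an empty `unknown` list, no trailing bytes and zero IDAT excess.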
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg