Incident Score: Analysis & Impact (BLE1775291298)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (80%), supported by evidence indicating distributed via social engineering, masquerading as cracked tools and Drive-by Compromise (T1189) with moderate confidence (50%), supported by evidence indicating trojanized cracked tools for credential checking. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating malware installed via trojanized cracked tools. Under the Persistence tactic, the analysis identified Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate confidence (60%), supported by evidence indicating malware likely establishes persistence on infected devices. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001) with moderate confidence (50%), supported by evidence indicating malware manipulates user interfaces and system tools. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with high confidence (90%), supported by evidence indicating employs code virtualization and cross-platform programming languages, Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating mimics legitimate traffic using Spotify and Chess.com profiles, and Hide Artifacts: Hidden Window (T1564.003) with moderate to high confidence (70%), supported by evidence indicating malware operates stealthily to avoid detection. Under the Credential Access tactic, the analysis identified Credentials from Password Stores (T1555) with high confidence (90%), supported by evidence indicating steals credentials from Chromium-based browsers, crypto wallets, email clients, Steal Web Session Cookie (T1539) with moderate to high confidence (70%), supported by evidence indicating targets messengers (Telegram, Discord) and VPN apps, and Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (80%), supported by evidence indicating searches photo galleries for crypto-wallet seed phrases. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with high confidence (90%), supported by evidence indicating collects system data, running processes, installed apps, File and Directory Discovery (T1083) with moderate to high confidence (80%), supported by evidence indicating scans for keywords in Japanese, Korean, and Chinese, and Process Discovery (T1057) with moderate to high confidence (70%), supported by evidence indicating collects running processes on infected devices. Under the Collection tactic, the analysis identified Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence indicating collects screenshots from infected devices, Data from Local System (T1005) with high confidence (90%), supported by evidence indicating steals credentials, crypto-wallet seed phrases, and system data, and Data from Information Repositories (T1213) with moderate to high confidence (70%), supported by evidence indicating targets browser data, messenger data, and VPN app data. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating uses dead-drop C2 infrastructure via public profiles, Web Service (T1102) with moderate to high confidence (80%), supported by evidence indicating stores C2 addresses in Chess.com and Spotify profiles, and Data Obfuscation: Protocol Impersonation (T1001.003) with moderate to high confidence (70%), supported by evidence indicating mimics legitimate traffic to evade detection. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration confirmed via C2 infrastructure and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate confidence (60%), supported by evidence indicating potential exfiltration via public profiles or cloud services. Under the Impact tactic, the analysis identified Defacement: Internal Defacement (T1491.001) with moderate to high confidence (70%), supported by evidence indicating manipulates user interfaces (rotating screens, jittering cursors), Data Encrypted for Impact (T1486) with lower confidence (40%), supported by evidence indicating potential encryption of crypto-wallet data for ransom, and Data Manipulation: Transmitted Data Manipulation (T1565.002) with moderate to high confidence (80%), supported by evidence indicating swaps crypto-wallet addresses in the clipboard. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.