Incident Score: Analysis & Impact (MOZPHAGITPROGOOGIT1780935989)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.001) with high confidence (90%), supported by evidence indicating sent over 250 malicious emails...fake job offers and code-review requests and Phishing: Spearphishing Attachment (T1566.002) with moderate to high confidence (80%), supported by evidence indicating lure victims into cloning malicious GitHub or GitLab repositories. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: JavaScript (T1059.007) with moderate to high confidence (80%), supported by evidence indicating windows ran JavaScript directly in the editor, leaving no disk footprint and Serverless Execution (T1648) with moderate to high confidence (70%), supported by evidence indicating exploiting a legitimate editor feature...tasks.json file executed automatically. Under the Persistence tactic, the analysis identified Browser Extensions (T1176) with high confidence (90%), supported by evidence indicating installed a fake Google-themed VS Code extension...persistence by relaunching and Create or Modify System Process: Windows Service (T1543.003) with moderate confidence (60%), supported by evidence indicating ensuring persistence by relaunching on macOS and Linux. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003) with moderate to high confidence (80%), supported by evidence indicating macOS/Linux displayed a fake password prompt...escalate privileges. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with high confidence (90%), supported by evidence indicating after exfiltration, the malware deleted itself to evade detection, Deobfuscate/Decode Files or Information (T1140) with moderate to high confidence (70%), supported by evidence indicating self-contained payloads that persist even after infrastructure takedowns, and Exploitation for Defense Evasion (T1211) with moderate to high confidence (80%), supported by evidence indicating exploiting a legitimate editor feature...tasks.json file executed automatically. Under the Credential Access tactic, the analysis identified Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with high confidence (90%), supported by evidence indicating saved passwords & cookies from Chrome, Brave, Edge, and Firefox, Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (80%), supported by evidence indicating browser extensions such as MetaMask, Phantom, Keplr...Desktop wallets such as Exodus, Electrum, and Credentials from Password Stores: Keychain (T1555.001) with moderate to high confidence (80%), supported by evidence indicating macOS/Linux...dump keychains. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating targeted cryptocurrency wallets and browser credentials and Automated Collection (T1119) with moderate to high confidence (70%), supported by evidence indicating go-based remote access trojan (RAT) from the open-source Overlord framework. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data theft & wallet drainage...cryptocurrency wallets and browser credentials. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with moderate to high confidence (80%), supported by evidence indicating cryptocurrency wallet drainage. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.