Incident Score: Analysis & Impact (MOO1770130358)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing (T1566) with high confidence (95%), with evidence including phishing campaign targeting macOS users, and emails requesting basic company details and Phishing: Spearphishing Attachment (T1566.001) with high confidence (90%), supported by evidence indicating attachments masquerading as Word or PDF files (AppleScript files). Under the Execution tactic, the analysis identified Command and Scripting Interpreter: AppleScript (T1059.002) with high confidence (90%), supported by evidence indicating malicious AppleScript files with double extensions (e.g., .docx.scpt) and User Execution: Malicious File (T1204.002) with moderate to high confidence (85%), supported by evidence indicating trick victims into executing malicious AppleScript files. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating attachments masquerading as Word or PDF files (double extensions), Subvert Trust Controls: SIP and Trust Provider Hijacking (T1553.003) with moderate to high confidence (80%), supported by evidence indicating bypass macOS Transparency, Consent, and Control (TCC) protections, Reflective Code Loading (T1620) with moderate to high confidence (70%), supported by evidence indicating injecting SQL commands into the privacy database, and Process Injection (T1055) with moderate to high confidence (70%), supported by evidence indicating granting itself camera access, screen recording, and keylogging. Under the Credential Access tactic, the analysis identified Input Capture: Keylogging (T1056.001) with moderate to high confidence (85%), supported by evidence indicating keylogging capabilities granted via TCC bypass and Credentials from Password Stores (T1555) with moderate to high confidence (80%), supported by evidence indicating counterfeit permission dialogs tricking users into entering admin passwords. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (85%), supported by evidence indicating collects system details (CPU architecture, macOS version). Under the Collection tactic, the analysis identified Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence indicating screen recording capabilities granted via TCC bypass, Audio Capture (T1123) with moderate to high confidence (70%), supported by evidence indicating camera access granted via TCC bypass, and Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating collects system details and credentials. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating downloads additional payloads from sevrrhst.com and Ingress Tool Transfer (T1105) with moderate to high confidence (85%), supported by evidence indicating downloads additional payloads from attacker-controlled domain. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating base64-encoded credentials exfiltrated to attacker’s server. Under the Persistence tactic, the analysis identified Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (70%), supported by evidence indicating node.js runtime environment for persistence. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.