Incident Score: Analysis & Impact (DROROBNPMGIT1773476652)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) with high confidence (90%), supported by evidence indicating malicious npm packages such as bluelite-bot-manager and test-logsmodule-v-zisko. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: JavaScript (T1059.007) with moderate to high confidence (80%), supported by evidence indicating obfuscated JavaScript in 321MB archive downloaded via pre-install scripts and User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating windows executable downloaded from Dropbox acted as a dropper. Under the Persistence tactic, the analysis identified Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (70%), supported by evidence indicating modified Discord’s installation files to auto-execute malicious script. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate to high confidence (80%), supported by evidence indicating elevate.exe, a legitimate tool repurposed to escalate privileges. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with high confidence (90%), supported by evidence indicating 321MB archive containing obfuscated JavaScript and embedded Python script, Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating disguised as Roblox script executor named Solara, and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), supported by evidence indicating patched BetterDiscord core files to disable webhook protections. Under the Credential Access tactic, the analysis identified Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with high confidence (90%), supported by evidence indicating stole passwords, cookies, autofill data from Chrome, Edge, Brave, Opera, Yandex, Steal Application Access Token (T1528) with moderate to high confidence (80%), supported by evidence indicating captured Discord credentials, 2FA codes, and credit card details, and Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (70%), supported by evidence indicating decrypted Exodus wallet seed files using local libraries. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating system-wide sweep for browser data, cryptocurrency wallets, Discord credentials and Automated Collection (T1119) with moderate to high confidence (80%), supported by evidence indicating malware conducted automated data collection from browsers and wallets. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), supported by evidence indicating stolen data transmitted to attackers via command-and-control server and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate to high confidence (70%), supported by evidence indicating stolen data compressed into ZIP and sent via file-sharing services. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with moderate confidence (50%), supported by evidence indicating potential misuse of compromised systems for further attacks. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.