
Analysis of MITRE ATT&CK Techniques and Tactics based on NÚKIB Reports for 2023

  • Ondřej Hummel
  • Jan 22
  • 6 min read

Updated: Jan 27



Introduction

This report presents the results of an analysis of the most frequently used MITRE ATT&CK techniques and tactics identified in the monthly reports of the National Cyber and Information Security Agency (NÚKIB) for the year 2023. The analysis covers the period from January 2023 to December 2023 and examines the specific techniques, malware, and ransomware mentioned in these reports.


In this report, you will find:

1. Methodology used for data collection, subsequent analysis, and reporting

2. Overview of malware and ransomware reported by NÚKIB

3. Most frequent MITRE techniques

4. Detailed overview of sub-techniques

5. TTP of the month according to NÚKIB

6. Conclusion

7. References used





1. Methodology

  1. Data collection: I conducted an analysis of NÚKIB's monthly reports for 2023, which are available on the official NÚKIB website [1].

  2. Threat identification: I extracted all mentions of specific techniques, malware, and ransomware from the reports.

  3. Technique analysis: For each identified threat, I conducted a detailed analysis of the techniques used. I utilized both the MITRE ATT&CK framework, which provides a standardized language for describing attackers' tactics and techniques, and other freely available OSINT sources that analyzed the individual threats, such as IC3, CISA, BlackBerry, and others.

  4. Quantification: Based on the frequency of occurrence, I created a list of the most common techniques.
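The quantification step can be reproduced with a short script. The following is an added example, not the author's own tooling: it takes a mapping of threat name to observed ATT&CK technique and sub-technique IDs, rolls sub-techniques up to their parent technique, counts each threat once per technique, and expresses the count as a share of the analyzed threats (the same arithmetic that turns 14 of 17 threats into 82.4%). SAMPLE_THREATS and its threat names are a constructed toy dataset, not the real 2023 mapping; a bare parent ID such as "T1027" stands in for the report's "Unidentified sub-technique" rows. The per-threat counting rule for sub-techniques is an assumption, since the report does not state how it handled a threat using two sub-techniques of the same parent.

```python
"""Tally MITRE ATT&CK technique frequency across a set of analyzed threats.

Added example for the methodology's quantification step; it is not the
author's own tooling. SAMPLE_THREATS is a constructed toy dataset, not the
real 2023 mapping of 17 threats.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: threat name -> ATT&CK technique / sub-technique IDs
# observed for it. A bare parent ID such as "T1027" (no ".NNN" suffix)
# models the report's "Unidentified sub-technique" rows.
SAMPLE_THREATS: Dict[str, List[str]] = {
    "Sample-RAT-A": ["T1027.002", "T1059.001", "T1071.001", "T1566.001"],
    "Sample-RAT-B": ["T1027", "T1059.003", "T1071.001", "T1547.001"],
    "Sample-Ransom-A": ["T1486", "T1490", "T1059.003", "T1562.001", "T1027"],
    "Sample-Ransom-B": ["T1486", "T1490", "T1562.009", "T1036.005"],
}


def parent_technique(tid: str) -> str:
    """Map a sub-technique ID to its parent technique (T1027.002 -> T1027)."""
    return tid.split(".", 1)[0]


def share(count: int, total: int) -> float:
    """Percentage of analyzed threats, rounded as in the report (14/17 -> 82.4)."""
    return round(100.0 * count / total, 1)


def tally_techniques(threats: Dict[str, Iterable[str]]) -> Counter:
    """Count, per parent technique, how many threats use it.

    A threat is counted once per parent technique even if it uses several
    sub-techniques of that parent, so no technique can exceed the number
    of analyzed threats (the denominator of the report's percentages).
    """
    counts: Counter = Counter()
    for tids in threats.values():
        counts.update({parent_technique(t) for t in tids})
    return counts


def tally_subtechniques(threats: Dict[str, Iterable[str]], parent: str) -> Counter:
    """Count sub-techniques of one parent; suffix-less IDs become 'Unidentified sub-technique'.

    Assumption (not stated in the report): each threat contributes at most one
    count per distinct sub-technique row.
    """
    counts: Counter = Counter()
    for tids in threats.values():
        rows = set()
        for t in tids:
            if parent_technique(t) != parent:
                continue
            rows.add(t if "." in t else "Unidentified sub-technique")
        counts.update(rows)
    return counts


def rank_with_share(counts: Counter, total: int, top_n: int = 10) -> List[Tuple[str, int, float]]:
    """Top-N techniques as (ID, count, percent); ties are broken by technique ID."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return [(tid, n, share(n, total)) for tid, n in ranked]


if __name__ == "__main__":
    total = len(SAMPLE_THREATS)
    for tid, n, pct in rank_with_share(tally_techniques(SAMPLE_THREATS), total):
        print(f"{tid}: {n} of {total} threats ({pct}%)")
    for row, n in tally_subtechniques(SAMPLE_THREATS, "T1059").most_common():
        print(f"  {row}: {n}")
```

Because a threat is counted once per parent technique, the percentages are shares of threats rather than of raw mentions, which is what makes the "more than half of all analyzed threats" statement in the conclusion meaningful.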


2. Overview of Malware and Ransomware Reported by NÚKIB

The NÚKIB reports for 2023 mention 17 ransomware and 4 malware:

Ransomware: Play, Dark Power, LockBit 2.0, LockBit 3.0, LokiLocker, MedusaLocker, Monster, Snatch, DarkTrace, Trigonal, BlackBasta, Cryptolocker, Monti, Conti, BIDON, Phobos, Cuba

Malware: Agent Tesla, PlugX, Vjw0rm, QakBot (NÚKIB claims with 55%-75% certainty)

Out of the total number of identified threats, I was able to analyze 13 ransomware and all 4 malware. For the remaining 4 ransomware (LokiLocker, DarkTrace, Cryptolocker, and BIDON), I unfortunately couldn't find enough information to conduct a MITRE analysis.


Detailed Overview of Analyzed Threats

This section provides an overview of the individual threats identified during 2023, with an emphasis on the techniques and tools used by attackers.


Malware

Here is a concise description of the malware identified in the reports.

1. Agent Tesla: This is a remote access trojan (RAT) written in .NET that has been targeting Windows users since 2014. It steals sensitive information, records keystrokes, captures screenshots, and is sold as malware-as-a-service, often spread through phishing emails disguised as legitimate messages.

2. PlugX: An old malware used since at least 2008, originally only by Chinese hacking groups, some of which still use it with digitally signed software to load encrypted payloads. This modular malware is often associated with APT group operations and gives attackers full control over the infected system.

3. QakBot: Qakbot (also known as Qbot or Pinkslipbot) is a modular second-stage malware with backdoor capabilities, originally designed to steal credentials. It was designated by CISA as one of the most dangerous malware threats of 2021. Classified as a banking trojan, worm, and remote access trojan (RAT), Qakbot steals sensitive data, spreads to other systems in the network, and allows remote code execution (RCE), enabling attackers to perform manual attacks to achieve secondary objectives such as scanning the compromised network or deploying ransomware.

4. Vjw0rm: Also known as Vengeance Justice Worm, it is a modular remote access trojan (RAT) written in JavaScript that was released in November 2016 by its author v_B01 as part of the DevPoint Arabic community focused on malware development. It belongs to a series of similar RAT tools with variants in different programming languages, all with the same functionalities.


Ransomware

This section describes the significant ransomware families mentioned in NÚKIB reports during 2023.

1. Play: Also known as PlayCrypt, Play is ransomware that encrypts data and demands a ransom for its decryption. After encrypting files, it adds the ".PLAY" extension and creates a text file on the desktop named "ReadMe.txt", which contains instructions for paying the ransom.

2. LockBit (2.0 and 3.0): LockBit is ransomware that gains access to systems through vulnerabilities and insider access, then steals and encrypts data. It then demands a ransom for decryption and promises not to publish the data, but even after the ransom is paid, it doesn't delete the data.

3. BlackBasta: A new ransomware discovered in April 2022, likely emerged as a rebrand of a previous top-tier ransomware group. Due to its ability to quickly acquire new victims and a specific negotiation style, it appears to be a continuation of a previous operation that also brought its affiliate partners.

4. Conti: This is a highly dangerous ransomware that spreads quickly and encrypts data. It was first recorded in 2020 and is presumed to be led by the Russian cybercriminal group Wizard Spider. In May 2022, the US government announced a reward of up to $10 million for information leading to the capture of this group.

5. Cuba: Windows-based ransomware that has been used against financial institutions, technology and logistics organizations in North and South America and Europe since at least December 2019.

Other identified ransomware included Dark Power, MedusaLocker, Monster, Snatch, Trigonal, Monti, Phobos, and others.


3. MITRE ATT&CK Top 10 Techniques Summary

This section summarizes the ten most frequently used MITRE ATT&CK techniques identified during 2023 based on threat analysis.


Overview list of top 10 techniques

This section lists the ten most common techniques used by attackers that were identified in the analyzed threats.

1. T1027 Defense Evasion -> Obfuscated Files or Information (14)

2. T1059 Execution -> Command and Scripting Interpreter (14)

3. T1486 Impact -> Data Encrypted for Impact (12)

4. T1071 Command and Control -> Application Layer Protocol (10)

5. T1562 Defense Evasion -> Impair Defenses (9)

6. T1547 Persistence, Privilege Escalation -> Boot or Logon Autostart Execution (9)

7. T1036 Defense Evasion -> Masquerading (9)

8. T1566 Initial Access -> Phishing (8)

9. T1490 Impact -> Inhibit System Recovery (8)

10. T1057 Discovery -> Process Discovery (7)



4. Detailed List of Techniques and Sub-techniques

This section provides a detailed overview of individual techniques and their sub-techniques.

  1. T1027 Obfuscated Files or Information (14)

    • T1027.001 Binary Padding (2)

    • T1027.002 Software Packing (1)

    • T1027.005 Indicator Removal from Tools (1)

    • T1027.006 HTML Smuggling (1)

    • T1027.010 Command Obfuscation (1)

    • T1027.011 Fileless Storage (1)

    • Unidentified sub-technique (7)

  2. T1059 Command and Scripting Interpreter (14)

    • T1059.003 Windows Command Shell (7)

    • T1059.001 PowerShell (4)

    • T1059.005 Visual Basic (1)

    • T1059.007 JavaScript (1)

    • Unidentified sub-technique (1)

  3. T1486 Data Encrypted for Impact (12)

  4. T1071 Application Layer Protocol (10)

    • T1071.001 Web Protocols (4)

    • T1071.002 File Transfer Protocols (3)

    • T1071.003 Mail Protocols (1)

    • T1071.004 DNS (1)

    • Unidentified sub-technique (1)

  5. T1562 Impair Defenses (9)

    • T1562.001 Disable or Modify Tools (6)

    • T1562.009 Safe Mode Boot (3)

  6. T1547 Boot or Logon Autostart Execution (9)

    • T1547.001 Registry Run Keys / Startup Folder (5)

    • Unidentified sub-technique (4)

  7. T1036 Masquerading (9)

    • T1036.005 Match Legitimate Name or Location (3)

    • T1036.004 Masquerade Task or Service (2)

    • T1036.008 Masquerade File Type (1)

    • Unidentified sub-technique (3)

  8. T1566 Phishing (8)

    • T1566.001 Spearphishing Attachment (3)

    • T1566.002 Spearphishing Link (1)

    • Unidentified sub-technique (4)

  9. T1490 Inhibit System Recovery (8)

  10. T1057 Process Discovery (7)


5. TTP of the Month According to NÚKIB

In some monthly reports, NÚKIB also mentions a technique of the month. Here's an overview:

Month       TTP of the Month                       TTP ID
January     External remote services               T1498
February    HTML smuggling                         T1027.006
March       Smishing                               T1566
April       Application Layer Protocol             T1071
May         Exfiltration Over C2 Channel           T1041
June        Exploit Public-Facing Application      T1190
July        Phishing                               T1566
September   Network Denial of Service              T1498
October     Exploitation for Client Execution      T1203
December    External remote services               T1498

Note: From July to December, NÚKIB does not specify MITRE techniques; however, based on the information provided, I have mapped them to the most appropriate MITRE ATT&CK techniques. This assignment was made considering the details provided in the NÚKIB overviews.


NÚKIB Report   Original information in the report regarding technique of the month
July           Threat "Phishing campaigns in the Czech Republic"
September      Threat "DDoS attacks by the NoName057(16) group against Czech entities"
October        "Active exploitation of serious vulnerability in WinRAR"
December       "Active exploitation of vulnerabilities in TeamCity"

6. Conclusion

The analysis revealed that some techniques are used by malicious software significantly more often than others. Specifically, four techniques were identified in more than half of all analyzed threats, suggesting their key role in current cybercrime. These techniques are:

  • T1027 Obfuscated Files or Information (14 cases, 82.4%)

  • T1059 Command and Scripting Interpreter (14 cases, 82.4%)

  • T1486 Data Encrypted for Impact (12 cases, 70.6%)

  • T1071 Application Layer Protocol (10 cases, 58.8%)


The most frequently identified sub-techniques were:

  • T1059.003 Windows Command Shell (7 cases, 41.2%)

  • T1562.001 Disable or Modify Tools (6 cases, 35.3%)

  • T1547.001 Registry Run Keys / Startup Folder (5 cases, 29.4%)


Special attention should be paid to technique T1486 (Data Encrypted for Impact), which was identified in the vast majority of analyzed ransomware. Specifically, 92.3% (12 out of 13 analyzed ransomware) used this technique (after all, it is ransomware).

The statistical results should be read with one limitation in mind: for some ransomware (specifically LokiLocker, DarkTrace, Cryptolocker, and BIDON), it was not possible to perform a detailed evaluation, so they are absent from the counts above.


7. References


8. Information about this report

  • Date of creation: 21.08.2024

  • Prepared by: Ondřej Hummel

  • Reviewed by: Petr Hummel

  • Version: 1.2

