Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
Name | Description |
---|---|
TA453 | |
COBALT ILLUSION | |
Charming Kitten | |
ITG18 | |
Phosphorus | |
Newscaster |
Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[14][1] |
APT35 |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1098 | .002 | Account Manipulation: Exchange Email Delegate Permissions |
Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.[1] |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.[3] |
Enterprise | T1071 | Application Layer Protocol |
Magic Hound malware has used IRC for C2.[14] |
|
.001 | Web Protocols |
Magic Hound malware has used HTTP for C2.[14] |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Magic Hound has used RAR to stage and compress local folders.[1] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Magic Hound malware has used Registry Run keys to establish persistence.[14] |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Magic Hound has used PowerShell for execution and privilege escalation.[14][1] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Magic Hound has used the command-line interface.[14] |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Magic Hound malware has used VBS scripts for execution.[14] |
||
Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.[10] |
Enterprise | T1584 | .001 | Compromise Infrastructure: Domains |
Magic Hound has used compromised domains to host links targeted to specific phishing victims.[2][5] |
Enterprise | T1114 | Email Collection |
Magic Hound has compromised email credentials in order to steal sensitive data.[3] |
|
.001 | Local Email Collection |
Magic Hound has collected .PST archives.[1] |
||
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.[2] |
.002 | Establish Accounts: Email Accounts |
Magic Hound has established email accounts using fake personas for spearphishing operations.[10][6] |
||
Enterprise | T1083 | File and Directory Discovery |
Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.[14] |
|
Enterprise | T1589 | Gather Victim Identity Information |
Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.[5] |
|
.001 | Credentials |
Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites.[10] |
||
.002 | Email Addresses |
Magic Hound has acquired the personal email addresses of some individuals they intend to target.[5] |
||
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[14] |
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Magic Hound has deleted and overwrote files to cover tracks.[14][1] |
Enterprise | T1105 | Ingress Tool Transfer |
Magic Hound has downloaded additional code and files from servers onto victims.[14] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
Magic Hound malware is capable of keylogging.[14] |
Enterprise | T1571 | Non-Standard Port |
Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP.[14] |
|
Enterprise | T1027 | Obfuscated Files or Information |
Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.[14] |
|
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Magic Hound has obtained and used open-source penetration testing tools like Havij, sqlmap, Metasploit, and Mimikatz.[15][1] |
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz.[1] |
Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy.[16][2] |
.003 | Phishing: Spearphishing via Service |
Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[17][11][2] |
||
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
Magic Hound has used SMS and email messages with links designed to steal credentials.[3][2][6][5] |
Enterprise | T1057 | Process Discovery |
Magic Hound malware can list running processes.[14] |
|
Enterprise | T1113 | Screen Capture |
Magic Hound malware can take a screenshot and upload the file to its C2 server.[14] |
|
Enterprise | T1082 | System Information Discovery |
Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[14] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[14] |
|
Enterprise | T1033 | System Owner/User Discovery |
Magic Hound malware has obtained the victim username and sent it to the C2 server.[14] |
|
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[2] |
.002 | User Execution: Malicious File |
Magic Hound has attempted to lure victims into opening malicious email attachments.[2] |
||
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[14] |