Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]

ID: G0112
Associated Groups: Bahamut
Version: 1.1
Created: 25 June 2020
Last Modified: 26 April 2021

Associated Group Descriptions

Name Description
Bahamut [1]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Windshift has used tools that communicate with C2 over HTTP.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Windshift has created LNK files in the Startup folder to establish persistence.[4]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Windshift has used Visual Basic 6 (VB6) payloads.[4]

Enterprise T1189 Drive-by Compromise

Windshift has used compromised websites to register custom URL schemes on a remote system.[2]

Enterprise T1105 Ingress Tool Transfer

Windshift has used tools to deploy additional payloads to compromised hosts.[4]

Enterprise T1036 Masquerading

Windshift has used icons mimicking MS Office files to mask malicious executables.[2] Windshift has also attempted to hide executables by changing the file extension to ".scr" to mimic Windows screensavers.[4]

.001 Invalid Code Signature

Windshift has used revoked certificates to sign malware.[2][1]

Enterprise T1027 Obfuscated Files or Information

Windshift has used string encoding with floating point calculations.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware.[1]

.002 Phishing: Spearphishing Link

Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[1]

.003 Phishing: Spearphishing via Service

Windshift has used fake personas on social media to engage and target victims.[1]

Enterprise T1057 Process Discovery

Windshift has used malware to enumerate active processes.[4]

Enterprise T1518 Software Discovery

Windshift has used malware to identify installed software.[4]

.001 Security Software Discovery

Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.[4]

Enterprise T1082 System Information Discovery

Windshift has used malware to identify the computer name of a compromised host.[4]

Enterprise T1033 System Owner/User Discovery

Windshift has used malware to identify the username on a compromised host.[4]

Enterprise T1204 .001 User Execution: Malicious Link

Windshift has used links embedded in e-mails to lure victims into executing malicious code.[1]

.002 User Execution: Malicious File

Windshift has used e-mail attachments to lure victims into executing malicious code.[1]

Enterprise T1047 Windows Management Instrumentation

Windshift has used WMI to collect information about target machines.[4]

Mobile T1432 Access Contact List

Windshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.[4]

Mobile T1429 Capture Audio

Windshift has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4]

Mobile T1512 Capture Camera

Windshift has included video recording in the malicious apps deployed as part of Operation BULL.[4]

Mobile T1412 Capture SMS Messages

Windshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4]

Mobile T1533 Data from Local System

Windshift has exfiltrated local account data and calendar information as part of Operation ROCK.[4]

Mobile T1475 Deliver Malicious App via Authorized App Store

Windshift has distributed malicious apps via the Google Play Store and Apple App Store.[4]

Mobile T1476 Deliver Malicious App via Other Means

Windshift has distributed malicious apps via their own websites during Operation BULL.[4]

Mobile T1407 Download New Code at Runtime

Windshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.[4]

Mobile T1523 Evade Analysis Environment

Windshift has deployed anti-analysis capabilities during their Operation BULL campaign.[4]

Mobile T1420 File and Directory Discovery

Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4]

Mobile T1581 Geofencing

Windshift has region-locked their malicious applications during their Operation BULL campaign.[4]

Mobile T1417 Input Capture

Windshift has included keylogging capabilities as part of Operation ROCK.[4]

Mobile T1478 Install Insecure or Malicious Configuration

Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.[4]

Mobile T1430 Location Tracking

Windshift has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4]

Mobile T1406 Obfuscated Files or Information

Windshift has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.[4]

Mobile T1521 Standard Cryptographic Protocol

Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.[4]

Mobile T1426 System Information Discovery

Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[4]

Software

ID Name References Techniques
S0466 WindTail [1][2][3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Command and Scripting Interpreter: Unix Shell, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Masquerading: Invalid Code Signature, Masquerading, Native API, Obfuscated Files or Information, System Time Discovery

References