# Stuxbot Threat Intel Report #### Summary The "Stuxbot" cybercrime collective has initiated a broad phishing campaign, primarily targeting Microsoft Windows users without any specific targeting strategy. Their objective appears to be espionage, aiming for system control and escalation rather than financial gain. * **Platforms in Crosshairs:** Microsoft Windows * **Threatened Entities:** Windows Users * **Potential Impact:** Complete computer takeover / Domain escalation * **Risk Level:** Critical #### Attack Tactics and Techniques Stuxbot utilizes opportunistic phishing for initial access, leveraging breached email databases and publicly available data. The group has a modular Remote Access Tool (RAT) for espionage and maintains persistence with disk-based EXE files. #### Lifecycle Overview 1. **Initial Breach**: Phishing emails with links to OneNote files containing a malicious batch file. 2. **RAT Characteristics**: The modular RAT includes screen capture, Mimikatz, and interactive CMD tools. 3. **Persistence**: EXE files deployed on the disk. 4. **Lateral Movement**: Uses Microsoft-signed PsExec and WinRM for internal propagation. #### Indicators of Compromise (IOCs) **OneNote File**: * `https://transfer.sh/get/kNxU7/invoice.one` * `https://mega.io/dl9o1Dz/invoice.one` **Staging Entity (PowerShell Script)**: * `https://pastebin.com/raw/AvHtdKb2` * `https://pastebin.com/raw/gj58DKz` **C\&C Nodes**: * `91.90.213.14:443` * `103.248.70.64:443` * `141.98.6.59:443` **SHA256 Hashes**: * `226A723FFB4A91D9950A8B266167C5B354AB0DB1DC225578494917FE53867EF2` * `C346077DAD0342592DB753FE2AB36D2F9F1C76E55CF8556FE5CDA92897E99C7E` * `018D37CBD3878258C29DB3BC3F2988B6AE688843801B9ABC28E6151141AB66D4` #### Hunting For Stuxbot With The Elastic Stack The hunt for Stuxbot utilizes the Elastic Stack, with logs from multiple sources, including Windows, Sysmon, PowerShell, and Zeek. #### Available Data * **Windows audit logs** under `windows*` * **Sysmon logs** under `windows*` * **PowerShell logs** under `windows*` * **Zeek logs** under `zeek*` Our search covers logs dating back to March 2023, containing approximately 118,975 entries in Windows logs and 332,261 in Zeek logs. #### Environment Overview The company setup includes around 200 employees with primary use of Office applications, Gmail for email, and Microsoft Edge for browsing. TeamViewer is used for remote support, and Active Directory manages devices. #### Hunting Activities 1. **Invoice File Download Detection** * Query: `event.code:15 AND file.name:*invoice.one` * Result: Identified "invoice.one" file download by user Bob on 26th March 2023 at 22:05:47. 2. **File Execution Detection** * Query: `event.code:11 AND file.name:invoice.one*` * Hostname: `WS001` with IP `192.168.28.130`. * Further checks reveal `cmd.exe` initiated the execution of "invoice.bat" and PowerShell from Pastebin. 3. **Network Activity Review** * Query: `source.ip:192.168.28.130 AND dns.question.name:*` * Findings: File download from `file.io` verified with DNS and IP matches. 4. **Command Execution Tracing** * OneNote accessed "invoice.one" file and initiated `cmd.exe`. * PowerShell script download from Pastebin was detected with suspicious arguments. 5. **Persistence Mechanism Check** * Query: `process.name:"default.exe"` * Findings: "default.exe" initiated DNS resolutions and network connections consistent with C2 behavior. 6. **Further Lateral Movement Detection** * "SharpHound.exe" used for Active Directory reconnaissance on both `WS001` and `PKI`. * `svc-sql1` account credentials likely compromised. #### Conclusion and Next Steps Stuxbot’s activities have been mapped through multiple stages from initial access to lateral movement and persistence. The compromised `svc-sql1` account suggests critical exposure within the organization. Immediate steps for containment and further analysis are recommended to mitigate ongoing risks.