Yes, there are verified malware programs out there for both the Macintosh and for Linux. Equally importantly, if you don't at least run an antivirus program, you run the risk of passing a virus on to your Windows friends (assuming any of them actually talk to you). So I've split the Tango into parts - Windows, Linux, the Macintosh, etc. But you get to all of them by that same "Let's Dance!"

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims' networks.

The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as "intended target." The threat actors in this campaign employed a variety of TTPs, including:

DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section provides a high-level overview of activity within this framework.

Forensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering information posted on company-controlled websites. This is a common tactic for collecting the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page.

Stage 2: Weaponization

Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]///Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user's credential hash to the remote server prior to retrieving the requested file.
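The attached-template trick described above leaves a fingerprint inside the .docx itself: an external `attachedTemplate` relationship whose target is a UNC path or a `file://` URL with a remote host. The following detection script is an added example (not code from the alert or from DHS/FBI) that opens a Word document, reads `word/_rels/settings.xml.rels`, and flags such targets; the relationship type URI is the standard OOXML one, and the sample documents it builds are constructed here for testing.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Standard OOXML relationship type Word uses for the document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Targets that make Word reach out over SMB before the file is even opened:
# a UNC path (\\host\share\...) or a file:// URL that names a host.
# file:///C:/... (no host, local drive) is deliberately not matched.
REMOTE_TEMPLATE = re.compile(r"^(\\\\[^\\]+\\|file://[^/:]+/)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return attached-template targets that point at a remote SMB/UNC location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Word stores the attached-template link in the relationships of settings.xml.
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode") == "External"
                and REMOTE_TEMPLATE.match(target)):
            hits.append(target)
    return hits


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx carrying one external attachedTemplate relationship."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
            f'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed targets: two remote (should be flagged), one local drive (should not).
    for target in ("\\\\203.0.113.5\\share\\Normal.dotm",
                   "file://203.0.113.5/Normal.dotm",
                   "file:///C:/Templates/Normal.dotm"):
        print(target, "->", find_remote_templates(build_sample_docx(target)))
```

Run this over inbound Office attachments at the mail gateway or in a sandbox to surface documents that would trigger an outbound SMB authentication on open; blocking outbound TCP 445 at the perimeter stops the credential hash from leaving even when a document slips through.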