{
  "description": "Enterprise techniques used by Operation Spalax, ATT&CK campaign C0005 (v1.1)",
  "name": "Operation Spalax (C0005)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "19",
    "navigator": "5.3.2"
  },
  "techniques": [
    {
      "techniqueID": "T1583",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1583.001",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors registered hundreds of domains using Duck DNS and DNS Exit.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1059",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1140",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used a variety of packers and droppers to decrypt malicious payloads.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1568",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1027",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1027.002",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1027.003",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1027.013",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used XOR-encrypted payloads.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1588",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1588.001",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors obtained malware, including [Remcos](https://attack.mitre.org/software/S0332), [njRAT](https://attack.mitre.org/software/S0385), and AsyncRAT.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1588.002",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors obtained packers such as CyaX.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1566",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1566.001",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors sent phishing emails that included a PDF document that in some cases led to the download and execution of malware.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1566.002",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors sent phishing emails to victims that contained a malicious link.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1608",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1608.001",
      "comment": "For [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1218",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1218.011",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used `rundll32.exe` to execute malicious installers.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1204",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1204.001",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors relied on a victim to click on a malicious link distributed via phishing emails.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1204.002",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1497",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1102",
      "comment": "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors used OneDrive and MediaFire to host payloads.(Citation: ESET Operation Spalax Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {
      "label": "used by Operation Spalax",
      "color": "#66b1ff"
    }
  ]
}
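The T1027.003 and T1027.013 entries above describe packers that read pixel data out of an image in a PE resource section and rebuild an XOR-encrypted next stage from it. The following is an added example in Python, not code from the ATT&CK layer or from the ESET report it cites, showing the shape of that technique and of the extractor an analyst writes against it. The container layout (a 4-byte little-endian length prefix followed by the payload XOR-ed with a repeating key, stored as raw RGB samples) is a hypothetical one chosen for illustration; the layouts, keys and images used in Operation Spalax are not described on this page. The payload is a constructed stand-in PE header, and the entropy check is the usual heuristic for spotting resource images that carry encrypted data rather than artwork.

```python
"""
Added example (Python), not part of the ATT&CK layer or the ESET report it
cites: a minimal reconstruction of what the T1027.003 / T1027.013 packers
above do (treat an image's pixel samples as a byte stream, pull out an
XOR-encrypted payload and decrypt it), plus an entropy check an analyst can
use to flag resource images that carry such payloads.

Assumed (hypothetical) container layout, chosen only for illustration:
  - pixel data is a flat buffer of 8-bit RGB samples
  - bytes 0..3 of that buffer hold a little-endian payload length
  - the next <length> bytes are the payload XOR-ed with a repeating key
  - whatever remains is padding
"""
import math
import os
import struct
from collections import Counter


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, much lower for flat artwork."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def embed_payload(payload: bytes, key: bytes, width: int, height: int) -> bytes:
    """Packer side: write [length][xor(payload)] into an RGB sample buffer and pad the rest."""
    capacity = width * height * 3
    body = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    if len(body) > capacity:
        raise ValueError("image too small for payload")
    return body + os.urandom(capacity - len(body))


def extract_payload(pixels: bytes, key: bytes) -> bytes:
    """Unpacker side: read the length prefix, bounds-check it, slice and XOR-decrypt."""
    if len(pixels) < 4:
        raise ValueError("pixel buffer too short for a length prefix")
    (length,) = struct.unpack_from("<I", pixels, 0)
    if length > len(pixels) - 4:
        raise ValueError(f"declared length {length} exceeds {len(pixels) - 4} available bytes")
    return xor_bytes(pixels[4:4 + length], key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decrypted blob: 'MZ' magic and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a dropped executable: a DOS header whose e_lfanew points at a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew = 0x40
    return bytes(header) + b"PE\x00\x00" + body


def demo() -> dict:
    """Round-trip a constructed payload through the packer layout and compare entropies."""
    key = b"\x5a\xa5\x3c"                                       # hypothetical repeating key
    payload = build_fake_pe(b"constructed payload body " * 4)
    carrier = embed_payload(payload, key, width=64, height=32)  # 6144 samples
    # Benign control: an 8-colour block pattern of the same size (entropy exactly 3.0 bits).
    pattern = bytes((x // 8) * 32 for y in range(32) for x in range(64) for c in range(3))
    recovered = extract_payload(carrier, key)
    return {
        "recovered_matches": recovered == payload,
        "recovered_is_pe": looks_like_pe(recovered),
        "wrong_key_is_pe": looks_like_pe(extract_payload(carrier, b"\x00")),
        "carrier_entropy": shannon_entropy(carrier),
        "pattern_entropy": shannon_entropy(pattern),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against a real sample the same extractor structure applies once the image has been pulled out of the resource section (for example with `pefile`) and its pixel buffer decoded: the length field, key and offsets are what change per packer family, and the `looks_like_pe` check is how you confirm a guessed key before going further. The entropy comparison is a triage heuristic only; a small payload hidden in a large, busy photograph will not move the whole-image entropy much, so compare per region or against the file's other resources.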