Telsy Threat Intelligence team identified a possible Grunt Covenant multi-stage attack aimed at a major telecommunications company in Iran.
In this article, we will look at the different steps the attacker took in order to distribute a Grunt Covenant to his victims.
Telsy does not have much information on the exact intention of this attack, in fact there are no elements to attribute it to a specific cyber espionage operation and a specific threat actor or a simple Red Team operation.
Covenant is a C#-based command and control framework that allows an attacker to create payloads based on several infection vectors.
The Covenant framework has its own post-exploitation set of implants called Grunts. Grunts provide infrastructure for building communications with C2 servers. The tasks are sent to the infected system in a format of obfuscated C# assemblies which get loaded and executed by Grunts
The attack started by sending an email with the following subject “The License Resource Overs the Threshold on TA_eSight” and with an attachment named “TA_eSight.docx”. The subject of the email seems to simulate a possible problem with the license of the eSight platform.
eSight is Huawei's unified software suite for planning, operating, and maintaining complex enterprise ICT infrastructure — from global, converged networks and data centers to multimedia and video communications — that includes the facilities necessary for delivering high-performance, resilient IT services.
The eSight Platform provides a variety of functions, including supports remote monitoring and maintenance of Customer-Premises Equipment (CPE), eNodeBs, and core network devices, helping users rapidly deploy eLTE networks and locate faults at lower costs with higher efficiency and greater stability.
Both the recipient and the sender of the email are two engineers from the PS Core area of the mobile telecom network. In fact, the sender is an “Evolved Packet Core Planning Engineer” of Irancell, a company partly owned by the South African group MTN, and it could be a legitimate account probably compromised.
Opening the attachment will show a blank document while the different stages of the infection are run in the background until the distribution of the Covenant Grunt.
Fill the form below to download the full report
Check other cyber reports on our blog.
This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which allows to analyze and stay updated on adversaries and threats that could impact customers’ business.