{
  "description": "Enterprise techniques used by CURIUM, ATT&CK group G1012 (v3.0)",
  "name": "CURIUM (G1012)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.001", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) created domains to facilitate strategic website compromise and credential capture activities.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.003", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) created virtual private server instances to facilitate use of malicious domains and other items.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.004", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has created dedicated servers for command and control and exfiltration purposes.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.(Citation: Symantec Tortoiseshell 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.006", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has compromised legitimate websites to enable strategic website compromise attacks.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1189", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has used strategic website compromise to infect victims with malware such as [IMAPLoader](https://attack.mitre.org/software/S1152).(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1585", "showSubtechniques": true},
    {"techniqueID": "T1585.001", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1585.002", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has created dedicated email accounts for use with tools such as [IMAPLoader](https://attack.mitre.org/software/S1152).(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1048", "showSubtechniques": true},
    {"techniqueID": "T1048.002", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has used SMTPS to exfiltrate collected data from victims.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has used IMAP and SMTPS for exfiltration via tools such as [IMAPLoader](https://attack.mitre.org/software/S1152).(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has used phishing with malicious attachments for initial access to victim environments.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.003", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1598", "showSubtechniques": true},
    {"techniqueID": "T1598.003", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) used malicious links to adversary-controlled resources for credential harvesting.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.003", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has been linked to web shells following likely server compromise as an initial access vector into victim networks.(Citation: Symantec Tortoiseshell 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1608", "showSubtechniques": true},
    {"techniqueID": "T1608.004", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) used strategic website compromise to fingerprint then target victims.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) deploys information gathering tools focused on capturing IP configuration, running applications, system information, and network connectivity information.(Citation: Symantec Tortoiseshell 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) deployed mechanisms to check system time information following strategic website compromise attacks.(Citation: PWC Yellow Liderc 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[CURIUM](https://attack.mitre.org/groups/G1012) has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by CURIUM", "color": "#66b1ff"}]
}