Introduction
DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware. The group uses malicious advertising (malvertising) and phishing to distribute malware and gain initial access to networks. It has been linked to the distribution of payloads such as Batloader and has forged relationships with other threat actors. DEV-0569 has targeted various sectors, including healthcare, communications, manufacturing, and education, in the United States and Brazil.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- SHIPSHAPE
- UNITEDRAKE
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | AccountRestore, Mimikatz, NirSoft Dialupass, NirSoft IEPassView (iepv), NirSoft MailPassView, NirSoft Netpass, NirSoft RouterPassView |
| Defense Evasion | Eraser, GMER, Inno Setup, PowerTool |
| Discovery | AdFind, Advanced IP Scanner, SharpHound, SharpShares, SoftPerfect NetScan |
| Exfiltration | Bublup, Catbox[.]moe, RClone, Temp[.]sh |
| LOLBAS | PsExec, attrib |
| Networking | Chisel, Cloudflared, Ligolo, Ngrok, OpenSSH |
| OffSec | Brute Ratel C4, Cobalt Strike, Rubeus |
| RMM Tools | AnyDesk, Atera, LogMeIn, MeshAgent, MobaXterm |
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.