Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero-day exploits.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071 | Application Layer Protocol | Velvet Ant has used reverse SSH tunnels to communicate to victim devices.[1]
Enterprise | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | Velvet Ant used a modified
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Velvet Ant used a custom tool, VELVETSTING, to parse encoded inbound commands to compromised F5 BIG-IP devices and then execute them via the Unix shell.[1]
Enterprise | T1132 | Data Encoding | Velvet Ant sent commands to compromised F5 BIG-IP devices in an encoded format requiring a passkey before interpretation and execution.[1]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Velvet Ant has used a reverse SSH shell to securely communicate with victim devices.[1]
Enterprise | T1211 | Exploitation for Defense Evasion | Velvet Ant exploited CVE-2024-20399 in Cisco switches to which the threat actor was already able to authenticate, in order to escape the NX-OS command line interface and gain access to the underlying operating system for arbitrary command execution.[2]
Enterprise | T1133 | External Remote Services | Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments.[1]
Enterprise | T1083 | File and Directory Discovery | Velvet Ant has enumerated local files and folders on victim devices.[1]
Enterprise | T1574.001 | Hijack Execution Flow: DLL | Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX.[1]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations.[1]
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Velvet Ant modified system firewall settings during PlugX installation using
Enterprise | T1570 | Lateral Tool Transfer | Velvet Ant transferred files laterally within victim networks through the Impacket toolkit.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Velvet Ant used a malicious DLL,
Enterprise | T1040 | Network Sniffing | Velvet Ant has used a custom tool, "VELVETTAP", to perform packet capture from compromised F5 BIG-IP devices.[1]
Enterprise | T1571 | Non-Standard Port | Velvet Ant has used random high-numbered ports for PlugX listeners on victim devices.[1]
Enterprise | T1055 | Process Injection | Velvet Ant initial execution included launching multiple
Enterprise | T1090.001 | Proxy: Internal Proxy | Velvet Ant has tunneled traffic from victims through an internal, compromised host to proxy communications to command and control nodes.[1]
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Velvet Ant has transferred tools within victim environments using SMB.[1]
Enterprise | T1049 | System Network Connections Discovery | Velvet Ant has enumerated existing network connections on victim devices.[1]
Enterprise | T1569.002 | System Services: Service Execution | Velvet Ant executed and installed PlugX as a Windows service.[1]
Enterprise | T1078.003 | Valid Accounts: Local Accounts | Velvet Ant accessed vulnerable Cisco switch devices using accounts with administrator privileges.[2]
Enterprise | T1047 | Windows Management Instrumentation | Velvet Ant used the