Severity: medium advisory

GlassWorm Campaign Deploying Wave 3 Windows Payload

The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.

The GlassWorm campaign has been identified deploying a Wave 3 Windows payload. This indicates a continuation of the threat actor’s operations, with an updated payload targeting Windows systems. The delivery mechanism and the exact functionality of the Wave 3 payload are currently unknown. Defenders should be aware of the ongoing GlassWorm activity and implement detections for suspicious Windows executables. Further analysis is required to fully understand the capabilities of the Wave 3 payload and the scope of the campaign.

Attack Chain

  1. Initial Access: The initial access vector is unknown.
  2. Payload Delivery: A Wave 3 Windows payload is delivered to the system.
  3. Execution: The Windows payload is executed.
  4. Persistence: The payload establishes persistence on the system.
  5. Command and Control: The payload connects to a command and control server for instructions.
  6. Data Collection: The payload gathers sensitive data from the system.
  7. Exfiltration: The collected data is exfiltrated to the attacker.

Impact

The successful deployment of the GlassWorm Wave 3 payload could lead to data theft, system compromise, and potential financial loss. The impact depends on the specific objectives of the threat actor and the sensitivity of the data compromised. Because no victimology information is available, the overall scope of the campaign cannot be determined.

Recommendation

  • Monitor process creation events for unknown or unsigned executables, especially those with network connections (reference: process_creation and network_connection log sources).
  • Investigate any alerts related to the execution of potentially malicious Windows executables.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Detection coverage (2 rules)

Detect Unknown Windows Executable Execution

Severity: medium

Detects the execution of unknown or unsigned Windows executables, which could indicate the presence of malware such as the GlassWorm Wave 3 payload.

Rule type: sigma
Tactics: execution
Techniques: T1204.002
Sources: process_creation, windows

Detect Suspicious Network Connection by Unknown Executable

Severity: medium

Detects network connections initiated by executables not typically associated with network activity. This could indicate command and control or data exfiltration.

Rule type: sigma
Tactics: command_and_control
Techniques: T1071.001
Sources: network_connection, windows
