WARPWIRE - S1116 (a5818d36-e9b0-46da-842d-b727a5e36ea6)

WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during Cutting Edge to target Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	WARPWIRE - S1116 (a5818d36-e9b0-46da-842d-b727a5e36ea6)	Malware	1
WARPWIRE - S1116 (a5818d36-e9b0-46da-842d-b727a5e36ea6)	Malware	Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	1
WARPWIRE - S1116 (a5818d36-e9b0-46da-842d-b727a5e36ea6)	Malware	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	WARPWIRE - S1116 (a5818d36-e9b0-46da-842d-b727a5e36ea6)	Malware	1
WARPWIRE - S1116 (a5818d36-e9b0-46da-842d-b727a5e36ea6)	Malware	Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e)	Attack Pattern	1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	2
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2