Description
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)
Adversaries may inject content to victim systems in various ways, including:
- From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
- From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)
Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
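The "from the side" case above leaves a detectable artifact: the client receives two different responses to one request, the injected one (which usually wins the race) and the legitimate server's. The following detector is an added example written for this page, not code from MITRE or any project; it runs over constructed sample events (documentation-range addresses, made-up transaction IDs and URLs) and flags any request that received differing responses within a short window, while ignoring identical retransmits. It generalizes the DNS case in the text to HTTP responses keyed by client port and URL, since the same racing pattern applies to both.

```python
from collections import defaultdict

# Constructed sample of response-side events (not real captured traffic).
# "req" identifies the request the response claims to answer:
#   DNS  -> (transaction id, queried name)
#   HTTP -> (client source port, requested URL)
# "payload" is a short summary of the response content.
SAMPLE_RESPONSES = [
    # Forged DNS answer arrives first and wins the race; the real one follows.
    {"proto": "dns", "req": ("0x1a2b", "updates.example.test"), "ts": 0.000,
     "payload": "A 192.0.2.99"},
    {"proto": "dns", "req": ("0x1a2b", "updates.example.test"), "ts": 0.004,
     "payload": "A 198.51.100.10"},
    # Ordinary single response.
    {"proto": "dns", "req": ("0x3c4d", "www.example.test"), "ts": 0.010,
     "payload": "A 198.51.100.20"},
    # Benign retransmit: two copies, identical content, must not alert.
    {"proto": "dns", "req": ("0x5e6f", "cdn.example.test"), "ts": 0.250,
     "payload": "A 198.51.100.30"},
    {"proto": "dns", "req": ("0x5e6f", "cdn.example.test"), "ts": 0.255,
     "payload": "A 198.51.100.30"},
    # Injected HTTP redirect races the legitimate 200 for the same request.
    {"proto": "http", "req": (51234, "http://updates.example.test/client.exe"),
     "ts": 1.000, "payload": "302 Location: http://192.0.2.99/x"},
    {"proto": "http", "req": (51234, "http://updates.example.test/client.exe"),
     "ts": 1.003, "payload": "200 application/octet-stream len=1048576"},
]


def find_racing_responses(events, window=2.0):
    """Return one alert per request that received two or more *different*
    responses within `window` seconds of the first one.

    Identical duplicates (retransmissions) are deliberately ignored, so a
    lossy link alone does not raise an alert; only conflicting content does.
    """
    by_request = defaultdict(list)
    for event in events:
        by_request[(event["proto"], event["req"])].append(event)

    alerts = []
    for (proto, req), responses in by_request.items():
        if len(responses) < 2:
            continue
        responses.sort(key=lambda e: e["ts"])
        first_ts = responses[0]["ts"]
        in_window = [e for e in responses if e["ts"] - first_ts <= window]
        distinct_payloads = sorted({e["payload"] for e in in_window})
        if len(distinct_payloads) > 1:
            alerts.append({
                "proto": proto,
                "request": req,
                "payloads": distinct_payloads,
                "first_seen": in_window[0]["payload"],  # the response that won the race
            })
    return alerts


if __name__ == "__main__":
    for alert in find_racing_responses(SAMPLE_RESPONSES):
        print(f"[{alert['proto']}] conflicting responses for {alert['request']}: "
              f"first seen {alert['first_seen']!r}, all {alert['payloads']}")
```

In a real deployment the events would come from a passive sensor on the client side of the link (the only vantage point that sees both the forged and the legitimate response); the `window` should be tuned to the path's round-trip time, since a forged response must arrive close to the real one to be useful to the attacker.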
Platforms
Mitigations (2)
M1021: Restrict Web-Based Content
Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns.
M1041: Encrypt Sensitive Information
Where possible, ensure that online traffic is appropriately encrypted through services such as trusted VPNs.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted vict... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1088 | Disco | Malware | [Disco](https://attack.mitre.org/software/S1088) has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies ... |
References
- Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.
- Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.
- Kaspersky IT Encyclopedia. (n.d.). Man-in-the-middle attack. Retrieved September 1, 2023.
- Starikova, A. (2023, February 14). Man-on-the-side – peculiar attack. Retrieved September 1, 2023.
Frequently Asked Questions
What is T1659 (Content Injection)?
T1659 is a MITRE ATT&CK technique named 'Content Injection'. It belongs to the Initial Access, Command and Control tactic(s). Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hoste...
How can T1659 be detected?
Detection of T1659 (Content Injection) typically involves monitoring network traffic for injected or racing responses (for example, DNS, HTTP, or SMB replies that conflict with the legitimate server's answer), together with system logs and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1659?
There are 2 documented mitigations for T1659. Key mitigations include: Restrict Web-Based Content, Encrypt Sensitive Information.
Which threat groups use T1659?
Known threat groups using T1659 include: MoustachedBouncer.