🇪🇬

Sphinx

APT Group Information theft and espionage ETDA ✓

Also Known As

No alias recorded

Target Countries 8

Countries highlighted in red

United Arab Emirates Germany Egypt Israel Palestine Saudi Arabia Turkey United States

Sectors Targeted

Space Research and Technology 927 Public Administration 92

Details

Origin 🇪🇬 EG

Last Updated 11 May 2024

Malware Families 1

zeus_sphinx

MITRE ATT&CK 28

T1027 - Obfuscated Files or Information T1030 - Data Transfer Size Limits T1036 - Masquerading T1056 - Input Capture T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1070 - Indicator Removal on Host T1078 - Valid Accounts T1083 - File and Directory Discovery T1090 - Proxy T1105 - Ingress Tool Transfer T1106 - Native API T1119 - Automated Collection T1134 - Access Token Manipulation T1134.002 - Create Process with Token T1140 - Deobfuscate/Decode Files or Information T1176 - Browser Extensions T1190 T1210 T1485 - Data Destruction T1486 - Data Encrypted for Impact T1489 - Service Stop T1490 - Inhibit System Recovery T1547 - Boot or Logon Autostart Execution T1560 - Archive Collected Data T1561 - Disk Wipe T1566 - Phishing T1566.001

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 2 entries

Sphinx Qihoo 360

APT-C-15 Qihoo 360

Observed Target Countries 2

Based on ETDA data — countries highlighted in red

Egypt Israel

Description

(Qihoo 360) Operation Sphinx is a cyber-espionage activity in the Middle East. The main victims are political and military organizations in Egypt, Israel and possibly other countries. Sensitive data theft is what the attackers plotted for during the period from June, 2014 to November, 2015 when the activity was in its prime. We encountered some timestamps of the samples to be as early as December, 2011 which suggests the attack might be started much earlier, though further sound proof is needed. The main approach of Sphinx is watering hole attack on social web sites. Until now, we have obtained 314 pieces of sample malicious codes and 7 C2 domains.

Tools Used 4

AnubisSpy Havex RAT njRAT ROCK

Reports & References 2

https://docplayer.net/83717233-Sphinx-apt-c-15-targeted-cyber-attack-in-the-middle-east-table-of-contents.html https://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/

ETDA Profile

Sphinx

Origin

[Unknown]

First Seen 2014

Motivation

Information theft and espionage

View on ETDA APT Groups ↗