Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution

Mohammed Rauf Ali Khan; Ahmad Almulhem

doi:10.1109/ISDFS65363.2025.11012042

Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution

Mohammed Rauf Ali Khan
, Ahmad Almulhem

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Various advanced persistent threat (APT) groups are emerging with different tactics, techniques, and procedures (TTPs) for targeting enterprises and organizations. Traditional methods that use either static or dynamic analysis might struggle to detect polymorphic and packed zero-day attacks. In this paper, we propose an approach that allows mal ware analysts to consider all aspects of an attack, including not just sample analysis but also a view into TTP-based attack vectors. By correlating observed TTPs with known threat intelligence, our approach facilitates attack attribution, helping analysts identify the threat actor behind an attack campaign. We applied our approach to a recent APT attack by the Black Basta group on Keytronics, which utilized unique delivery mechanisms for initial access. This paper then describes the entire attack vector, explaining how email bombing was used to deliver payloads like SystemBC and Black Basta ransomware. We also list the indicators of compromise, command and control traffic, persistence mechanisms, detection rules, and other unique identifiers from this attack campaign. By integrating sample-based analysis with TTP-based attack vector examination, our approach enhances existing attribution methods, providing a more comprehensive perspective on APT attack strategies.

Original language	English
Title of host publication	ISDFS 2025 - 13th International Symposium on Digital Forensics and Security
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798331509934
DOIs	https://doi.org/10.1109/ISDFS65363.2025.11012042
State	Published - 2025
Event	13th International Symposium on Digital Forensics and Security, ISDFS 2025 - Boston, United States Duration: 24 Apr 2025 → 25 Apr 2025

Publication series

Name	ISDFS 2025 - 13th International Symposium on Digital Forensics and Security

Conference

Conference	13th International Symposium on Digital Forensics and Security, ISDFS 2025
Country/Territory	United States
City	Boston
Period	24/04/25 → 25/04/25

Bibliographical note

Publisher Copyright:
© 2025 IEEE.

Keywords

APT
Attack Attribution
Black Basta
Phishing
Ran-somware
Social Engineering

ASJC Scopus subject areas

Computer Networks and Communications
Computer Vision and Pattern Recognition
Information Systems
Information Systems and Management
Safety, Risk, Reliability and Quality
Law
Artificial Intelligence

Access to Document

10.1109/ISDFS65363.2025.11012042

Cite this

Ali Khan, M. R., & Almulhem, A. (2025). Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution. In ISDFS 2025 - 13th International Symposium on Digital Forensics and Security (ISDFS 2025 - 13th International Symposium on Digital Forensics and Security). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISDFS65363.2025.11012042

@inproceedings{9739229baee544b68deb599e0f1e95eb,

title = "Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution",

abstract = "Various advanced persistent threat (APT) groups are emerging with different tactics, techniques, and procedures (TTPs) for targeting enterprises and organizations. Traditional methods that use either static or dynamic analysis might struggle to detect polymorphic and packed zero-day attacks. In this paper, we propose an approach that allows mal ware analysts to consider all aspects of an attack, including not just sample analysis but also a view into TTP-based attack vectors. By correlating observed TTPs with known threat intelligence, our approach facilitates attack attribution, helping analysts identify the threat actor behind an attack campaign. We applied our approach to a recent APT attack by the Black Basta group on Keytronics, which utilized unique delivery mechanisms for initial access. This paper then describes the entire attack vector, explaining how email bombing was used to deliver payloads like SystemBC and Black Basta ransomware. We also list the indicators of compromise, command and control traffic, persistence mechanisms, detection rules, and other unique identifiers from this attack campaign. By integrating sample-based analysis with TTP-based attack vector examination, our approach enhances existing attribution methods, providing a more comprehensive perspective on APT attack strategies.",

keywords = "APT, Attack Attribution, Black Basta, Phishing, Ran-somware, Social Engineering",

author = "\{Ali Khan\}, \{Mohammed Rauf\} and Ahmad Almulhem",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 13th International Symposium on Digital Forensics and Security, ISDFS 2025 ; Conference date: 24-04-2025 Through 25-04-2025",

year = "2025",

doi = "10.1109/ISDFS65363.2025.11012042",

language = "English",

series = "ISDFS 2025 - 13th International Symposium on Digital Forensics and Security",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "ISDFS 2025 - 13th International Symposium on Digital Forensics and Security",

address = "United States",

}

Ali Khan, MR & Almulhem, A 2025, Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution. in ISDFS 2025 - 13th International Symposium on Digital Forensics and Security. ISDFS 2025 - 13th International Symposium on Digital Forensics and Security, Institute of Electrical and Electronics Engineers Inc., 13th International Symposium on Digital Forensics and Security, ISDFS 2025, Boston, United States, 24/04/25. https://doi.org/10.1109/ISDFS65363.2025.11012042

Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution. / Ali Khan, Mohammed Rauf; Almulhem, Ahmad.
ISDFS 2025 - 13th International Symposium on Digital Forensics and Security. Institute of Electrical and Electronics Engineers Inc., 2025. (ISDFS 2025 - 13th International Symposium on Digital Forensics and Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution

AU - Ali Khan, Mohammed Rauf

AU - Almulhem, Ahmad

PY - 2025

Y1 - 2025

N2 - Various advanced persistent threat (APT) groups are emerging with different tactics, techniques, and procedures (TTPs) for targeting enterprises and organizations. Traditional methods that use either static or dynamic analysis might struggle to detect polymorphic and packed zero-day attacks. In this paper, we propose an approach that allows mal ware analysts to consider all aspects of an attack, including not just sample analysis but also a view into TTP-based attack vectors. By correlating observed TTPs with known threat intelligence, our approach facilitates attack attribution, helping analysts identify the threat actor behind an attack campaign. We applied our approach to a recent APT attack by the Black Basta group on Keytronics, which utilized unique delivery mechanisms for initial access. This paper then describes the entire attack vector, explaining how email bombing was used to deliver payloads like SystemBC and Black Basta ransomware. We also list the indicators of compromise, command and control traffic, persistence mechanisms, detection rules, and other unique identifiers from this attack campaign. By integrating sample-based analysis with TTP-based attack vector examination, our approach enhances existing attribution methods, providing a more comprehensive perspective on APT attack strategies.

AB - Various advanced persistent threat (APT) groups are emerging with different tactics, techniques, and procedures (TTPs) for targeting enterprises and organizations. Traditional methods that use either static or dynamic analysis might struggle to detect polymorphic and packed zero-day attacks. In this paper, we propose an approach that allows mal ware analysts to consider all aspects of an attack, including not just sample analysis but also a view into TTP-based attack vectors. By correlating observed TTPs with known threat intelligence, our approach facilitates attack attribution, helping analysts identify the threat actor behind an attack campaign. We applied our approach to a recent APT attack by the Black Basta group on Keytronics, which utilized unique delivery mechanisms for initial access. This paper then describes the entire attack vector, explaining how email bombing was used to deliver payloads like SystemBC and Black Basta ransomware. We also list the indicators of compromise, command and control traffic, persistence mechanisms, detection rules, and other unique identifiers from this attack campaign. By integrating sample-based analysis with TTP-based attack vector examination, our approach enhances existing attribution methods, providing a more comprehensive perspective on APT attack strategies.

KW - APT

KW - Attack Attribution

KW - Black Basta

KW - Phishing

KW - Ran-somware

KW - Social Engineering

UR - https://www.scopus.com/pages/publications/105008495885

U2 - 10.1109/ISDFS65363.2025.11012042

DO - 10.1109/ISDFS65363.2025.11012042

M3 - Conference contribution

AN - SCOPUS:105008495885

T3 - ISDFS 2025 - 13th International Symposium on Digital Forensics and Security

BT - ISDFS 2025 - 13th International Symposium on Digital Forensics and Security

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 13th International Symposium on Digital Forensics and Security, ISDFS 2025

Y2 - 24 April 2025 through 25 April 2025

ER -

Ali Khan MR, Almulhem A. Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution. In ISDFS 2025 - 13th International Symposium on Digital Forensics and Security. Institute of Electrical and Electronics Engineers Inc. 2025. (ISDFS 2025 - 13th International Symposium on Digital Forensics and Security). doi: 10.1109/ISDFS65363.2025.11012042

Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this