Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.^[1]

ID: S0438

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: ESET

Version: 1.1

Created: 06 May 2020

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1090	.003	代理: Multi-hop Proxy	Attor has used Tor for C2 communication.^[1]
Enterprise	T1036	.004	伪装: Masquerade Task or Service	Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).^[1]
Enterprise	T1112		修改注册表	Attor's dispatcher can modify the Run registry key.^[1]
Enterprise	T1129		共享模块	Attor's dispatcher can execute additional plugins by loading the respective DLLs.^[1]
Enterprise	T1543	.003	创建或修改系统进程: Windows Service	Attor's dispatcher can establish persistence by registering a new service.^[1]
Enterprise	T1115		剪贴板数据	Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.^[1]
Enterprise	T1573	.001	加密通道: Symmetric Cryptography	Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.^[1]
		.002	加密通道: Asymmetric Cryptography	Attor's Blowfish key is encrypted with a public RSA key.^[1]
Enterprise	T1037	.001	启动或登录初始化脚本: Logon Script (Windows)	Attor's dispatcher can establish persistence via adding a Registry key with a logon script `HKEY_CURRENT_USER\Environment "UserInitMprLogonScript"` .^[1]
Enterprise	T1120		外围设备发现	Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.^[1]
Enterprise	T1113		屏幕捕获	Attor's has a plugin that captures screenshots of the target applications.^[1]
Enterprise	T1071	.002	应用层协议: File Transfer Protocols	Attor has used FTP protocol for C2 communication.^[1]
Enterprise	T1010		应用窗口发现	Attor can obtain application window titles and then determines which windows to perform Screen Capture on.^[1]
Enterprise	T1560	.003	归档收集数据: Archive via Custom Method	Attor encrypts collected data with a custom implementation of Blowfish and RSA ciphers.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	Attor has staged collected data in a central upload directory prior to exfiltration.^[1]
Enterprise	T1083		文件和目录发现	Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.^[1]
Enterprise	T1106		本机API	Attor's dispatcher has used CreateProcessW API for execution.^[1]
Enterprise	T1012		查询注册表	Attor has opened the registry and performed query searches.^[1]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.^[1]
Enterprise	T1070	.004	移除指标: File Deletion	Attor’s plugin deletes the collected files and log files after exfiltration.^[1]
		.006	移除指标: Timestomp	Attor has manipulated the time of last access to files and registry keys after they have been created or modified.^[1]
Enterprise	T1218	.011	系统二进制代理执行: Rundll32	Attor's installer plugin can schedule rundll32.exe to load the dispatcher.^[1]
Enterprise	T1082		系统信息发现	Attor monitors the free disk space on the system.^[1]
Enterprise	T1569	.002	系统服务: Service Execution	Attor's dispatcher can be executed as a service.^[1]
Enterprise	T1119		自动化收集	Attor has automatically collected data about the compromised system.^[1]
Enterprise	T1020		自动化渗出	Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.^[1]
Enterprise	T1497	.001	虚拟化/沙盒规避: System Checks	Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.^[1]
Enterprise	T1105		输入工具传输	Attor can download additional plugins, updates and other files. ^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.^[1]
Enterprise	T1055		进程注入	Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection.^[1]
		.004	Asynchronous Procedure Call	Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.^[1]
Enterprise	T1041		通过C2信道渗出	Attor has exfiltrated data over the C2 channel.^[1]
Enterprise	T1564	.001	隐藏伪装: Hidden Files and Directories	Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.^[1]
Enterprise	T1123		音频捕获	Attor's has a plugin that is capable of recording audio using available input sound devices.^[1]
Enterprise	T1053	.005	预定任务/作业: Scheduled Task	Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon.^[1]

References

Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

Attor

Enterprise Layer

Techniques Used

References