build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | build_downer has the ability to add itself to the Registry Run key for persistence.[1] |
| Enterprise | T1106 | Native API | build_downer has the ability to use the |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | build_downer can extract malware from a downloaded JPEG.[1] |
| Enterprise | T1082 | System Information Discovery | build_downer has the ability to send system volume information to C2.[1] |
| Enterprise | T1124 | System Time Discovery | build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | build_downer has the ability to detect if the infected host is running an anti-virus process.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | build_downer has the ability to download files from C2 to the infected host.[1] |
|
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | |