Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Avenger has the ability to decrypt files downloaded from C2.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Avenger has the ability to use HTTP in communication with C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | Avenger has the ability to browse files in directories such as Program Files and the Desktop.[1] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Avenger can extract backdoor malware from downloaded images.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Avenger has the ability to XOR encrypt files to be sent to C2.[1] |
| Enterprise | T1082 | System Information Discovery | Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Avenger has the ability to identify installed anti-virus products on a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Avenger has the ability to download files from C2 to a compromised host.[1] |
| Enterprise | T1057 | Process Discovery | Avenger has the ability to use Tasklist to identify running processes.[1] |
| Enterprise | T1055 | Process Injection | Avenger has the ability to inject shellcode into svchost.exe.[1] |
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | |