OutSteel

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Saint Bear since at least March 2021.[1]

ID: S1017
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 09 June 2022
Last Modified: 08 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

OutSteel can collect information from a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

OutSteel attempts to download and execute Saint Bot to a hard-coded location whose file name mimics svchost: %TEMP%\svjhost.exe.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

OutSteel has used cmd.exe to scan a compromised host for specific file extensions.[1]

.010 Command and Scripting Interpreter: AutoHotKey & AutoIT

OutSteel was developed using the AutoIT scripting language.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OutSteel has used HTTP for C2 communications.[1]

Enterprise T1083 File and Directory Discovery

OutSteel can search for specific file extensions, including zipped files.[1]

Enterprise T1570 Lateral Tool Transfer

OutSteel can download the Saint Bot malware for follow-on execution.[1]

Enterprise T1204 .001 User Execution: Malicious Link

OutSteel has relied on a user to click a malicious link within a spearphishing email.[1]

.002 User Execution: Malicious File

OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

OutSteel can delete itself following the successful execution of a follow-on payload.[1]

Enterprise T1119 Automated Collection

OutSteel can automatically scan for and collect files with specific extensions.[1]

Enterprise T1020 Automated Exfiltration

OutSteel can automatically upload collected files to its C2 server.[1]

Enterprise T1105 Ingress Tool Transfer

OutSteel can download files from its C2 server.[1]

Enterprise T1057 Process Discovery

OutSteel can identify running processes on a compromised host.[1]

Enterprise T1041 Exfiltration Over C2 Channel

OutSteel can upload files from a compromised host over its C2 channel.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

OutSteel has been distributed as a malicious attachment within a spearphishing email.[1]

.002 Phishing: Spearphishing Link

OutSteel has been distributed through malicious links contained within spearphishing emails.[1]

Groups That Use This Software

ID Name References
G1031 Saint Bear

OutSteel is uniquely associated with Saint Bear as a post-exploitation document collection and exfiltration tool.[1]

References