AuTo Stealer
AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.[1] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[1] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
AuTo Stealer can use |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
AuTo Stealer can use HTTP to communicate with its C2 servers.[1] |
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
AuTo Stealer can store collected data from an infected host to a file named |
| Enterprise | T1082 | 系统信息发现 |
AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
AuTo Stealer has the ability to collect the username from an infected host.[1] |
|
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
AuTo Stealer has the ability to collect information about installed AV products from an infected host.[1] |
| Enterprise | T1041 | 通过C2信道渗出 |
AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[1] |
|
| Enterprise | T1095 | 非应用层协议 |
AuTo Stealer can use TCP to communicate with command and control servers.[1] |
|