SideCopy
Associated Group Descriptions

Name | Description
---|---
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | SideCopy has sent Microsoft Office Publisher documents to victims with embedded malicious macros that execute an .hta file by calling `mshta.exe`.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1584.001 | Compromise Infrastructure: Domains | SideCopy has compromised domains for some of its infrastructure, including for C2 and for staging malware.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | SideCopy has used a malicious loader DLL to launch the legitimate `credwiz.exe` process, which then side-loads the malicious payload `Duser.dll`.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SideCopy has used a legitimate DLL file name, `Duser.dll`, to disguise a malicious remote access tool.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | SideCopy has sent spearphishing emails with malicious .hta file attachments.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | SideCopy has crafted generic lures for spam campaigns to collect email addresses and credentials for later targeting.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | SideCopy has used a loader DLL to collect the names of AV products installed on an infected host.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | SideCopy has used compromised domains to host its malicious payloads.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | SideCopy has used `mshta.exe` to execute a malicious .hta file.(Citation: MalwareBytes SideCopy Dec 2021)
Enterprise | T1204.002 | User Execution: Malicious File | SideCopy has attempted to lure victims into opening malicious embedded archive files sent via spearphishing campaigns.(Citation: MalwareBytes SideCopy Dec 2021)
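Two of the behaviours in the table above are cheap to hunt for in process-creation and image-load telemetry: `mshta.exe` being spawned by an Office application (or run against an .hta in a user-writable directory), and `credwiz.exe` loading a `Duser.dll` from somewhere other than the Windows system directories. The following is an added detection sketch, not code from MITRE ATT&CK or from the cited MalwareBytes report. It assumes Sysmon-style events (EventID 1 for process create, EventID 7 for image load) delivered as JSON lines, that the legitimate `credwiz.exe` and `duser.dll` live under `System32`/`SysWOW64`, and a hypothetical list of Office parent processes; the sample events are constructed, not real telemetry.

```python
"""Detection sketch for two SideCopy tradecraft items: mshta.exe running an .hta
(T1218.005 / T1059.005) and credwiz.exe side-loading Duser.dll (T1574.002).
Added example; event format and sample data are constructed for illustration."""
import json
import ntpath
from typing import Dict, List, Tuple

# Assumption: Office hosts that SideCopy's macro documents would be opened in.
OFFICE_PARENTS = {"mspub.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: where the genuine credwiz.exe / duser.dll are installed.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path fragments that indicate a user-writable staging location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample events (JSON lines, Sysmon-like field names). Not real logs.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.EXE", "CommandLine": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invite.hta"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe C:\\Users\\bob\\Downloads\\report.hta"}',
    r'{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\credwiz.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Duser.dll"}',
    r'{"EventID": 7, "Image": "C:\\Windows\\System32\\credwiz.exe", "ImageLoaded": "C:\\Windows\\System32\\duser.dll"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}',
]

Finding = Tuple[str, str]  # (ATT&CK technique ID, human-readable reason)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path."""
    return ntpath.dirname(path).lower()


def detect_mshta_hta(ev: Dict) -> List[Finding]:
    """Flag mshta.exe process creation that matches the page's HTA delivery chain."""
    findings: List[Finding] = []
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "mshta.exe":
        return findings
    cmd = ev.get("CommandLine", "").lower()
    if ".hta" not in cmd:
        return findings
    parent = _base(ev.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        # Macro-driven launch: Office document calling mshta.exe.
        findings.append(("T1059.005", f"mshta.exe spawned by Office process {parent} with an .hta argument"))
    if any(hint in cmd for hint in USER_WRITABLE_HINTS):
        # HTA dropped or downloaded into a user-writable location.
        findings.append(("T1218.005", "mshta.exe executing an .hta from a user-writable path"))
    return findings


def detect_credwiz_sideload(ev: Dict) -> List[Finding]:
    """Flag credwiz.exe loading Duser.dll (or itself running) outside the system dirs."""
    findings: List[Finding] = []
    if ev.get("EventID") != 7 or _base(ev.get("Image", "")) != "credwiz.exe":
        return findings
    loaded = ev.get("ImageLoaded", "")
    if _base(loaded) != "duser.dll":
        return findings
    if _dir(loaded) not in SYSTEM_DIRS:
        findings.append(("T1574.002", f"credwiz.exe loaded Duser.dll from non-system path {loaded}"))
    if _dir(ev["Image"]) not in SYSTEM_DIRS:
        findings.append(("T1574.002", f"credwiz.exe itself running from non-system path {ev['Image']}"))
    return findings


def scan(lines: List[str]) -> List[Tuple[str, List[Finding]]]:
    """Run both detectors over JSON-line events; return (Image, findings) for hits only."""
    results = []
    for line in lines:
        ev = json.loads(line)
        hits = detect_mshta_hta(ev) + detect_credwiz_sideload(ev)
        if hits:
            results.append((ev.get("Image", ""), hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        for technique, reason in hits:
            print(f"{technique}\t{image}\t{reason}")
```

The benign `credwiz.exe` load from `System32` and the `notepad.exe` event produce no findings, which is the point of checking the directory rather than only the file name: `Duser.dll` is a legitimate name, and matching on it alone would alert on every normal load.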
Software

ID | Name | References | Techniques
---|---|---|---
S1028 | Action RAT | (Citation: MalwareBytes SideCopy Dec 2021) | Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Windows Management Instrumentation, Web Protocols, System Network Configuration Discovery, Obfuscated Files or Information, System Information Discovery, File and Directory Discovery, System Owner/User Discovery, Security Software Discovery, Data from Local System, Windows Command Shell
S1029 | AuTo Stealer | (Citation: MalwareBytes SideCopy Dec 2021) | Local Data Staging, Registry Run Keys / Startup Folder, System Owner/User Discovery, Non-Application Layer Protocol, Windows Command Shell, Exfiltration Over C2 Channel, Web Protocols, Data from Local System, System Information Discovery, Security Software Discovery