Pteranodon
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Pterodo | (Citation: Symantec Shuckworm January 2022)(Citation: Secureworks IRON TILDEN Profile) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Pteranodon can use HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Pteranodon copies itself to the Startup folder to establish persistence.(Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Pteranodon can use `cmd.exe` for execution on victim systems.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022) |
| .005 | Command and Scripting Interpreter: Visual Basic |
Pteranodon can use a malicious VBS file for execution.(Citation: Symantec Shuckworm January 2022) |
||
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Pteranodon creates various subdirectories under |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.(Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1027 | .007 | Obfuscated Files or Information: Dynamic API Resolution |
Pteranodon can use a dynamic Windows hashing algorithm to map API components.(Citation: Microsoft Actinium February 2022) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Pteranodon schedules tasks to invoke its components in order to establish persistence.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022) |
| Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.(Citation: Symantec Shuckworm January 2022) |
| .011 | System Binary Proxy Execution: Rundll32 |
Pteranodon executes functions using rundll32.exe.(Citation: Palo Alto Gamaredon Feb 2017) |
||
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0047 | Gamaredon Group |
(Citation: Palo Alto Gamaredon Feb 2017) (Citation: Symantec Shuckworm January 2022) (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) (Citation: Secureworks IRON TILDEN Profile) |
References
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.