PUNCHBUGGY
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| ShellTea | (Citation: Morphisec ShellTea June 2019) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
PUNCHBUGGY can gather user names.(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
PUNCHBUGGY has been observed using a Registry Run key.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
PUNCHBUGGY has used PowerShell scripts.(Citation: Morphisec ShellTea June 2019) |
| .006 | Command and Scripting Interpreter: Python |
PUNCHBUGGY has used python scripts.(Citation: Morphisec ShellTea June 2019) |
||
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
PUNCHBUGGY has saved information to a random temp file before exfil.(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1546 | .009 | Event Triggered Execution: AppCert DLLs |
PUNCHBUGGY can establish using a AppCertDLLs Registry key.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
PUNCHBUGGY can delete files written to disk.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
PUNCHBUGGY can gather AVs registered in the system.(Citation: Morphisec ShellTea June 2019) |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
PUNCHBUGGY can load a DLL using Rundll32.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
References
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.