Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)
ID: S0438
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 06 May 2020
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Attor has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Attor encrypts collected data with a custom implementation of Blowfish and RSA ciphers.(Citation: ESET Attor Oct 2019)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Attor's dispatcher can establish persistence via adding a Registry key with a logon script HKEY_CURRENT_USER\Environment "UserInitMprLogonScript" .(Citation: ESET Attor Oct 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Attor's dispatcher can establish persistence by registering a new service.(Citation: ESET Attor Oct 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

Attor has staged collected data in a central upload directory prior to exfiltration.(Citation: ESET Attor Oct 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)

.002 Encrypted Channel: Asymmetric Cryptography

Attor's Blowfish key is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.(Citation: ESET Attor Oct 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

Attor’s plugin deletes the collected files and log files after exfiltration.(Citation: ESET Attor Oct 2019)

.006 Indicator Removal: Timestomp

Attor has manipulated the time of last access to files and registry keys after they have been created or modified.(Citation: ESET Attor Oct 2019)

Enterprise T1056 .001 Input Capture: Keylogging

One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.(Citation: ESET Attor Oct 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).(Citation: ESET Attor Oct 2019)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.(Citation: ESET Attor Oct 2019)

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.(Citation: ESET Attor Oct 2019)

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Attor has used Tor for C2 communication.(Citation: ESET Attor Oct 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon.(Citation: ESET Attor Oct 2019)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Attor's installer plugin can schedule rundll32.exe to load the dispatcher.(Citation: ESET Attor Oct 2019)

Enterprise T1569 .002 System Services: Service Execution

Attor's dispatcher can be executed as a service.(Citation: ESET Attor Oct 2019)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.(Citation: ESET Attor Oct 2019)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.