SharpStage
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.(Citation: Cybereason Molerats Dec 2020)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SharpStage can execute arbitrary commands with PowerShell.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SharpStage can execute arbitrary commands with the command line.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SharpStage has a persistence component to write a scheduled task for the payload.(Citation: Cybereason Molerats Dec 2020)
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed.(Citation: BleepingComputer Molerats Dec 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0021 | Molerats | (Citation: Cybereason Molerats Dec 2020)
References
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.