ThreatNeedle
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
ThreatNeedle can be loaded into the Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk`) as a Shortcut file for persistence.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
ThreatNeedle can run in memory and register its payload as a Windows service.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1027 | .011 | Obfuscated Files or Information: Fileless Storage |
ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| .013 | Obfuscated Files or Information: Encrypted/Encoded File |
ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.(Citation: Kaspersky ThreatNeedle Feb 2021) |
||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
ThreatNeedle has been distributed via a malicious Word document within a spearphishing email.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
ThreatNeedle relies on a victim to click on a malicious document for initial execution.(Citation: Kaspersky ThreatNeedle Feb 2021) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group |
(Citation: Kaspersky ThreatNeedle Feb 2021) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.