Mango

Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Mango can retrieve C2 commands sent in HTTP responses. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Mango can receive Base64-encoded commands from C2. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Mango can receive XOR-encrypted commands from C2. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Mango can use TLS to encrypt C2 communications. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Mango contains an unused capability to block endpoint security solutions from loading user-mode code hooks via a DLL in a specified process by using the `UpdateProcThreadAttribute` API to set the `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY` to `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` for an identified process. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Mango contains a series of Base64-encoded substrings. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Mango can create a scheduled task to run every 32 seconds to communicate with C2 and execute received commands. (Citation: ESET OilRig Campaigns Sep 2023)
Enterprise | T1204.002 | User Execution: Malicious File | Mango has been executed through a Microsoft Word document with a malicious macro. (Citation: ESET OilRig Campaigns Sep 2023)