S0092 Agent.btz
Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. 1
| Item | Value |
|---|---|
| ID | S0092 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | Agent.btz saves system information into an XML file that is then XOR-encoded.2 |
| enterprise | T1052 | Exfiltration Over Physical Medium | - |
| enterprise | T1052.001 | Exfiltration over USB | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.1 |
| enterprise | T1105 | Ingress Tool Transfer | Agent.btz attempts to download an encrypted binary from a specified domain.2 |
| enterprise | T1091 | Replication Through Removable Media | Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.2 |
| enterprise | T1016 | System Network Configuration Discovery | Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.2 |
| enterprise | T1033 | System Owner/User Discovery | Agent.btz obtains the victim username and saves it to a file.2 |