
S0092 Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.[1]

| Item | Value |
|---|---|
| ID | S0092 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | Agent.btz saves system information into an XML file that is then XOR-encoded.[2] |
| enterprise | T1052 | Exfiltration Over Physical Medium | - |
| enterprise | T1052.001 | Exfiltration over USB | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Agent.btz attempts to download an encrypted binary from a specified domain.[2] |
| enterprise | T1091 | Replication Through Removable Media | Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[2] |
| enterprise | T1033 | System Owner/User Discovery | Agent.btz obtains the victim username and saves it to a file.[2] |
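
The T1091 and T1052.001 entries above name two artifacts that can be checked on a mounted removable volume: an autorun.inf that launches a file, and a file named thumb.dd. The following triage check is an added example, not part of the ATT&CK entry or any vendor tool; the function names, the temporary sample volume, and the file name `payload.example` are constructed for illustration.

```python
import os
import re
import tempfile

# Real autorun.inf keys that launch a program when the volume is opened.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section that run a file."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if EXEC_KEY.match(key):
                found.append((key.lower(), value))
    return found

def scan_volume(root):
    """Check the root of a mounted removable volume for the two artifacts."""
    names = {n.lower(): n for n in os.listdir(root)}
    findings = {"thumb_dd": "thumb.dd" in names, "autorun": []}
    if "autorun.inf" in names:
        path = os.path.join(root, names["autorun.inf"])
        # latin-1 never fails to decode, so odd bytes cannot abort the scan.
        with open(path, "r", encoding="latin-1") as fh:
            findings["autorun"] = autorun_commands(fh.read())
    return findings

def demo():
    """Build a constructed sample volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            # Constructed sample; payload.example is a placeholder name.
            fh.write("[AutoRun]\n; comment\nopen=payload.example\nicon=x.ico\n")
        open(os.path.join(root, "thumb.dd"), "wb").close()
        return scan_volume(root)

if __name__ == "__main__":
    print(demo())
```

An autorun.inf with a launch entry also appears on legitimate installer media, so a hit is a reason to triage the volume rather than a verdict.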

References