S0147 Pteranodon
Pteranodon is a custom backdoor used by Gamaredon Group.[1]
| Item | Value |
|---|---|
| ID | S0147 |
| Associated Names | Pterodo |
| Type | MALWARE |
| Version | 2.1 |
| Created | 31 May 2017 |
| Last Modified | 23 August 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Pterodo | [3][2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Pteranodon can use HTTP for C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Pteranodon copies itself to the Startup folder to establish persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Pteranodon can use cmd.exe for execution on victim systems.[1][3] |
| enterprise | T1059.005 | Visual Basic | Pteranodon can use a malicious VBS file for execution.[3] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\ to store screenshot JPEG files.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Pteranodon can decrypt encrypted data strings prior to using them.[4] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Pteranodon exfiltrates screenshot files to its C2 server.[1] |
| enterprise | T1083 | File and Directory Discovery | Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Pteranodon can delete files that may interfere with its execution. It can also delete temporary files and itself after the initial script executes.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Pteranodon can download and execute additional files.[1][3][5] |
| enterprise | T1106 | Native API | Pteranodon has used various API calls.[4] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.007 | Dynamic API Resolution | Pteranodon can use a dynamic Windows hashing algorithm to map API components.[4] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Pteranodon schedules tasks to invoke its components in order to establish persistence.[1][3] |
| enterprise | T1113 | Screen Capture | Pteranodon can capture screenshots at a configurable interval.[1][5] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[3] |
| enterprise | T1218.011 | Rundll32 | Pteranodon executes functions using rundll32.exe.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[5] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0047 | Gamaredon Group | [1][3][4][5][2] |
References
- [1] Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- [2] Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
- [3] Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- [4] Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- [5] Unit 42. (2022, February 3). Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.