# EvilGrab (S0152)

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]
| Item | Value |
|---|---|
| ID | S0152 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 14 December 2017 |
| Last Modified | 23 March 2023 |

## Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1123 | Audio Capture | EvilGrab has the capability to capture audio from a victim machine. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | EvilGrab has the capability to capture keystrokes. [1] |
| enterprise | T1113 | Screen Capture | EvilGrab has the capability to capture screenshots. [1] |
| enterprise | T1125 | Video Capture | EvilGrab has the capability to capture video from a victim machine. [1] |

## Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0045 | menuPass | [1] |