S0280 MirageFox
MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. [1]
| Item | Value |
|---|---|
| ID | S0280 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 22 July 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | MirageFox has the capability to execute commands using cmd.exe. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | MirageFox has a function for decrypting data containing C2 configuration information. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary. [1] |
| enterprise | T1082 | System Information Discovery | MirageFox can collect CPU and architecture information from the victim’s machine. [1] |
| enterprise | T1033 | System Owner/User Discovery | MirageFox can gather the username from the victim’s machine. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0004 | Ke3chang | [1] |