Skip to content

S0339 Micropsia

Micropsia is a remote access tool written in Delphi.12

Item Value
ID S0339
Associated Names
Type MALWARE
Version 1.1
Created 29 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Micropsia uses HTTP and HTTPS for C2 network communications.12
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Micropsia creates a RAR archive based on collected files on the victim’s machine.2
enterprise T1123 Audio Capture Micropsia can perform microphone recording.2
enterprise T1119 Automated Collection Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, *.txt).2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.009 Shortcut Modification Micropsia creates a shortcut to maintain persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Micropsia creates a command-line shell using cmd.exe.2
enterprise T1083 File and Directory Discovery Micropsia can perform a recursive directory listing for all volume drives available on the victim’s machine and can also fetch specific files by their paths.2
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Micropsia creates a new hidden directory to store all components’ outputs in a dedicated sub-folder for each.2
enterprise T1105 Ingress Tool Transfer Micropsia can download and execute an executable from the C2 server.12
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Micropsia has keylogging capabilities.2
enterprise T1027 Obfuscated Files or Information Micropsia obfuscates the configuration with a custom Base64 and XOR.12
enterprise T1113 Screen Capture Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.12
enterprise T1082 System Information Discovery Micropsia gathers the hostname and OS version from the victim’s machine.12
enterprise T1033 System Owner/User Discovery Micropsia collects the username from the victim’s machine.1
enterprise T1047 Windows Management Instrumentation Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.12

References

  1. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. 

  2. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.