
S0438 Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets. [1]

Item Value
ID S0438
Associated Names
Type MALWARE
Version 1.0
Created 06 May 2020
Last Modified 07 July 2020

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.002 File Transfer Protocols Attor has used the FTP protocol for C2 communication. [1]
enterprise T1010 Application Window Discovery Attor can obtain application window titles and use them to determine which windows to perform Screen Capture on. [1]
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method Attor encrypts collected data with a custom implementation of the Blowfish and RSA ciphers. [1]
enterprise T1123 Audio Capture Attor has a plugin that can record audio from the available input sound devices. [1]
enterprise T1119 Automated Collection Attor has automatically collected data about the compromised system. [1]
enterprise T1020 Automated Exfiltration Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server. [1]
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.001 Logon Script (Windows) Attor's dispatcher can establish persistence by adding a logon script to the Registry value HKEY_CURRENT_USER\Environment\UserInitMprLogonScript. [1]
enterprise T1115 Clipboard Data Attor has a plugin that collects data stored in the Windows clipboard using the OpenClipboard and GetClipboardData APIs. [1]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Attor's dispatcher can establish persistence by registering a new service. [1]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Attor has staged collected data in a central upload directory prior to exfiltration. [1]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key, which is itself encrypted with a public RSA key. [1]
enterprise T1573.002 Asymmetric Cryptography Attor's Blowfish key is encrypted with a public RSA key. [1]
enterprise T1041 Exfiltration Over C2 Channel Attor has exfiltrated data over the C2 channel. [1]
enterprise T1083 File and Directory Discovery Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores the file information in encrypted log files. [1]
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Attor can set the attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those. [1]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Attor's plugin deletes the collected files and log files after exfiltration. [1]
enterprise T1070.006 Timestomp Attor has manipulated the last-access time of files and registry keys after creating or modifying them. [1]
enterprise T1105 Ingress Tool Transfer Attor can download additional plugins, updates and other files. [1]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging One of Attor's plugins captures keystrokes, including those typed into the window of the process it is injected into, and can collect user credentials this way. [1]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate). [1]
enterprise T1112 Modify Registry Attor's dispatcher can modify the Run registry key. [1]
enterprise T1106 Native API Attor's dispatcher has used the CreateProcessW API for execution. [1]
enterprise T1027 Obfuscated Files or Information Strings in Attor's components are encrypted with an XOR cipher using a hardcoded key. The configuration data, log files and plugins are encrypted using a hybrid scheme of Blowfish-OFB combined with RSA. [1]
enterprise T1120 Peripheral Device Discovery Attor has a plugin that collects information about inserted storage devices, modems, and phone devices. [1]
enterprise T1055 Process Injection Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection. [1]
enterprise T1055.004 Asynchronous Procedure Call Attor performs the injection by queuing its code as an APC with the NtQueueApcThread API. [1]
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy Attor has used Tor for C2 communication. [1]
enterprise T1012 Query Registry Attor has opened the registry and performed query searches. [1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon. [1]
enterprise T1113 Screen Capture Attor has a plugin that captures screenshots of the targeted applications. [1]
enterprise T1129 Shared Modules Attor's dispatcher can execute additional plugins by loading the respective DLLs. [1]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Attor's installer plugin can schedule rundll32.exe to load the dispatcher. [1]
enterprise T1082 System Information Discovery Attor monitors the free disk space on the system. [1]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Attor's dispatcher can be executed as a service. [1]
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Attor can detect whether it is executed in a virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and the use of VM-specific instructions. [1]
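The persistence and execution rows above (T1037.001 logon script, T1112 Run key, T1543.003 service registration, T1218.011 rundll32 loading the dispatcher) each leave a host artifact. The following hunt is an added example for this page, not ESET's analysis tooling or MITRE's code, and runs the corresponding detection logic over Sysmon-style records. It assumes Sysmon Event ID 13 (registry value set) records carry TargetObject and Details, Event ID 1 (process creation) records carry Image and CommandLine, and that a binary or DLL under a user-writable directory (AppData, Temp, ProgramData, Users) is suspicious. The event records embedded below are constructed for illustration, not real captures.

```python
"""Hunt over Sysmon-style telemetry for the persistence/execution artifacts
this page attributes to Attor.  Added example, not ESET's or MITRE's code.
Assumptions: Sysmon Event ID 13 records carry TargetObject/Details, Event ID 1
records carry Image/CommandLine; a binary under a user-writable directory is
suspicious.  SAMPLE_EVENTS is constructed, not real telemetry."""
import re

# Constructed sample events (dicts stand in for parsed Sysmon XML/JSON).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Roaming\upd.cmd"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\disp.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\disp.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\disp.dll,#1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinSync\ImagePath",
     "Details": r"C:\ProgramData\WinSync\disp.exe"},
]

# Heuristics (assumptions, tune per environment).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users)\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
RUNDLL_ARG = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+)", re.IGNORECASE)


def check_registry(ev):
    """Rules for Sysmon Event ID 13 (registry value set)."""
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    low = target.lower()
    if low.endswith(r"\environment\userinitmprlogonscript"):
        # Rarely set legitimately; Attor's dispatcher uses it for persistence.
        return "T1037.001", f"logon script set to {details}"
    if "\\currentversion\\run\\" in low and USER_WRITABLE.search(details):
        return "T1112", f"Run key points at user-writable path {details}"
    if re.search(r"\\services\\[^\\]+\\imagepath$", low) and not SYSTEM_DIR.match(details):
        return "T1543.003", f"service ImagePath outside system dirs: {details}"
    return None


def check_process(ev):
    """Rule for Sysmon Event ID 1: rundll32.exe loading a DLL from a
    user-writable location, as Attor's scheduled task does for the dispatcher."""
    if not ev.get("Image", "").lower().endswith(r"\rundll32.exe"):
        return None
    m = RUNDLL_ARG.search(ev.get("CommandLine", ""))
    if m and USER_WRITABLE.search(m.group(1)):
        return "T1218.011", f"rundll32 loads {m.group(1).strip()}"
    return None


def hunt(events):
    """Return one finding dict per matching event, in input order."""
    findings = []
    for idx, ev in enumerate(events):
        hit = check_registry(ev) if ev.get("EventID") == 13 else check_process(ev)
        if hit:
            findings.append({"event": idx, "technique": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['technique']} - {f['reason']}")
```

The benign rundll32 invocation of shell32.dll is deliberately included so the DLL-path check, not the mere presence of rundll32.exe, is what fires; the scheduled-task angle (T1053.005) is visible in the svchost.exe parent of the flagged rundll32 event, which a fuller rule could also require.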
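The T1027 row notes that strings in Attor's components are XOR-encrypted with a hardcoded key. The block below is an added example for this page, not the malware's own routine and not ESET's tooling: it decodes such a string table and, more usefully for triage, recovers the key from the encrypted blob with a known-plaintext crib (an imported API name that the page says the plugins use). It assumes a short repeating byte key (the 4-byte value and length used here are made up) and NUL-terminated printable ASCII strings. SAMPLE_BLOB is constructed in the code from a plaintext table so the example runs offline; in practice it would be carved from the binary's data section.

```python
"""Decode a repeating-key XOR string table and recover the key with a crib.
Added example for this page; not Attor's routine, key or data.  Assumptions:
short repeating byte key, NUL-terminated printable ASCII strings.  The key and
blob below are constructed for illustration."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_strings(plain: bytes):
    """Split a decrypted table on NUL; return None unless every string is
    printable ASCII, the sanity check that a candidate key is the right one."""
    parts = [p for p in plain.split(b"\x00") if p]
    if not parts or any(not (32 <= c < 127) for p in parts for c in p):
        return None
    return [p.decode("ascii") for p in parts]


def recover_key(blob: bytes, crib: bytes, key_len: int):
    """Slide `crib` across `blob`.  At the right offset, blob XOR crib yields
    the key stream, which must repeat with period key_len; a candidate is then
    confirmed by decrypting the whole blob and checking it decodes cleanly."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least as long as the key")
    for off in range(len(blob) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for j, c in enumerate(crib):
            k = blob[off + j] ^ c
            slot = (off + j) % key_len      # which key byte covers this position
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent:
            cand = bytes(key)               # all slots filled since len(crib) >= key_len
            if decode_strings(xor_bytes(blob, cand)) is not None:
                return cand
    return None


# Constructed sample: a made-up 4-byte key and a table of API names the page
# mentions, XORed to produce the blob a triage script would start from.
SAMPLE_KEY = b"\x5a\x13\xc7\x2e"
SAMPLE_BLOB = xor_bytes(
    b"kernel32.dll\x00NtQueueApcThread\x00OpenClipboard\x00GetClipboardData\x00",
    SAMPLE_KEY,
)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, b"NtQueueApcThread", key_len=4)
    print("recovered key:", key.hex() if key else None)
    print(decode_strings(xor_bytes(SAMPLE_BLOB, key)))
```

If the key length is unknown, loop `key_len` upward from 1 and stop at the first length that yields a candidate; the printability check rejects the coincidental hits a short crib can produce.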

References