| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | Attor has used the FTP protocol for C2 communication. |
| enterprise | T1010 | Application Window Discovery | Attor can obtain application window titles and then determine which windows to perform Screen Capture on. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | Attor encrypts collected data with a custom implementation of the Blowfish and RSA ciphers. |
| enterprise | T1123 | Audio Capture | Attor has a plugin that can record audio using the available sound input devices. |
| enterprise | T1119 | Automated Collection | Attor has automatically collected data about the compromised system. |
| enterprise | T1020 | Automated Exfiltration | Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server. |
| enterprise | T1037 | Boot or Logon Initialization Scripts | - |
| enterprise | T1037.001 | Logon Script (Windows) | Attor's dispatcher can establish persistence by adding a logon script to the Registry value `HKEY_CURRENT_USER\Environment\UserInitMprLogonScript`. |
| enterprise | T1115 | Clipboard Data | Attor has a plugin that collects data stored in the Windows clipboard using the OpenClipboard and GetClipboardData APIs. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Attor's dispatcher can establish persistence by registering a new service. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Attor has staged collected data in a central upload directory prior to exfiltration. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Attor has encrypted data symmetrically with a randomly generated Blowfish key in OFB mode; the Blowfish key is itself encrypted with a public RSA key. |
| enterprise | T1573.002 | Asymmetric Cryptography | Attor's Blowfish key is encrypted with a public RSA key. |
| enterprise | T1041 | Exfiltration Over C2 Channel | Attor has exfiltrated data over the C2 channel. |
| enterprise | T1083 | File and Directory Discovery | Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores the file information in encrypted log files. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Attor can set the attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Attor's plugin deletes the collected files and log files after exfiltration. |
| enterprise | T1070.006 | Timestomp | Attor has manipulated the last access time of files and Registry keys after they have been created or modified. |
| enterprise | T1105 | Ingress Tool Transfer | Attor can download additional plugins, updates, and other files. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | One of Attor's plugins can collect user credentials by capturing keystrokes, and can capture keystrokes pressed within the window of the process it is injected into. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate). |
| enterprise | T1112 | Modify Registry | Attor's dispatcher can modify the Run Registry key. |
| enterprise | T1106 | Native API | Attor's dispatcher has used the CreateProcessW API for execution. |
| enterprise | T1027 | Obfuscated Files or Information | Strings in Attor's components are encrypted with an XOR cipher using a hardcoded key; the configuration data, log files, and plugins are encrypted with a hybrid scheme of Blowfish-OFB combined with RSA. |
| enterprise | T1120 | Peripheral Device Discovery | Attor has a plugin that collects information about inserted storage devices, modems, and phone devices. |
| enterprise | T1055 | Process Injection | Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection. |
| enterprise | T1055.004 | Asynchronous Procedure Call | Attor performs the injection by queueing its code as an APC to a thread of the target process with the NtQueueApcThread API. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Attor has used Tor for C2 communication. |
| enterprise | T1012 | Query Registry | Attor has opened the Registry and performed query searches. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon. |
| enterprise | T1113 | Screen Capture | Attor has a plugin that captures screenshots of the target applications. |
| enterprise | T1129 | Shared Modules | Attor's dispatcher can execute additional plugins by loading the respective DLLs. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Attor's installer plugin can schedule rundll32.exe to load the dispatcher. |
| enterprise | T1082 | System Information Discovery | Attor monitors the free disk space on the system. |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Attor's dispatcher can be executed as a service. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Attor can detect whether it is running in a virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and the use of VM-specific instructions. |
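The persistence rows above (the UserInitMprLogonScript logon-script value, a Run key entry, a scheduled task and a service, with rundll32.exe used to load the dispatcher DLL) can be hunted for together on a host snapshot. The block below is an added example written for this page; it is not Attor's code and not tooling from the ESET analysis or from ATT&CK. The snapshot records, the file paths in them, and the rule that a DLL under the Windows directory is treated as the expected rundll32 case are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Artifact:
    """One record from a host snapshot (constructed for this example).

    kind == "registry": location is the key path, name is the value name.
    kind == "task":     location is the task path, name is "Action".
    kind == "service":  location is the service name, name is "ImagePath".
    """
    kind: str
    location: str
    name: str
    data: str


# Constructed snapshot with hypothetical paths, not real telemetry. The
# logon-script value and the rundll32 entries model the persistence rows
# attributed to Attor above; the other entries are benign lookalikes.
SAMPLE_SNAPSHOT = [
    Artifact("registry", r"HKCU\Environment", "UserInitMprLogonScript",
             r"C:\Users\Public\Libraries\update.bat"),
    Artifact("registry", r"HKCU\Environment", "TEMP",
             r"%USERPROFILE%\AppData\Local\Temp"),
    Artifact("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    Artifact("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r'rundll32.exe "C:\ProgramData\Adobe\upd.dll",Init'),
    Artifact("task", r"\Contoso\OpenControlPanel", "Action",
             r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Artifact("task", r"\Updater\Check", "Action",
             r"rundll32.exe C:\Users\Public\d.dll,Start"),
    Artifact("service", "wuauserv", "ImagePath",
             r"C:\Windows\system32\svchost.exe -k netsvcs"),
    Artifact("service", "SysHelper", "ImagePath",
             r"rundll32.exe C:\ProgramData\sh.dll,ServiceMain"),
]

# rundll32 (with or without .exe) followed by the DLL it loads, quoted or not,
# ending at the comma that precedes the export name.
RUNDLL32_DLL_RE = re.compile(r'(?i)\brundll32(?:\.exe)?\s+"?([^",]+\.dll)')
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?$")


def is_system_dll(path: str) -> bool:
    """Assumption for this example: a DLL under the Windows directory is the
    expected case for rundll32 (Control Panel applets and similar); a DLL
    anywhere else (ProgramData, user profiles, ...) is worth a look."""
    p = path.strip().lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p.startswith("c:\\windows\\")


def rundll32_nonsystem_dll(cmdline: str) -> Optional[str]:
    """Return the DLL a rundll32 command line loads if it is outside the
    Windows directory, else None."""
    m = RUNDLL32_DLL_RE.search(cmdline)
    if m and not is_system_dll(m.group(1)):
        return m.group(1)
    return None


def hunt(snapshot: Iterable[Artifact]) -> list[dict]:
    """Flag the four persistence footholds, tagged with the ATT&CK ID used above."""
    findings = []
    for a in snapshot:
        if a.kind == "registry":
            if (a.location.lower().endswith("\\environment")
                    and a.name.lower() == "userinitmprlogonscript"):
                findings.append({"technique": "T1037.001", "artifact": a,
                                 "why": "UserInitMprLogonScript set: runs at every logon"})
            elif RUN_KEY_RE.search(a.location):
                dll = rundll32_nonsystem_dll(a.data)
                if dll:
                    findings.append({"technique": "T1112", "artifact": a,
                                     "why": f"Run value loads {dll} via rundll32"})
        elif a.kind == "task":
            dll = rundll32_nonsystem_dll(a.data)
            if dll:
                findings.append({"technique": "T1053.005", "artifact": a,
                                 "why": f"task action loads {dll} via rundll32"})
        elif a.kind == "service":
            dll = rundll32_nonsystem_dll(a.data)
            if dll:
                findings.append({"technique": "T1543.003", "artifact": a,
                                 "why": f"service binary loads {dll} via rundll32"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_SNAPSHOT):
        a = f["artifact"]
        print(f'{f["technique"]}: {a.kind} {a.location} [{a.name}] -> {f["why"]}')
```

On a live host the same records come from `reg query HKCU\Environment`, the Run keys, `schtasks /query /xml` and the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`; the system-DLL allowlist is the knob that keeps legitimate Control Panel and servicing uses of rundll32 out of the findings.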
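The Timestomp row (T1070.006) says Attor sets the last access time of its files after creating or modifying them. A last access time that predates the file's own creation cannot arise naturally, which makes it the one check worth running first; the others below need the caveats noted in the comments. This is an added example for this page, not Attor's code or the analysis tooling; the file records are constructed, and the use of whole-second timestamps as a weak supporting signal is an assumption, not a finding from the Attor analysis.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class FileTimes:
    """NTFS timestamps for one file. created/modified/accessed come from
    $STANDARD_INFORMATION (what Explorer and SetFileTime see); fn_created is
    the $FILE_NAME creation time, which ordinary user-mode APIs cannot set."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime
    fn_created: Optional[datetime] = None


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed records, not real forensic data.
SAMPLE_FILES = [
    # Ordinary document: created, later modified, accessed after both.
    FileTimes(r"C:\Users\alice\Documents\report.docx",
              _utc("2023-03-01T09:15:22.184211"), _utc("2023-03-02T17:40:03.553900"),
              _utc("2023-03-03T08:02:10.000184"), _utc("2023-03-01T09:15:22.184211")),
    # Log file whose last access time was pushed back to before it existed.
    FileTimes(r"C:\ProgramData\Cache\log_0007.bin",
              _utc("2023-03-04T11:20:45.910033"), _utc("2023-03-04T11:21:02.004511"),
              _utc("2019-06-12T03:00:00.000000"), _utc("2023-03-04T11:20:45.910033")),
    # Plugin DLL with every $SI timestamp backdated below the $FN creation time
    # and with zero sub-second fields.
    FileTimes(r"C:\ProgramData\Cache\plg.dll",
              _utc("2012-07-26T00:00:00"), _utc("2012-07-26T00:00:00"),
              _utc("2012-07-26T00:00:00"), _utc("2023-03-04T11:19:58.330871")),
]


def timestomp_indicators(ft: FileTimes, last_access_updates_enabled: bool = False) -> list[str]:
    """Return the reasons a file's timestamps look manipulated (empty if none)."""
    reasons = []
    if ft.accessed < ft.created:
        reasons.append("last access earlier than creation")
    # Only meaningful when the volume maintains last access times. Windows has
    # disabled that on most volumes for years (NtfsDisableLastAccessUpdate), and
    # there accessed < modified is perfectly normal, so it is opt-in here.
    if last_access_updates_enabled and ft.accessed < ft.modified:
        reasons.append("last access earlier than last modification")
    if ft.fn_created is not None and ft.created < ft.fn_created:
        reasons.append("$SI creation earlier than $FN creation")
    # Assumption used as a weak signal: every $SI field on a whole second. Files
    # copied from FAT/exFAT media show this too, so it is supporting evidence only.
    if all(t.microsecond == 0 for t in (ft.created, ft.modified, ft.accessed)):
        reasons.append("all $SI timestamps have a zero sub-second component")
    return reasons


def find_timestomped(files: Iterable[FileTimes],
                     last_access_updates_enabled: bool = False) -> dict:
    """Map path -> indicator list for every file with at least one indicator."""
    hits = {}
    for f in files:
        reasons = timestomp_indicators(f, last_access_updates_enabled)
        if reasons:
            hits[f.path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_FILES).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

The $FILE_NAME comparison needs the raw MFT (for example from a parsed $MFT export) rather than directory listings, since only $STANDARD_INFORMATION is exposed through the file APIs.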
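The T1027 row says strings in Attor's components are XOR-encrypted with a hardcoded key. With a known-plaintext crib (an API or DLL name the component must reference), such a key can be recovered from the encrypted string table without locating the sample's own decryption routine. The block below is an added example for this page, not Attor's code or the analysis tooling: the repeating 4-byte key, the NUL-separated string-table layout and the sample strings are constructed assumptions, chosen to show the method rather than to describe Attor's actual layout.

```python
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or the NUL separator."""
    return all(b == 0 or 0x20 <= b <= 0x7E for b in data)


# Constructed sample: a small NUL-separated string table encrypted with a
# 4-byte key. The key is only needed to build the sample; recover_key()
# below does not read it.
_SAMPLE_KEY = bytes.fromhex("5a3c9e17")
PLAIN_STRINGS = [b"kernel32.dll", b"NtQueueApcThread",
                 b"UserInitMprLogonScript", b"%s\\log_%04d.bin"]
ENCRYPTED_TABLE = xor_bytes(b"\x00".join(PLAIN_STRINGS) + b"\x00", _SAMPLE_KEY)


def recover_key(ciphertext: bytes, crib: bytes, max_keylen: int = 16) -> Optional[bytes]:
    """Slide the crib over the ciphertext. For each key length and offset,
    derive the key bytes the crib implies; keep the first candidate that is
    self-consistent, covers every key position, and decrypts the whole
    table to printable text (the last check rejects short-key coincidences)."""
    for keylen in range(1, max_keylen + 1):
        for off in range(len(ciphertext) - len(crib) + 1):
            cand = [None] * keylen
            for i, c in enumerate(crib):
                slot = (off + i) % keylen        # key position, aligned to table offset 0
                k = ciphertext[off + i] ^ c
                if cand[slot] is None:
                    cand[slot] = k
                elif cand[slot] != k:
                    break                        # crib contradicts itself here
            else:
                if all(k is not None for k in cand):
                    key = bytes(cand)
                    if looks_like_text(xor_bytes(ciphertext, key)):
                        return key
    return None


def decrypt_strings(ciphertext: bytes, key: bytes) -> list[str]:
    """Decrypt the table and split it back into its strings."""
    return [s.decode("ascii") for s in xor_bytes(ciphertext, key).split(b"\x00") if s]


if __name__ == "__main__":
    key = recover_key(ENCRYPTED_TABLE, b"kernel32.dll")
    print("recovered key:", key.hex() if key else None)
    if key:
        for s in decrypt_strings(ENCRYPTED_TABLE, key):
            print("   ", s)
```

Because the candidate key is indexed by absolute table offset, the recovered key is already aligned to the start of the table and decrypts it directly; a crib that appears at a non-zero offset still yields the same key.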