S0469 ABK
ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.1
| Item | Value |
|---|---|
| ID | S0469 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 June 2020 |
| Last Modified | 24 June 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ABK has the ability to use HTTP in communications with C2.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ABK has the ability to decrypt AES encrypted payloads.1 |
| enterprise | T1105 | Ingress Tool Transfer | ABK has the ability to download files from C2.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | ABK can extract a malicious Portable Executable (PE) from a photo.1 |
| enterprise | T1055 | Process Injection | ABK has the ability to inject shellcode into svchost.exe.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | ABK has the ability to identify the installed anti-virus product on the compromised host.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | 1 |