S0471 build_downer
build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
| Item | Value | 
|---|---|
| ID | S0471 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 10 June 2020 | 
| Last Modified | 24 June 2020 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - | 
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | build_downer has the ability to add itself to the Registry Run key for persistence.[1] | 
| enterprise | T1105 | Ingress Tool Transfer | build_downer has the ability to download files from C2 to the infected host.[1] | 
| enterprise | T1036 | Masquerading | - | 
| enterprise | T1036.004 | Masquerade Task or Service | build_downer has added itself to the Registry Run key under the value name “NVIDIA” to appear legitimate.[1] | 
| enterprise | T1106 | Native API | build_downer has the ability to use the WinExec API to execute malware on a compromised host.[1] | 
| enterprise | T1027 | Obfuscated Files or Information | - | 
| enterprise | T1027.003 | Steganography | build_downer can extract malware from a downloaded JPEG.[1] | 
| enterprise | T1518 | Software Discovery | - | 
| enterprise | T1518.001 | Security Software Discovery | build_downer has the ability to detect whether the infected host is running an anti-virus process.[1] | 
| enterprise | T1082 | System Information Discovery | build_downer has the ability to send system volume information to C2.[1] | 
| enterprise | T1124 | System Time Discovery | build_downer has the ability to determine the local time so that malware installation only happens during the hours when the infected system is active.[1] | 
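The two rows that give a defender the most concrete hook are the Run key persistence (T1547.001) and the vendor-name masquerade (T1036.004): a Run value named after a hardware vendor whose command points somewhere a real vendor autorun would never live. The following detection routine is an added example, not code from the ATT&CK page or from any vendor product. It parses Sysmon Event ID 13 (RegistryEvent, value set) records that have been exported as `key=value` fields separated by ` | ` (an assumed export format), and flags Run/RunOnce writes whose value name contains a vendor name while the executable sits outside that vendor's expected install directories. The vendor-to-directory map and the log lines are constructed for the example; the directory prefixes are typical, not an exhaustive list.

```python
"""
Added example (not from the ATT&CK page or any vendor tool): detect Run key
persistence that masquerades as a hardware vendor (T1547.001 + T1036.004).
Input: Sysmon Event ID 13 records exported as 'key=value | key=value' text
(assumed format). Output: Finding objects for suspicious autorun entries.
"""
import re
from dataclasses import dataclass

# Match HKLM/HKU ...\CurrentVersion\Run\<value> and RunOnce\<value>.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Assumption: where a legitimate autorun carrying this vendor's name would
# execute from. Extend for your estate; these are illustrative prefixes.
VENDOR_EXPECTED_DIRS = {
    "nvidia": (r"c:\program files\nvidia", r"c:\program files (x86)\nvidia",
               r"c:\windows\system32"),
    "intel": (r"c:\program files\intel", r"c:\program files (x86)\intel"),
    "realtek": (r"c:\program files\realtek", r"c:\program files (x86)\realtek"),
}


@dataclass
class Finding:
    image: str       # process that wrote the Run value
    value_name: str  # e.g. "NVIDIA"
    command: str     # what the autorun will execute
    reason: str


def parse_kv_line(line):
    """Split 'EventID=13 | Image=... | TargetObject=... | Details=...' into a
    dict. ' | ' is the separator so paths containing spaces survive."""
    fields = {}
    for part in line.strip().split(" | "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def executable_path(details):
    """Return the executable from a Run value: handles a quoted path with
    trailing arguments as well as a bare path."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ")[0]


def check_event(fields):
    """Return a Finding if this event is a Run key write whose value name
    impersonates a vendor but whose executable is outside that vendor's
    expected directories; otherwise None."""
    if fields.get("EventID") != "13":
        return None
    match = RUN_KEY_RE.search(fields.get("TargetObject", ""))
    if not match:
        return None
    value_name = match.group("value")
    command = fields.get("Details", "")
    exe = executable_path(command).lower()
    for vendor, dirs in VENDOR_EXPECTED_DIRS.items():
        if vendor in value_name.lower() and not any(exe.startswith(d) for d in dirs):
            return Finding(fields.get("Image", ""), value_name, command,
                           f"value name impersonates {vendor} but runs from {exe}")
    return None


def find_suspicious_run_keys(lines):
    """Run check_event over every exported log line and collect findings."""
    return [f for f in (check_event(parse_kv_line(l)) for l in lines) if f]


# Constructed sample telemetry (not real events). The first line mimics the
# behaviour described on the page: a temp-dir dropper registering itself as
# "NVIDIA" in the user's Run key, pointing at AppData.
SAMPLE_LOG = [
    "EventID=13 | Image=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe | "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NVIDIA | "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\nv\\nvsvc.exe",
    "EventID=13 | Image=C:\\Program Files\\NVIDIA Corporation\\Installer2\\setup.exe | "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\NVIDIA Display | "
    "Details=\"C:\\Program Files\\NVIDIA Corporation\\Display\\nvtray.exe\" /start",
    "EventID=1 | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd /c whoami",
]

if __name__ == "__main__":
    for f in find_suspicious_run_keys(SAMPLE_LOG):
        print(f"[ALERT] Run value '{f.value_name}': {f.reason} (written by {f.image})")
```

The rule deliberately keys on the mismatch between the value name and the executable location rather than on the string "NVIDIA" alone, because the legitimate vendor autorun in the second sample line must stay quiet; a sample that chooses a different vendor name is still caught as long as the map covers that vendor. Pair this with the page's T1124 note: a Run key write that arrives during business hours from a process under a user profile is exactly the activity window the malware selects for installation.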
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0060 | BRONZE BUTLER | [1] |