S0472 down_new
down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
| Item | Value |
|---|---|
| ID | S0472 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 June 2020 |
| Last Modified | 24 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | down_new has the ability to use HTTP in C2 communications.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | down_new has the ability to base64 encode C2 communications.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | down_new has the ability to AES encrypt C2 communications.[1] |
| enterprise | T1083 | File and Directory Discovery | down_new has the ability to list the directories on a compromised host.[1] |
| enterprise | T1105 | Ingress Tool Transfer | down_new has the ability to download files to the compromised host.[1] |
| enterprise | T1057 | Process Discovery | down_new has the ability to list running processes on a compromised host.[1] |
| enterprise | T1518 | Software Discovery | down_new has the ability to gather information on installed applications.[1] |
| enterprise | T1518.001 | Security Software Discovery | down_new has the ability to detect anti-virus products and processes on a compromised host.[1] |
| enterprise | T1082 | System Information Discovery | down_new has the ability to identify the system volume information of a compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | down_new has the ability to identify the MAC address of a compromised host.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | [1] |