S0473 Avenger
Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
| Item | Value |
|---|---|
| ID | S0473 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 11 June 2020 |
| Last Modified | 24 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Avenger has the ability to use HTTP in communication with C2.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Avenger has the ability to decrypt files downloaded from C2.[1] |
| enterprise | T1083 | File and Directory Discovery | Avenger has the ability to browse files in directories such as Program Files and the Desktop.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Avenger has the ability to download files from C2 to a compromised host.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Avenger has the ability to XOR encrypt files to be sent to C2.[1] |
| enterprise | T1027.003 | Steganography | Avenger can extract backdoor malware from downloaded images.[1] |
| enterprise | T1057 | Process Discovery | Avenger has the ability to use Tasklist to identify running processes.[1] |
| enterprise | T1055 | Process Injection | Avenger has the ability to inject shellcode into svchost.exe.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Avenger has the ability to identify installed anti-virus products on a compromised host.[1] |
| enterprise | T1082 | System Information Discovery | Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Avenger can identify the domain of the compromised host.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | [1] |