S0546 SharpStage
SharpStage is a .NET malware with backdoor capabilities.[1][2]
| Item | Value |
|---|---|
| ID | S0546 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 22 December 2020 |
| Last Modified | 18 August 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | SharpStage can execute arbitrary commands with PowerShell.[1][2] |
| enterprise | T1059.003 | Windows Command Shell | SharpStage can execute arbitrary commands with the command line.[1][2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SharpStage has decompressed data received from the C2 server.[2] |
| enterprise | T1105 | Ingress Tool Transfer | SharpStage has the ability to download and execute additional payloads via the Dropbox API.[1][2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | SharpStage has a persistence component that writes a scheduled task for the payload.[1] |
| enterprise | T1113 | Screen Capture | SharpStage has the ability to capture the victim's screen.[1][2] |
| enterprise | T1082 | System Information Discovery | SharpStage has checked the system settings to see if Arabic is the configured language.[2] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | SharpStage has been used to target Arabic-speaking users and contains code that checks whether the compromised machine has the Arabic language installed.[2] |
| enterprise | T1102 | Web Service | SharpStage has used a legitimate web service to evade detection.[1] |
| enterprise | T1047 | Windows Management Instrumentation | SharpStage can use WMI for execution.[1][2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0021 | Molerats | [1] |
References
1. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
2. Ilascu, I. (2020, December 14). Hacking group's new malware abuses Google and Facebook services. Retrieved December 28, 2020.