S0634 EnvyScout
EnvyScout is a dropper that has been used by APT29 since at least 2021.[1]
| Item | Value |
|---|---|
| ID | S0634 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 02 August 2021 |
| Last Modified | 16 October 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | EnvyScout can use cmd.exe to execute malicious files on compromised hosts.[1] |
| enterprise | T1059.007 | JavaScript | EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.[1] |
| enterprise | T1005 | Data from Local System | EnvyScout can collect sensitive NTLM material from a compromised host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | EnvyScout can deobfuscate and write malicious ISO files to disk.[1] |
| enterprise | T1480 | Execution Guardrails | EnvyScout can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.[1] |
| enterprise | T1187 | Forced Authentication | EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | EnvyScout can use hidden directories and files to hide malicious executables.[1] |
| enterprise | T1036 | Masquerading | EnvyScout has used folder icons for malicious files to lure victims into opening them.[1] |
| enterprise | T1027 | Obfuscated Files or Information | EnvyScout can Base64 encode payloads.[1] |
| enterprise | T1027.006 | HTML Smuggling | EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | EnvyScout has been distributed via spearphishing as an email attachment.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | EnvyScout has the ability to proxy execution of malicious files with Rundll32.[1] |
| enterprise | T1082 | System Information Discovery | EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | EnvyScout has been executed through malicious files attached to e-mails.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |