
S0634 EnvyScout

EnvyScout is a dropper that has been used by APT29 since at least 2021.[1]

| Item | Value |
|---|---|
| ID | S0634 |
| Associated Names | |
| Version | 1.0 |
| Created | 02 August 2021 |
| Last Modified | 16 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | EnvyScout can use cmd.exe to execute malicious files on compromised hosts.[1] |
| enterprise | T1059.007 | JavaScript | EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.[1] |
| enterprise | T1005 | Data from Local System | EnvyScout can collect sensitive NTLM material from a compromised host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | EnvyScout can deobfuscate and write malicious ISO files to disk.[1] |
| enterprise | T1480 | Execution Guardrails | EnvyScout can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.[1] |
| enterprise | T1187 | Forced Authentication | EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | EnvyScout can use hidden directories and files to hide malicious executables.[1] |
| enterprise | T1036 | Masquerading | EnvyScout has used folder icons for malicious files to lure victims into opening them.[1] |
| enterprise | T1027 | Obfuscated Files or Information | EnvyScout can Base64 encode payloads.[1] |
| enterprise | T1027.006 | HTML Smuggling | EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | EnvyScout has been distributed via spearphishing as an email attachment.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | EnvyScout has the ability to proxy execution of malicious files with Rundll32.[1] |
| enterprise | T1082 | System Information Discovery | EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | EnvyScout has been executed through malicious files attached to e-mails.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |