S0679 Ferocious
Ferocious is a first-stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[1]
| Item | Value | 
|---|---|
| ID | S0679 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 01 February 2022 | 
| Last Modified | 01 February 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.001 | PowerShell | Ferocious can use PowerShell scripts for execution.[1] |
| enterprise | T1059.005 | Visual Basic | Ferocious has the ability to use Visual Basic scripts for execution.[1] |
| enterprise | T1546 | Event Triggered Execution | - | 
| enterprise | T1546.015 | Component Object Model Hijacking | Ferocious can use COM hijacking to establish persistence.[1] |
| enterprise | T1070 | Indicator Removal | - | 
| enterprise | T1070.004 | File Deletion | Ferocious can delete files from a compromised host.[1] |
| enterprise | T1112 | Modify Registry | Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Ferocious can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.[1] |
| enterprise | T1518 | Software Discovery | - | 
| enterprise | T1518.001 | Security Software Discovery | Ferocious has checked for AV software as part of its persistence process.[1] |
| enterprise | T1082 | System Information Discovery | Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - | 
| enterprise | T1497.001 | System Checks | Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function GET.WORKSPACE to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds.[1] |
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0090 | WIRTE | [1] |