Skip to content

S0679 Ferocious

Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.1

Item Value
ID S0679
Associated Names
Version 1.0
Created 01 February 2022
Last Modified 01 February 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Ferocious can use PowerShell scripts for execution.1
enterprise T1059.005 Visual Basic Ferocious has the ability to use Visual Basic scripts for execution.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking Ferocious can use COM hijacking to establish persistence.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Ferocious can delete files from a compromised host.1
enterprise T1112 Modify Registry Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.1
enterprise T1120 Peripheral Device Discovery Ferocious can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Ferocious has checked for AV software as part of its persistence process.1
enterprise T1082 System Information Discovery Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function GET.WORKSPACE to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds.1

Groups That Use This Software

ID Name References
G0090 WIRTE 1