S0680 LitePower
LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.1
| Item | Value |
|---|---|
| ID | S0680 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 02 February 2022 |
| Last Modified | 16 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LitePower can use HTTP and HTTPS for C2 communications.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | LitePower can use a PowerShell script to execute commands.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | LitePower can send collected data, including screenshots, over its C2 channel.1 |
| enterprise | T1105 | Ingress Tool Transfer | LitePower has the ability to download payloads containing system commands to a compromised host.1 |
| enterprise | T1106 | Native API | LitePower can use various API calls.1 |
| enterprise | T1012 | Query Registry | LitePower can query the Registry for keys added to execute COM hijacking.1 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | LitePower can create a scheduled task to enable persistence mechanisms.1 |
| enterprise | T1113 | Screen Capture | LitePower can take system screenshots and save them to %AppData%.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | LitePower can identify installed AV software.1 |
| enterprise | T1082 | System Information Discovery | LitePower has the ability to list local drives and enumerate the OS architecture.1 |
| enterprise | T1033 | System Owner/User Discovery | LitePower can determine if the current user has admin privileges.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0090 | WIRTE | 1 |