
S0680 LitePower

LitePower is a downloader and second-stage malware that has been used by WIRTE since at least 2021. [1]

| Item | Value |
|---|---|
| ID | S0680 |
| Associated Names | (none) |
| Version | 1.0 |
| Created | 02 February 2022 |
| Last Modified | 16 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LitePower can use HTTP and HTTPS for C2 communications. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | LitePower can use a PowerShell script to execute commands. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | LitePower can send collected data, including screenshots, over its C2 channel. [1] |
| enterprise | T1105 | Ingress Tool Transfer | LitePower has the ability to download payloads containing system commands to a compromised host. [1] |
| enterprise | T1106 | Native API | LitePower can use various API calls. [1] |
| enterprise | T1012 | Query Registry | LitePower can query the Registry for keys added to execute COM hijacking. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | LitePower can create a scheduled task to enable persistence mechanisms. [1] |
| enterprise | T1113 | Screen Capture | LitePower can take system screenshots and save them to %AppData%. [1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | LitePower can identify installed AV software. [1] |
| enterprise | T1082 | System Information Discovery | LitePower has the ability to list local drives and enumerate the OS architecture. [1] |
| enterprise | T1033 | System Owner/User Discovery | LitePower can determine if the current user has admin privileges. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0090 | WIRTE | [1] |