Skip to content

S1029 AuTo Stealer

AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.1

Item Value
ID S1029
Associated Names
Version 1.0
Created 07 August 2022
Last Modified 24 August 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols AuTo Stealer can use HTTP to communicate with its C2 servers.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder AuTo Stealer can place malicious executables in a victim’s AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell AuTo Stealer can use cmd.exe to execute a created batch file.1
enterprise T1005 Data from Local System AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging AuTo Stealer can store collected data from an infected host to a file named Hostname_UserName.txt prior to exfiltration.1
enterprise T1041 Exfiltration Over C2 Channel AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.1
enterprise T1095 Non-Application Layer Protocol AuTo Stealer can use TCP to communicate with command and control servers.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery AuTo Stealer has the ability to collect information about installed AV products from an infected host.1
enterprise T1082 System Information Discovery AuTo Stealer has the ability to collect the hostname and OS information from an infected host.1
enterprise T1033 System Owner/User Discovery AuTo Stealer has the ability to collect the username from an infected host.1

Groups That Use This Software

ID Name References
G1008 SideCopy -