S1029 AuTo Stealer
AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]
Item | Value |
---|---|
ID | S1029 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 07 August 2022 |
Last Modified | 24 August 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | AuTo Stealer can use HTTP to communicate with its C2 servers.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | AuTo Stealer can use cmd.exe to execute a created batch file.[1] |
enterprise | T1005 | Data from Local System | AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | AuTo Stealer can store collected data from an infected host in a file named Hostname_UserName.txt prior to exfiltration.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[1] |
enterprise | T1095 | Non-Application Layer Protocol | AuTo Stealer can use TCP to communicate with command and control servers.[1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | AuTo Stealer has the ability to collect information about installed AV products from an infected host.[1] |
enterprise | T1082 | System Information Discovery | AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[1] |
enterprise | T1033 | System Owner/User Discovery | AuTo Stealer has the ability to collect the username from an infected host.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G1008 | SideCopy | - |