S1088 Disco
Disco is a custom implant that has been used by MoustachedBouncer since at least 2020, including in campaigns using targeted malicious content injection for initial access and command and control.[1]
| Item | Value |
|---|---|
| ID | S1088 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 September 2023 |
| Last Modified | 04 October 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | Disco can use SMB to transfer files.[1] |
| enterprise | T1659 | Content Injection | Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Disco can download files to targeted systems via SMB.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Disco can create a scheduled task to run every minute for persistence.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Disco has been executed through inducing user interaction with malicious .zip and .msi files.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1019 | MoustachedBouncer | [1] |