S1089 SharpDisco
SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[1]
| Item | Value |
|---|---|
| ID | S1089 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 September 2023 |
| Last Modified | 16 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | SharpDisco has the ability to transfer data between SMB shares.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | SharpDisco can use cmd.exe to execute plugins and to send command output to specified SMB shares.[1] |
| enterprise | T1005 | Data from Local System | SharpDisco has dropped a recent-files stealer plugin to C:\Users\Public\WinSrcNT\It11.exe.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2.[1] |
| enterprise | T1083 | File and Directory Discovery | SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either %USERPROFILE%\Recent (Windows XP) or %APPDATA%\Microsoft\Windows\Recent (newer Windows versions).[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | SharpDisco can hide windows using ProcessWindowStyle.Hidden.[1] |
| enterprise | T1105 | Ingress Tool Transfer | SharpDisco has been used to download a Python interpreter to C:\Users\Public\WinTN\WinTN.exe as well as other plugins from external sources.[1] |
| enterprise | T1680 | Local Storage Discovery | SharpDisco can use a plugin to enumerate system drives.[1] |
| enterprise | T1106 | Native API | SharpDisco can leverage Native APIs through plugins including GetLogicalDrives.[1] |
| enterprise | T1120 | Peripheral Device Discovery | SharpDisco has dropped a plugin to monitor external drives to C:\Users\Public\It3.exe.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | SharpDisco can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.[1] |
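The following host-hunt script is an added example, not part of the ATT&CK entry or the cited report. It checks a single Windows host for the artifacts the table above attributes to SharpDisco: the three dropped plugin paths under C:\Users\Public, and scheduled tasks whose action runs cmd.exe with a UNC (SMB share) path in its arguments. It assumes it is run with local administrator rights so that Get-ScheduledTask can read every task folder.

```powershell
# Added hunt script (not from the ATT&CK page or the cited report).
# Assumes an elevated PowerShell session on the host being examined.

# Plugin drop locations named in the ATT&CK entry.
$droppedPaths = @(
    'C:\Users\Public\WinSrcNT\It11.exe',   # recent-files stealer plugin
    'C:\Users\Public\WinTN\WinTN.exe',     # downloaded Python interpreter
    'C:\Users\Public\It3.exe'              # external-drive monitor plugin
)

foreach ($p in $droppedPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        [PSCustomObject]@{
            Finding    = 'DroppedPlugin'
            Path       = $p
            CreatedUtc = $item.CreationTimeUtc
            SHA256     = $hash
        }
    }
}

# Scheduled tasks that launch cmd.exe and reference a UNC path (\\server\share)
# in their arguments, matching the reverse-shell-over-SMB behaviour (T1053.005).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # COM-handler actions have no Execute property; string concat yields "" for them.
        $cmdLine = "$($a.Execute) $($a.Arguments)"
        if ($a.Execute -match 'cmd(\.exe)?$' -and $cmdLine -match '\\\\[^\\\s]+\\[^\\\s]+') {
            [PSCustomObject]@{
                Finding  = 'SuspiciousTask'
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Command  = $cmdLine
                State    = $task.State
            }
        }
    }
}
```

Any hit should be correlated with SMB session logs and the task's registration time before drawing conclusions, since a task using cmd.exe against a UNC path can also be legitimate administration.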
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1019 | MoustachedBouncer | [1] |