S1101 LoFiSe
LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.
| Item |
Value |
| ID |
S1101 |
| Associated Names |
|
| Type |
MALWARE |
| Version |
1.0 |
| Created |
19 January 2024 |
| Last Modified |
19 January 2024 |
| Navigation Layer |
View In ATT&CK® Navigator |
Techniques Used
| Domain |
ID |
Name |
Use |
| enterprise |
T1560 |
Archive Collected Data |
LoFiSe can collect files into password-protected ZIP-archives for exfiltration. |
| enterprise |
T1119 |
Automated Collection |
LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive for further exfiltration. |
| enterprise |
T1005 |
Data from Local System |
LoFiSe can collect files of interest from targeted systems. |
| enterprise |
T1074 |
Data Staged |
- |
| enterprise |
T1074.001 |
Local Data Staging |
LoFiSe can save files to be evaluated for further exfiltration in the C:\Programdata\Microsoft\ and C:\windows\temp\ folders. |
|
|
|
|
| enterprise |
T1083 |
File and Directory Discovery |
LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg. |
| enterprise |
T1574 |
Hijack Execution Flow |
- |
| enterprise |
T1574.001 |
DLL |
LoFiSe has been executed as a file named DsNcDiag.dll through side-loading. |
Groups That Use This Software
References