S1152 IMAPLoader
IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least 2022. IMAPLoader leverages email protocols for command and control and payload delivery.[1]
| Item | Value |
|---|---|
| ID | S1152 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 14 August 2024 |
| Last Modified | 02 October 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | IMAPLoader uses the IMAP email protocol for command and control purposes.[1] |
| enterprise | T1543 | Create or Modify System Process | IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | IMAPLoader hides the Windows console window created by its execution by directly importing the GetConsoleWindow and ShowWindow APIs from the kernel32.dll and user32.dll libraries.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.014 | AppDomainManager | IMAPLoader is executed via the AppDomainManager injection technique.[1] |
| enterprise | T1105 | Ingress Tool Transfer | IMAPLoader is a loader used to retrieve follow-on payloads encoded in email messages for execution on victim systems.[1] |
| enterprise | T1106 | Native API | IMAPLoader imports native Windows APIs such as GetConsoleWindow and ShowWindow.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | IMAPLoader creates scheduled tasks for persistence based on the operating system version of the victim machine.[1] |
| enterprise | T1082 | System Information Discovery | IMAPLoader uses WMI queries to gather information about the victim machine.[1] |
| enterprise | T1047 | Windows Management Instrumentation | IMAPLoader uses WMI queries to query system information on victim hosts.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1012 | CURIUM | IMAPLoader was deployed by CURIUM as a post-exploitation payload following strategic website compromise.[1] |