S1169 Mango
Mango is a first-stage backdoor written in C#/.NET that was used by OilRig during the Juicy Mix campaign. Mango is the successor to Solar and includes additional exfiltration capabilities, the use of native APIs, and added detection evasion code.[1]
| Item | Value |
|---|---|
| ID | S1169 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 November 2024 |
| Last Modified | 25 November 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Mango can retrieve C2 commands sent in HTTP responses.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Mango can receive Base64-encoded commands from C2.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Mango can receive XOR-encrypted commands from C2.[1] |
| enterprise | T1573.002 | Asymmetric Cryptography | Mango can use TLS to encrypt C2 communications.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Mango can use its HTTP C2 channel for exfiltration.[1] |
| enterprise | T1083 | File and Directory Discovery | Mango can enumerate the contents of the current working directory or other specified directories.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Mango contains an unused capability to block endpoint security solutions from loading user-mode code hooks (via a DLL) into a specified process: it uses the UpdateProcThreadAttribute API to set PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY to PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON for an identified process.[1] |
| enterprise | T1106 | Native API | Mango has the ability to use Native APIs.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Mango contains a series of Base64-encoded substrings.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Mango can create a scheduled task that runs every 32 seconds to communicate with C2 and execute received commands.[1] |
| enterprise | T1082 | System Information Discovery | Mango can collect the machine name of a compromised system, which is later used as part of a unique victim identifier.[1] |
| enterprise | T1033 | System Owner/User Discovery | Mango can collect the user name from a compromised system, which is used to create a unique victim identifier.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Mango has been executed through a Microsoft Word document with a malicious macro.[1] |
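The 32-second scheduled task described under T1053.005 is a concrete hunting lead: legitimate tasks rarely repeat more often than once a minute. The following PowerShell is an added hunting example written for this page, not code from the ATT&CK entry or from the Mango sample itself. It assumes the built-in ScheduledTasks module is available (Windows 8 / Server 2012 and later) and uses a 60-second threshold, which is an assumption to be tuned per environment; it lists every task whose trigger repetition interval is at or below that threshold, together with the command the task runs.

```powershell
# Added hunting example (not part of the ATT&CK entry or the Mango malware):
# find scheduled tasks whose trigger repeats more often than once per minute,
# the pattern the T1053.005 row above describes (a 32-second C2 beacon).
# Assumption: a 60-second threshold; raise or lower it for your environment.
$threshold = [TimeSpan]::FromSeconds(60)

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($trigger in $task.Triggers) {
        # Repetition.Interval is an ISO 8601 duration string such as "PT32S" or "PT5M"
        $interval = $trigger.Repetition.Interval
        if ([string]::IsNullOrEmpty($interval)) { continue }

        try {
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
        } catch {
            continue   # malformed or unsupported duration; skip rather than abort the sweep
        }

        if ($span -gt [TimeSpan]::Zero -and $span -le $threshold) {
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Interval = $span
                State    = $task.State
                Author   = $task.Author
                # Join every action so an analyst sees what the task actually launches
                Execute  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
    }
} | Sort-Object Interval | Format-Table -AutoSize
```

Run it in an elevated session so tasks registered by other users are visible. Any hit whose Execute column points at a user-writable location or at a script interpreter deserves a closer look; a short interval on its own is not proof of compromise, but combined with the HTTP beaconing described in the T1071.001 row it is a strong indicator.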
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |