S1200 StealBit
StealBit is a data exfiltration tool that is developed and maintained by the operators of the LockBit Ransomware-as-a-Service (RaaS) and offered to affiliates to exfiltrate data from compromised systems for double extortion purposes. [1][2]
| Item | Value |
|---|---|
| ID | S1200 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 29 January 2025 |
| Last Modified | 29 January 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | StealBit can use HTTP to exfiltrate files to actor-controlled infrastructure. [2][1] |
| enterprise | T1005 | Data from Local System | StealBit can upload data and files to the LockBit victim-shaming site. [2][1] |
| enterprise | T1030 | Data Transfer Size Limits | StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms. [1] |
| enterprise | T1622 | Debugger Evasion | StealBit can detect that it is being run in the context of a debugger. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | StealBit can deobfuscate loaded modules prior to execution. [2][1] |
| enterprise | T1480 | Execution Guardrails | StealBit will execute an empty infinite loop if it detects that it is being run in the context of a debugger. [1] |
| enterprise | T1083 | File and Directory Discovery | StealBit can be configured to exfiltrate specific file types. [2][1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.006 | Indicator Blocking | StealBit can configure processes to not display certain Windows error messages through use of NtSetInformationProcess. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | StealBit can self-delete its executable file from the compromised system. [1][2] |
| enterprise | T1559 | Inter-Process Communication | StealBit can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner. [1] |
| enterprise | T1106 | Native API | StealBit can use native APIs including LoadLibraryExA for execution and NtSetInformationProcess for defense evasion purposes. [1] |
| enterprise | T1095 | Non-Application Layer Protocol | StealBit can use the Windows Socket networking library to communicate with attacker-controlled endpoints. [1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | StealBit stores obfuscated DLL file names in its executable. [1] |
| enterprise | T1082 | System Information Discovery | StealBit can enumerate the computer name and domain membership of the compromised system. [1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | StealBit can determine system location based on the default language setting and will not execute on systems located in former Soviet countries. [1] |